DNS results now being manipulated in Turkey
Here is a valid reason for adopting DNSSEC or DNSCrypt. It's likely they're
using deep packet inspection. Using VPNs seems like the only valid solution
here for now.
Result from "dig youtube.com":
; <<>> DiG 9.8.3-P1 <<>> youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21333
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 86091 IN A 195.175.254.2
;; Query time: 25 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sat Mar 29 13:59:52 2014
;; MSG SIZE rcvd: 45
Result from "dig youtube.com @4.2.2.2": ; <<>> DiG 9.8.3-P1 <<>> youtube.com @4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61182
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;youtube.com. IN A
;; ANSWER SECTION:
youtube.com. 197 IN A 173.194.113.38
youtube.com. 197 IN A 173.194.113.40
youtube.com. 197 IN A 173.194.113.33
youtube.com. 197 IN A 173.194.113.35
youtube.com. 197 IN A 173.194.113.41
youtube.com. 197 IN A 173.194.113.37
youtube.com. 197 IN A 173.194.113.39
youtube.com. 197 IN A 173.194.113.36
youtube.com. 197 IN A 173.194.113.34
youtube.com. 197 IN A 173.194.113.32
youtube.com. 197 IN A 173.194.113.46
;; Query time: 78 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Mar 29 14:33:53 2014
;; MSG SIZE rcvd: 205
Clip from the whois result on 195.175.254.2: inetnum: 195.174.0.0 - 195.175.255.255
netname: TR-TELEKOM-960902
descr: Turk Telekomunikasyon Anonim Sirketi
country: TR
72 comments
[ 3.3 ms ] story [ 116 ms ] threadAs I said, I much rather get my own hosting (even shared hosting) for as cheap as 4 bucks a month, and tunnel my traffic through that machine.
But HMA is a valid solution for someone who's not willing to pay.
here: http://i.imgur.com/jfZS31C.png
As they're messing with DNS, you'll still be connecting to their evil version of YouTube through your SSH tunnel. In Firefox this behaviour can be changed by toggling network.proxy.socks_remote_dns in about:config.
Of course, setting up an actual tunnel (i.e. on a lower network layer) would be better but that's a bit more complicated to do.
(i.e: Telnet to the router, and change DNS there).
It's not like our government is blocking anything (there were rumors it was blocking Facebook in 2011, but it wasn't true as I was able to log in without any issue. It was just slow, but it's not like we have the fastest internet here).
But it's nice to know. Thanks for the clarification.
Plus how can you tell it isn't the actual Facebook if everything is there, status, etc, comments, pictures. I can chat with other users, send messages, etc.
If their goal is to manipulate traffic to www.youtube.com (probably to block access to certain videos), another solution would be for YouTube to require SSL for all connections coming from Turkish IPs. Of course, this wouldn't work if they got some Turkish (or other) CA to sign a bogus www.youtube.com certificate.
EDIT: As lawl points out, trying to require SSL on www.youtube.com won't work either, since they could just do an sslstrip type attack.
EDIT 2: Proof that they are in fact messing with routes to Google Public DNS anycast addresses (they're doing to same to OpenDNS): https://twitter.com/esesci/status/449902883933126659
EDIT: More evidence that this is what's happening (they're doing to same to OpenDNS's anycast addresses): https://twitter.com/esesci/status/449902883933126659
What? NO! They are messing with the DNS results from 8.8.4.4 (Google DNS)
Too early for TLS to do anything. Maybe with HSTS, but I still doubt that HSTS is any effective against state level MITM.
I am not just a DNSSEC hater, but the level of misunderstanding on DNSSEC is quite large.
When victim issues a query for youtube.com, I can intercept that query and hand back whatever response I want. Unless the victim KNOWS IN ADVANCE (which DNSSEC doesn't offer) that the response should be DNSSEC signed, they will accept my forged response.
DNSSEC solves problems we don't really have, and ignores the ones we do.
Somehow it is comforting how abysmally bad he is at doing that though...
The pro-government TV channels are broadcasting Erdogan's rallies while other TV channels respect the law(and they are afraid of disproportional penalties if they do the same).
So today only Erdogan is on national TV.
If however not enough people understand democracy ...
Polls show that %77 of the population believe the corruption case against the government is real.
However the situation is really complicated. Without going into details, I have to say that probably there is a real conspiracy orchestrated by the Gulen(islamic cleric allegedly with big influence on the judiciary & law enforcement) movement because some of the leaked tapes seems to be collected illegally.
The Gulen movement was close ally with the government till recently. They probably collected evidence about the corruption in the government since years and waited until the right moment comes to start the criminal case. The PM responded by demonizing the whole movement and suspending the rule of law.
The allegations against the Gulen movement are not proven at all but few years ago the same prosecutors started a case against the military and lot's of unlawful things took place during the whole trail process. That time the PM Erdogan strongly supported the case but today he claims that this was a conspiracy against the Turkish army.
Many lawyers agree that lots of the evidence against the military was fabricated and many people were imprisoned for political reasons.
Back then a sex tape of the main opposition party leader was leaked and PM Erdogan used it as a political tool. Today the same PM claims that these leaks about corruption are invasion of his privacy. Another leak shows that the PM was involved in the filming and distribution of the sex tape of the opposition party.
It's just huge mess here.
So, not much unlike the so-called educated public, being manipulated by anti-clericalism and globalisation!
One ideal which emphasizes the need for science and rational thought and one that needs conspiracy theories to survive.
One ideal which has proven to bring peace and prosperity, while the other is failing miserably, comparatively speaking.
In some sense, the US with their absurdly high campaign spending, avoid this kind of corruption either way just by competition.
Even if a single interest group/company would try to outright "buy" a presidential campaign (which hardly works anyway), all the other interest groups combined have an incentive to "buy" it back. Which is why politicians can't be controlled through donations as often as TV Shows might want you to believe.
Erdogan however just rigs the regulation in a way that benefits his reelection and accumulation of wealth. No competition, no problem...
However the "axis" of these two directions is aligned by the general public. If people care about wars, the parties would align towards "war" and "no war" for an election. But they don't, because beginning and ending a war isn't something that works well with elections or any arbitrarily timed decision process for that matter.
Governments have to be able to start a war or not end it at the wrong time, otherwise you might as well let non-democratic countries take you to the cleaners...
That's a joke, right? Germany is more corrupt and less competent than the US? Sweden is? The UK is? On almost every metric of government efficiency, the US is behind most european countries.
> If people care about wars, the parties would align towards "war" and "no war" for an election. But they don't,
This is a stupid assertion. Why would they align towards "war" and "no war" when they don't have to? They have enough divisive things like Row vs. Wade, Planned Parenthood, Food Stamps, ACA, etc to make sure that every single-issue voter is accounted for in one camp or the other.
Do you remember that Obama campaigned on the "Close Gitmo" promise?
> But they don't, because beginning and ending a war isn't something that works well with elections or any arbitrarily timed decision process for that matter. Governments have to be able to start a war or not end it at the wrong time, otherwise you might as well let non-democratic countries take you to the cleaners...
I will assume you are naive, because otherwise I would have to assign malice to your argument. The US has been, for years, opening a new front every couple of years. Regardless of timing, "more military action around the world" and "less military action around the world" are things you can base policy on. In fact, Ron Paul campaigned for the latter. But in a two party system, anything except the big two parties is meaningless, and the big parties like it that way - it means they don't have to align with anything the public at large might actually want.
http://public-dns.tk/
You might also be interested in https://dnscrypt.eu.
2001:4860:4860::8888 and 2001:4860:4860::8844
Also look at the other links that user lemonade posted here.
DNSCrypt could help here... but chances are their middleware would just barf on it.
You need something more evasive.
It's hilarious that people are saying DNSSEC can be used in Turkey (or anywhere else) to defend against censorship. Either they don't know what they're talking about or don't care about having an honest discussion. Or both.
Some leaks about Erdogan's corruption and false flag attack in Turkey to blame Syria and go to war with it came out in those channels, and he wanted people to stop talking about it or see the leaks. I think some elections are in Turkey soon, too.
After all, if you cannot see the difference between the alleged single person targeting and the blanket targeting of an entire population, I'm not really sure you deserve to be here.
I guess I'll leave you with that Stalin quote "Death of one man is a tragedy. Death of a million is a statistic".
What I was trying to say was that Governments do shit like this, regardless of if they are China, North Korea, Turkey or America. In terms of doing things against their citizens, every country is in the Axis of Evil, so STOP complaining and instead get behind projects that will fix this shit by making the internet bulletproof.
BTW, I have to manoeuvre some IP addresses of the CDNs in /etc/hosts in order to get access to github.com today, and some others for stack overflow.com last week. Interference from those who have power really sucks!
CDNs nowadays are so vulnerable to political issues, and some CDNs seems to be hurt by extended non-specific attacks/blocks to some other sites sharing the same IP addresses, due to some unrelated reasons, which makes me feel nostalgic to the web before CDNs.
You can do the same setup as http://piratebrowser.com/
But a government like China interferes with even VPNs (more so outside of the greater Shanghai and Beijing metro areas, in case anyone is sitting in those areas saying "My VPN works great"... they permit it and can block or interfere with it anytime they like) so I don't think they are really a solution. In China, nothing really works if the authorities don't want it to. VPNs are degraded to the point of being unusable, SOCKs proxy over SSH is the same, TOR is unusably slow, etc. Unfortunately, I don't think there really IS a solution in the face of determined governmental interference.
However, don't discount the impact of bandwidth/peering issues on VPN performance. In most cases, I've found that VPN throughput over TCP (either PPTP or OpenVPN) is similar to HTTP throughput to the same host.
You can test this yourself. Put a file on your VPN server, and try to retrieve it over HTTP. If you're worried that the latency is limiting the throughput, use wget to make several connections at the same time, and sum up the transfer speeds.
Finally, you're right - there is no (technical) solution in the face of determined governmental interference.