2008.03.31
Trà Mi, RFA reporter
The human rights organization Reporters Without Borders, headquartered in France, has just released the second edition of its “Handbook for the blogger community and those who express dissenting views on the internet”, with the aim of helping people in authoritarian countries exercise their right to free expression and escape strict state censorship.
Handbook for bloggers and cyber-dissidents. Courtesy of rsf.org.
On this topic, Trà Mi spoke with Ms. Clothilde Le Coz, head of the Internet freedom advocacy office at Reporters Without Borders.
Ms. Clothilde Le Coz: The book is divided into two parts. Part 1 shows people how to use and update a personal blog, an online diary. Part 2 is for bloggers in authoritarian countries that control the internet, and gives guidance on techniques for breaking through state censorship.
In addition, the handbook contains real stories about real people and events, in which bloggers around the world share their difficulties and experience.
Trà Mi: How can bloggers in Vietnam get this handbook?
Ms. Clothilde Le Coz: We are trying to distribute the book to our contacts. You can read and download it from our website at http://www.rsf.org, or from the websites of non-governmental organizations.
In countries where our organization's website is blocked by a firewall, some bloggers still post this handbook on their personal blogs to share it with the community. We are also considering translating the handbook into Vietnamese so that it can reach more people in Vietnam.
From what we at Reporters Without Borders have observed, countries that control the internet, such as Vietnam, always use the pretext of preventing illegal acts to issue laws censoring websites and restricting internet freedom and people's freedom to express their views. In practice, a great many websites that exercise freedom of speech or discuss human rights are blocked by the state.
Trà Mi: In your view, what can people do in the face of such laws and regulations?
Ms. Clothilde Le Coz: The first thing is to help people learn how to use technical methods against censorship, and this needs to be spread widely. Once people understand the countermeasures, state censorship will to some extent be neutralized. The second important thing is that people should not be daunted by acts of coercion and human rights violations, and should keep blogging to express their thoughts and share information, in order to exercise each individual's right to free expression.
The state of internet freedom in Vietnam
Trà Mi: How does Reporters Without Borders assess the state of internet freedom in Vietnam?
Ms. Clothilde Le Coz: It is one of the countries with the worst internet freedom in the world, the clear evidence being that 8 people who expressed dissenting opinions online are currently in prison. Vietnam is copying exactly China's views and approach to managing the internet. Since 2002, a cyber police force has appeared in Vietnam, dedicated to monitoring and inspecting internet cafés. This makes people afraid to report on social realities and to exercise their right to freely express their thoughts.
Trà Mi: The Vietnamese authorities assert that internet management is meant to help it develop in the right direction and to prevent abuse of the right to free expression to oppose the state or harm national security. What is your opinion on this?
Ms. Clothilde Le Coz: Then what is that right direction in which it needs to develop?
Trà Mi: In the words of the authorities, it is healthy and beneficial internet development.
Ms. Clothilde Le Coz: So what is called “healthy” when people have no right to criticize the state or to reflect social life? It is not “healthy” at all when people are not allowed to freely voice their thoughts and feelings.
Those who are in prison for articles circulated on the internet only expressed their views; they did nothing harmful to the people or the nation of Vietnam. People in France or in Europe exercise that right every day, and is anyone sent to prison for it?! It is not an act of disturbing social order or national security; it is freedom of speech, freedom to express opinions, a human right of citizens.
Trà Mi: Thank you very much for taking the time for this conversation.
Information online:
How to blog anonymously http://www.rsf.org/article.php3?id_article=15012
http://www.rfa.org/vietnamese/in_depth/2008/03/31/RSFHandbookForBloggersAndCyberDissidents_TMi/
How to blog anonymously
This is a quick technical guide to anonymous blogging that tries to approach the problem from the angle of a government whistleblower in a country with a less-than-transparent government. It’s not intended for cypherpunks, but for people in developing nations who are worried about their safety and want to take practical steps to protect their privacy.
The Electronic Frontier Foundation’s guide, “How to Blog Safely”, also offers some very good advice on this.
Introducing Sarah
Sarah works in a government office as an accountant. She becomes aware that her boss, the deputy minister, is stealing large amounts of money from the government. She wants to let the world know that a crime is taking place, but she’s worried about losing her job. If she reports the matter to the minister (if she could ever get an appointment!), she might get fired. She calls a reporter at the local newspaper, but he says he can’t run a story without lots more information and documents proving her claims.
So Sarah decides to put up a weblog to tell the world what she knows about what’s happening in the ministry. To protect herself, she wants to make sure no one can find out who she is, based on her blog posts. She needs to blog anonymously.
There are two major ways she can get caught when trying to blog anonymously. One is if she reveals her identity through the content she posts – for instance, if she says: “I’m the assistant chief compliance accountant to the deputy minister of mines,” there’s a good chance that someone reading her blog is going to figure out who she is pretty quickly.
The other way Sarah can get caught is if someone can determine her identity from information provided by her web browser or email program. Every computer attached to the internet has – or shares – an address called an IP address: a series of four numbers from 0-255, separated by dots, for instance 213.24.124.38. When Sarah uses her web browser to make a comment on the minister’s blog, the IP address she was using is included on her post.
With a little work, the minister’s computer technicians may be able to trace Sarah’s identity from this IP address. If Sarah is using a computer at home, dialing into an Internet service provider, the ISP likely has records of which IP address was assigned to which telephone number at a specific time. In some countries, the minister might need a subpoena to obtain these records; in others (especially ones where the ISP is owned by the government), the ISP might give out this information very easily, and Sarah might find herself in hot water.
There are a number of ways Sarah can hide her identity when using the Internet. As a general rule, the more secure she wants to be, the more work she needs to do to hide her identity. Sarah – and anyone else hoping to blog anonymously – needs to consider just how paranoid she wants to be before deciding how hard she wants to work to protect her identity. As you will see, some of the strategies for protecting identity online require a great deal of technical knowledge and work.
Step one – Pseudonyms
One easy way Sarah can hide her identity is to use a free webmail account and free blog host outside her native country. (Using a paid account for either email or webhosting is a poor idea, as the payment will link the account to a credit card, a checking account or Paypal account that could be easily linked to Sarah.) She can create a new identity – a pseudonym – when she signs up for these accounts, and when the minister finds her blog, he’ll discover that it belongs to “A. N. Ymous”, with the email address anonymous.whistleblower@hotmail.com.
Some providers of free webmail accounts:
Some providers of free weblog hosting:
Here’s the problem with this strategy. When Sarah signs up for an email service or a weblog, the webserver she’s accessing logs her IP address. If that IP address can be traced to her – if she’s using her computer at home or her computer at work – and if the email or weblog company is forced to release that information, she could be found. It’s not a simple matter to get most web service companies to reveal this information – to get Hotmail, for instance, to reveal the IP Sarah used to sign up for her account, the minister would likely need to issue a subpoena, probably in cooperation with a US law enforcement agency. But Sarah may not want to take the risk of being found if her government can persuade her email and weblog host to reveal her identity.
Step two – Public computers
One extra step Sarah could take to hide her identity is to begin using computers to make her blogposts that are used by lots of other people. Rather than setting up her webmail and weblog accounts from her home or work computer, Sarah could set them up from a computer in a cybercafé, library or university computer lab. When the minister traces the IP used to post a comment or item, he’ll find the post was made from a cybercafé, where any number of people might have been using the computers.
There are flaws in this strategy as well. If the cybercafé or computer lab keeps track of who is using what computer at what time, Sarah’s identity could be compromised. She shouldn’t try to post in the middle of the night when she’s the only person in the computer lab – the geek on duty is likely to remember who she is. And she should change cybercafés often. If the minister discovers that all the whistleblower’s posts are coming from “Joe’s Beer and Bits” on Main Street, he might stake someone out to watch the cybercafé and see who’s posting to blogs in the hope of catching Sarah.
Step three – Anonymous proxies
(See also the chapter on “Technical ways to get round censorship”.) Sarah’s getting sick of walking to Joe’s cybercafé every time she wants to post to her blog. With some help from the neighborhood geek, she sets up her computer to access the web through an anonymous proxy. Now, when she uses her webmail and weblog services, she’ll leave behind the IP address of the proxy server, not the address of her home machine… which will make it very hard for the minister to find her.
First, she finds a list of proxy servers online, by searching for “proxy server” on Google. She picks a proxy server from the publicproxyservers.com list, choosing a site marked “high anonymity”. She writes down the IP address of the proxy and the port listed on the proxy list.
Some reliable lists of public proxies:
Then she opens the “preferences” section of her web browser. Under “general”, “network” or “security” (usually), she finds an option to set up a proxy to access the Internet. (On the Firefox browser, this option is found under Preferences – General – Connection Settings.)
She turns on “manual proxy configuration”, enters the IP address of the proxy server and port into the fields for HTTP proxy and SSL proxy and saves her settings. She restarts her browser and starts surfing the web.
She notices that her connection to the web seems a bit slower. That’s because every page she requests from a webserver takes a detour. Instead of connecting directly to hotmail.com, she connects to the proxy, which then connects to Hotmail. When Hotmail sends a page to her, it goes to the proxy first, then to her. She also notices she has some trouble accessing websites, especially those that want her to log in. But at least her IP isn’t being recorded by her weblog provider.
A fun experiment with proxies: Visit noreply.org, a popular remailer website. The site will greet you by telling you what IP address you’re coming from: “Hello pool-151-203-182-212.wma.east.verizon.net 151.203.182.212, pleased to meet you.”
Now go to anonymizer.com, a web service that allows you to view (some) webpages through an anonymous proxy. In the box on the top right of the anonymizer page, enter the URL for http://www.noreply.org. You’ll note that noreply.org now thinks you’re coming from vortex.anonymizer.com. (Anonymizer is a nice way to test proxies without needing to change your browser settings, but it won’t work with most sophisticated web services, like webmail or weblogging servers.) Finally, follow the instructions above to set up your web browser to use an anonymous proxy and then visit noreply.org to see where it thinks you’re coming from.
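The experiment above shows only the connecting address; a proxy can still pass Sarah's address along in request headers, which is what separates a “high anonymity” listing from the others. The sketch below is an added example, not part of the original guide: it classifies what a destination server received, using constructed sample requests, the guide's sample address 151.203.182.212 as the address to hide and a made-up proxy address 203.0.113.10. The three category names follow common proxy-list usage and are an assumption here.

```python
import ipaddress
import re

# Request headers that forwarding proxies commonly add. Any of them can
# carry the client's own address to the destination server.
CLIENT_IP_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip")
PROXY_MARKER_HEADERS = ("via", "proxy-connection")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addresses_in(value):
    """Return every syntactically valid IPv4 address found in a header value."""
    found = set()
    for candidate in IPV4_RE.findall(value):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def classify(seen_remote_addr, seen_headers, real_ip):
    """Classify how much a proxy reveals, from the destination's point of view.

    seen_remote_addr: source address of the connection the server saw
    seen_headers:     request headers the server received
    real_ip:          the address the user is trying to keep private
    """
    headers = {k.lower(): v for k, v in seen_headers.items()}
    if seen_remote_addr == real_ip:
        return "no proxy in use"
    for name in CLIENT_IP_HEADERS:
        if real_ip in addresses_in(headers.get(name, "")):
            return "transparent: real address leaked in " + name
    if any(name in headers for name in PROXY_MARKER_HEADERS + CLIENT_IP_HEADERS):
        return "anonymous: address hidden, but proxy use is visible"
    return "high anonymity: no address and no proxy markers"


# Constructed examples of what a destination server might receive.
SAMPLES = {
    "direct": ("151.203.182.212", {"User-Agent": "Firefox"}),
    "leaky": ("203.0.113.10", {"Via": "1.1 cache.example",
                               "X-Forwarded-For": "151.203.182.212"}),
    "rfc7239": ("203.0.113.10", {"Forwarded": "for=151.203.182.212;proto=http"}),
    "marked": ("203.0.113.10", {"Via": "1.1 cache.example",
                                "X-Forwarded-For": "unknown"}),
    "clean": ("203.0.113.10", {"User-Agent": "Firefox"}),
}


def classify_samples(real_ip="151.203.182.212"):
    return {name: classify(addr, hdrs, real_ip)
            for name, (addr, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8} {verdict}")
```

A clean result here only describes what the destination server receives; the proxy itself still sees the connecting address.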
Alas, proxies aren’t perfect either. If the country Sarah lives in has restrictive Internet laws, many websurfers may be using proxies to access sites blocked by the government. The government may respond by ordering certain popular proxies to be blocked. Surfers move to new proxies, the government blocks those proxies, and so the circle continues. All this can become very time-consuming.
Sarah has another problem if she’s one of very few people in the country using a proxy. If the comments on her blog can be traced to a single proxy server, and if the minister can access logs from all the ISPs within a country, he might be able to discover that Sarah’s computer was one of the very few that accessed a specific proxy server. He can’t demonstrate that Sarah used the proxy to post to a weblog server, but he might conclude that the fact that the proxy was used to make a weblog post and that she was one of the few people in the nation to use that proxy constituted evidence that she made the post. Sarah would do well to use proxies that are popular locally and to switch proxies often.
Step four – This time it’s personal
Sarah starts to wonder what happens if the proxy servers she’s using get compromised. What if the minister convinces the operator of a proxy server – either through legal means or bribery – to keep records and see whether anyone from his country is using the proxy, and what sites they’re using? She’s relying on the proxy administrator to protect her, and she doesn’t even know who the administrator is. Though the proxy administrator may not even know she’s running a proxy – proxies are often left open by accident.
Sarah has friends in Canada – a country less likely to censor the Internet than Sarah’s own country – who might be willing to help her maintain her blog while protecting her identity. Sarah phones her friend and asks him to set up “Circumventor” on his system. Circumventor is one of dozens of proxy servers a user can set up to allow people to use his computer as a proxy.
Sarah’s friend Jim downloads Circumventor from Peacefire.org and installs it on his Windows system. It’s not an easy install – he needs to install Perl on his system, then install OpenSA, then Circumventor. And he now needs to keep his computer connected to the Internet constantly, so that Sarah can use it as a proxy without previously asking him to turn it on. He gets the software set up, calls Sarah’s cellphone and gives her a URL she can start using to surf the web through his proxy, or post to her blog. This is especially convenient, because Sarah can use the proxy from home or from a cybercafé, and doesn’t have to make any changes on her system.
While Sarah’s very grateful for Jim’s help, there’s a major problem with the arrangement. Jim’s computer – which runs Windows – reboots quite often. Whenever it does, his ISP assigns a new IP address to the machine. Each time this happens, the proxy stops working for Sarah. Jim needs to contact Sarah again and tell her the new IP that Circumventor is associated with. This rapidly gets expensive and frustrating. Sarah also worries that, if she uses any one IP address too long, her ISP may succumb to government pressure and start blocking it.
Step five – Onion Routing through Tor
Jim suggests that Sarah experiment with Tor, a relatively new system that provides a high degree of anonymity for websurfing. Onion routing takes the idea of proxy servers – a computer that acts on your behalf – to a new level of complexity. Each request made through an onion routing network goes through two to 20 additional computers, making it hard to trace what computer originated a request.
Each step of the Onion Routing chain is encrypted, making it harder for the government of Sarah’s country to trace her posts. Furthermore, each computer in the chain only knows its nearest neighbors. In other words, router B knows that it got a request for a webpage from router A, and that it’s supposed to pass the request on to router C. But the request itself is encrypted – router B doesn’t actually know what page Sarah is requesting, or what router will finally request the page from the webserver.
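The layering described above can be shown in a few lines. This is an added example, not code from the guide or from the Tor project: it assumes the sender already shares a random key with each relay (Tor negotiates these per hop), uses a toy HMAC-based cipher from the standard library in place of Tor's real cryptography, and the relay names, destination and request are constructed.

```python
import hashlib
import hmac
import json
import os


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def keystream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = _prf(key, b"enc", nonce + offset.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, next_hop, payload):
    """Add one layer: encrypt {next hop, inner payload} for a single relay."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    ciphertext = keystream_xor(key, nonce, body)
    return nonce + _prf(key, b"mac", nonce + ciphertext) + ciphertext


def peel(key, cell):
    """Remove one layer. Raises ValueError if the layer is not for this key."""
    nonce, tag, ciphertext = cell[:16], cell[16:48], cell[48:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ciphertext)):
        raise ValueError("layer was not encrypted for this relay")
    layer = json.loads(keystream_xor(key, nonce, ciphertext))
    return layer["next"], bytes.fromhex(layer["data"])


def build_onion(path, destination, request):
    """path is [(relay_name, key), ...], entry relay first; wrap inside out."""
    cell, next_hop = request, destination
    for name, key in reversed(path):
        cell = seal(key, next_hop, cell)
        next_hop = name
    return cell  # this is what the sender hands to path[0]


def route(path, cell, sender="sarah"):
    """Forward the cell hop by hop, recording what each relay can observe."""
    keys = dict(path)
    views = []
    previous, current = sender, path[0][0]
    while current in keys:
        next_hop, cell = peel(keys[current], cell)
        views.append({"relay": current, "from": previous,
                      "to": next_hop, "payload": cell})
        previous, current = current, next_hop
    return views, current, cell


def demo():
    # Constructed three-relay path with random per-relay keys (an assumption).
    path = [(name, os.urandom(32)) for name in ("A", "B", "C")]
    request = b"POST /new-entry HTTP/1.0"
    onion = build_onion(path, "blog.example", request)
    views, destination, delivered = route(path, onion)
    return path, onion, request, views, destination, delivered


if __name__ == "__main__":
    for view in demo()[3]:
        print(view["relay"], "got it from", view["from"], "and forwards to",
              view["to"], "| payload bytes:", len(view["payload"]))
```

Relays A and B handle only ciphertext and learn one neighbour on each side; the last relay, C, sees the request itself but only knows it came from B.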
Given the complexity of the technology, Sarah is pleasantly surprised to discover how easy it is to install Tor, an onion routing system. She downloads an installer which installs Tor on her system, then downloads and installs Privoxy, a proxy that works with Tor and has the pleasant side benefit of removing most of the ads from the webpages Sarah views.
After installing the software and restarting her machine, Sarah checks noreply.org and discovers that she is, in fact, successfully “cloaked” by the Tor system – noreply.org thinks she’s logging on from Harvard University. She reloads, and now noreply thinks she’s in Germany. From this she concludes that Tor is changing her identity from request to request, helping to protect her privacy.
This has some odd consequences. When she uses Google through Tor, it keeps switching language on her. One search, it’s in English – another, Japanese. Then German, Danish and Dutch, all in the course of a few minutes. Sarah welcomes the opportunity to learn some new languages, but she’s concerned about some other consequences. Sarah likes to contribute to Wikipedia, but discovers that Wikipedia blocks her attempts to edit articles when she’s using Tor.
Tor also seems to have some of the same problems Sarah was having with other proxies. Her surfing slows down quite a bit, as compared to surfing the web without a proxy – she finds that she ends up using Tor only when she’s accessing sensitive content or posting to her blog. And she’s once again tied to her home computer, since she can’t install Tor on a public machine very easily.
Most worrisome, though, she discovers that Tor sometimes stops working. Evidently, her ISP is starting to block some Tor routers – when Tor tries to use a blocked router, she can wait for minutes at a time, but doesn’t get the webpage she’s requested.
Step six – Mixmaster, Invisiblog and GPG
Surely there’s a solution to the blogging problem that doesn’t involve a proxy server, even one as sophisticated as Tor.
After spending quite a long time with the local geek, she explores a new option: Invisiblog. Run by an anonymous group of Australians called vigilant.tv, it’s a site designed for and by the truly paranoid. You can’t post to Invisiblog via the web, as you do with most blog servers. You post to it using specially formatted email, sent through the MixMaster remailer system, signed cryptographically.
It took Sarah a few tries to understand that last sentence. Eventually, she set up GPG – the GNU implementation of Pretty Good Privacy, a public-key encryption system.
In two sentences: Public-key encryption is a technique that allows you to send messages to a person that only she can read, without her needing to share a secret key with you that would let you read messages other people send to her. Public-key encryption also allows people to “sign” documents with a digital signature that is almost impossible to forge.
She generates a keypair that she will use to post to the blog – by signing a post with her “private key”, the blog server will be able to use her “public key” to check that a post is coming from her, and then put it on the blog. (see also the chapter on “How to ensure e-mail is truly private”)
She then sets up MixMaster, a mailing system designed to obscure the origins of an email message. MixMaster uses a chain of anonymous remailers – computer programs that strip all identifying information off an email and send it to its destination – to send email messages with a high degree of anonymity. By using a chain of 2 to 20 remailers, the message is very difficult to trace, even if one or more of the remailers is “compromised” and is recording sender information. She has to “build” MixMaster by compiling its source code, a project that requires a great deal of geek assistance.
She sends a first MixMaster message to Invisiblog, which includes her public key. Invisiblog uses this to set up a new blog, with the catchy name “invisiblog.com/ac4589d7001ac238” – the long string is the last 16 bytes of her GPG key. Then she sends future posts to Invisiblog by writing a text message, signing it with her private key and sending it via MixMaster.
It’s not nearly as fast as her old style of blogging. The misdirection of MixMaster mailers means that it takes anywhere from two hours to two days for her message to reach the servers. And she has to be very careful about looking at the blog – if she looks at it too often, her IP address will appear in the blog’s log frequently, signaling that she’s likely to be the blog author. But she’s reassured by the fact that the owners of Invisiblog have no idea who she is.
The main problem with the Invisiblog system is the fact that it’s incredibly difficult for most people to use. Most people find GPG a challenge to set up, and have difficulty understanding the complexities of public and private keys. More user-friendly crypto tools, like Ciphire, have been set up to help the less geeky of us, but even they can be tricky to use. As a result, very few people – including those who might really need it – use encryption for most of their email.
MixMaster is a true technical challenge for most users. Windows users can use an early DOS version of the program by downloading it here. I downloaded and tested it, and it doesn’t appear to work… or perhaps my email is still being remailed back and forth between remailers. Anyone wanting to use the newer version, or wanting to use the program on Linux or Mac, needs to be able to compile the program themselves, a task beyond many expert users. It’s possible that Invisiblog would become more useful if it accepted messages from web-accessible remailers, like riot.eu.org, but for now, I can’t see it as being particularly helpful for the people who need it most.
There are other problems with strong encryption in repressive countries. If Sarah’s computer is seized by the government and her private key is found, it would constitute strong evidence that Sarah had authored the controversial blog posts. And, in countries where encryption is not widely used, simply sending out MixMaster messages – mail messages wrapped in strong encryption – might be enough to cause Sarah’s Internet activity to be watched closely.
How much anonymity is enough? How much hassle is too much?
Is Sarah’s solution – learning enough about cryptography and software to use MixMaster – your solution? Or is some combination of steps 1-5 enough to let you blog anonymously? There’s no single answer. Any path towards anonymity needs to consider local conditions, your own technical competence and your level of paranoia. If you’re worried that what you’re posting could put you at risk and you’re capable of installing it, posting to a blog through Tor is a very good idea.
And remember not to sign your blog posts with your real name!
Ethan Zuckerman
Ethan Zuckerman is a fellow at the Berkman Center for Internet and Society at Harvard Law School where his research focuses on the relationship between citizen journalism and conventional media, especially in the developing world. He’s a founder and former director of Geekcorps, a non-profit organization that focuses on technology training in the developing world, and was one of the founders of webhosting company Tripod.