7

For work I often go to China, and there I met some dissidents I would like to help.

I need to upload some videos to an ftp server in Europe.

I will connect through a public hotspot without authentication. The problem is that I'm afraid that they might trace me back through the OS (Ubuntu) or cookies, or maybe the MAC address.

  • Should I use a brand new laptop? Maybe a dual boot is enough?
  • Which steps should I take to ensure my anonymousness, so that they will not be able to trace the upload to me?
Ebenezar John Paul
  • 2,894
  • 15
  • 23
Mascarpone
  • 171
  • 5
  • 2
    Is this question really pertaining to "surfing"? or is it limited only to the FTP communication – Ormis Apr 25 '11 at 16:01
  • 1
    Please check out these related questions already posted, could be some useful info there for you: - [Different strategies for online anonymity](http://security.stackexchange.com/q/2398/485) - [How much can I trust Tor](http://security.stackexchange.com/q/1057/485) – Rory Alsop Apr 26 '11 at 07:51

10 Answers10

6

If you are concerned about getting the data out with as low a risk of being exposed/linked/caught with the data, you should not use the internet from inside China.

For a scenario like this, physically moving the stored data out of the country is the safest option. So a thumb-drive with encrypted data somewhere in your (carry-on) luggage is a good option.

As an alternative you could store an encrypted copy of the data on your camera's flash memory. Possibly even hide the encrypted file with within your photos (jpeg data is ideal for Steganography)

Jacco
  • 7,512
  • 4
  • 32
  • 53
4

if you're concerned with FTP, I would recommend sftp.

In the case where you're concerned with your identity overall, there are many steps you need to take (I'm approaching this from a paranoid stance, which is what you are looking for, i assume)

Step 1) Client Side Security... So anti-virus, firewalls, anti-malware are all big concerns. Also, keeping security minded while browsing (using things like no-script, addblock, and tor)

Step 2) leakage of the data you're sending over... In your situation take every step you can to protect yourself. I would use full disc encryption on your laptop and the files that need uploaded individually and use an encrypted tunnel., sftp like i mentioned or tunnel over ssh (the SOCKS proxy that @Ben Preston mentioned).

Step 3) anonymously rent out a server... send the videos to the rented server and then transfer them from that hosted repository to your actual server through a different means (which also should be secure).

A better option that sending the videos to a server you own or rent is to attempt to disperse the video content around the web, and numerous open FTP servers, video sharing sites, file sharing utilities, etc. If you can throw the video at the cloud, it's unrealistic to think that any one body can stop the information from propagating. Youtube, rapidshare, megaupload, Tor based video upload sites, random FTP servers with upload folders... they're all possible places to store this information. But again this is assuming that you just want information to get out about something.

There's no reasonable way to obscure the source and destination if you're connected through them, but you want to make sure that they either don't know what you're sending and/or they are unable to see where it is coming from and going to.

If you're trying to circumvent the Chinese government, the safest option I see is to encrypt it and throw it onto a thumb-drive and sneaker-net it out of the country.

And now we're all being watched by the Chinese govt :-P

P.S. I deleted my many other posts and attempted to consolidate them here.... so I'm sorry if it came together a bit wonky...

Ormis
  • 1,940
  • 13
  • 18
  • I am concerned about my identity. Theoretically they might trace back to me using videocameras and mac addresses.... – Mascarpone Apr 25 '11 at 16:23
  • ok. Where do you think I can rent an anonymous server? – Mascarpone May 03 '11 at 12:34
  • 1
    Sending IP will be detected by (here: Chinese) government and most probably tracked. You might "upload anonymous" according to the target server, but you should remember you're initially using the connections available in the country you're sending data from. If you're not using a one-time, non-trackable and encrypted satellite connection, you're not anonymous. And even when you do that, you need to change your physical location constantly! –  Jan 11 '12 at 21:13
  • how would you rent out a server anonimously? – Lex Feb 13 '13 at 16:41
  • @Mascarpone: nearlyfreespeech is one such provider. – 0xC0000022L Jun 03 '13 at 12:12
3

If you want to be sure that the files you download and upload your brownsing are untraceable, then Create a VPN to your server in Europe. All what you need to do, do it remotely on the remote server, in this way you are still respecting the law.

In case you don't have internet connection reliable enough to open a VPN, then I would advise you to go for limited solutions like using TOR https://www.torproject.org/

Phoenician-Eagle
  • 2,237
  • 17
  • 21
  • 3
    I recommend not sending any data through a tor node that you care about. It does help monumentally with anonymity when surfing, but when it comes to actual data transfers between two reliable points (even if the span between is shady) another route is best. – Ormis Apr 25 '11 at 16:03
  • @Ormis, correct – Phoenician-Eagle Apr 25 '11 at 16:05
  • 1
    @Ormis, why is tor not recommended? – dozer May 31 '14 at 12:55
3

Either send all of your traffic through VPN connection to a server you have set up outside of China or you can use ssh to create a SOCKS proxy (ssh -D 8080 user@host) and configure your browser or ftp client to use it.

Better still would be for this server in Europe to be configured to accept SFTP transfers rather than FTP.

Ben Preston
  • 131
  • 1
2

The truth is you really need a VPN if you stay in China for more than a couple of days, most good sites are blocked there. The block on Facebook is the most annoying one, and also my gMail account didn`t work every time (without VPN I mean).Anyway, I used http://www.sunvpn.com/ while there, worked like a charm every time.

Jenn
  • 21
  • 1
2

On the face of things, you are either paranoid, or doomed. If "they" are after you (by "they" I mean the whole apparatus of political police that they have in China), then they will try to track you down and they have several ways for that, because they are powerful and determinate, and computers tend to leave traces of their action everywhere.

Your model is not fully defined, because you do not tell where you physically are at the time you want to do the uploading. If you are in China at that time, then know that public WiFi hotspots are actively monitored. Connections to a well-known Europe-based dissident FTP site are likely to trigger alarms. Even if you go through an anonymizing service like Tor, then you are not out of reach:

  • Video files are big and have distinct sizes. Data size tends to leak after encryption (encrypted data size will match cleartext size within a few bytes). If a video file of size 23.454739 MB appears on a dissident size, then Chinese police just has to look in their logs which public WiFi was involved in uploading a file of that size in the previous days.

  • Tor works by using a number of collaborating "relays". The Tor user chooses (randomly) a sequence of relays, from an "entry point" to an "exit point". The exit point sees the data, the entry point sees the source IP address. If China forces are at least half competent, then they already operate several (many) Tor relays. If, out of bad luck, you randomly choose as entry point and exit point two such relays, then they will correlate traffic (by size and timing) and obtain the IP address (it is a limitation of the Tor model: Tor preserves anonymity only as long as the relays are much more numerous than what the attackers may muster).

Once the police forces know the public WiFi from which the data upload began, they just have to have a look at the recordings from the security cameras, and then see your face. You'd better wear a fake beard (possibly over your genuine beard, if you have one). Also, the WiFi access points will probably record your MAC address, which reveals the brand of the hardware and can be compared with that of your laptop, should you be intercepted at the airport (MAC addresses can be changed programmatically, but you have to think about doing it).

Undercover upload without detection from police forces which are known to be, let's say, "proactive", is a difficult task. In particular, legalistic protection of the type "they cannot prove anything against me" will not be sufficient: you don't want them to suspect anything about you. This is a use case, even the use case, for steganography: you'll want to embed the litigious files into innocent-looking data. For instance, first get a bunch of pictures of cute kittens. Then, use a steganography tool to hide the data in the pictures. Once outside of the country, extract the files again, and do the upload from a presumably "safe place" (e.g. from a public WiFi hotspot in a country which is known not to collaborate with Chinese political police).

This still has the problem of getting the tool itself into the country in the first place. Having that on your computer or a USB key could be incriminating. Downloading it from elsewhere once you are in China is also subject to tracking. You might want to learn the source code by heart, and type it in on a brand new laptop which you buy there (and discard after the steganography tool has been applied).

You would still have the problem of file comparison: if you use public photographs of kittens from the Internet, then the police forces could download the same pictures, and see that yours do not match, bit-to-bit, the ones which are publicly available. Instead, make 3000 photos of your own cat with your own camera, and don't publish them on the Internet. (Side effect: the Chinese police will think that you are worshipping your pet to utterly unhealthy levels.)

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
1

Your threat model looks like;

  • The IP address of the FTP server must never be associated with you.
  • The content you are uploading must remain confidential from Chinese authorities during transit.
  • The act of uploading the content must not cause any response from Chinese authorities.

So, using ToR alone is not enough - the exit node could be run by an unfriendly party, who are able to associate your IP with the FTP server IP, and to view the content, so just using ToR on its own still potentially breaks all 3 points above.

The exit node cannot be trusted, so you must do two things;

  1. Encrypt your traffic.
  2. Upload to a server that is not the same as the FTP server.

Point 1 prevents the content from being viewed in transit, which will prevent any content-based response from the Chinese. Point 2 ensures that if the Chinese identify the dissident material server at some point in the future, they cannot tie the upload to your session, because the IPs do not match.

So your approach should be;

  1. Open an SSL tunnel to an unrelated server in Europe you control (grab a free Amazon AWS node if you do not have a server, but make sure you grab the RSA fingerprint from an out-of-bounds source, such as a trusted friend). This tunnel can be made through the ToR network, but it does not strictly need to be (we are talking major tin-foil hat territory, but it can't hurt). This can also be an FTPS connection, anything with SSL is fine.
  2. Upload your content through the tunnel.
  3. SSH into the intermediate server and push your content to the final FTP server through another encrypted tunnel (SCP or FTPS). Again, feel free to run this through a ToR circuit if you're feeling insane.
  4. If you use AWS, release the elastic IP as quickly as possible, and remove the node.

Do all of this from a virtual machine on an encrypted disk, which you securely delete afterward, from a shady internet cafe in a neighbouring town, in which you paid cash, with a randomized host MAC and VM MAC, wear a false moustache and I'd say you're golden :P.

lynks
  • 10,646
  • 5
  • 29
  • 54
1

To expand on the suggestion to use TOR - the TOR browser bundle can be a nice tool. No files to install, you can use it directly from a flash drive.

https://www.torproject.org/projects/torbrowser.html.en

getahobby
  • 175
  • 3
  • 1
    TOR networks will most likely be blocked or filtered. Remember, it's China! –  Jan 11 '12 at 21:10
0

You can just use a VPN service that provides encrypted access. So surfing can be done anonymously. If you are talking about surfing that is. There are many services like that for eg. this one here.

Bee
  • 1
0

I don't know the efficiency of this but

I would be doing something like this.

Buy a Pre-paid 3G data card and a card Buy a Pre-paid gsm phone buy a cheap laptop leave it at home (or somewhere where he could be 24x7 powered, solar panel could be interesting...).

Prepare the machine to receive dialup calls. (use public phones) use that calls to turn on or off the 3G network. Prepare the machine to be an ssl vpn / vpn server so you can connect from any computer anywhere easy way :).

Pre prepare the information. Cypher the videos and break it in small chunks. Cypher each chunk individually with some extra file with random trash.

Upload each of them when you have opportunity don't upload them all at same time... :) Use different clients in different places.

Use the remote laptop to rebuild the videos and do whatever you wish.

This is just my thinking in the last 10 minutes :) I don't really know if it is viable. :) and I don't know the Great Firewall of China... :)

Hugo
  • 1,701
  • 11
  • 12