 Good afternoon. Thank you for all coming today. I'm here to announce a new software project fo Which is stand for fee over email The main goal of this project is to create a program that allows internet users in censored countries to receive news feeds Before I begin Allow me to first introduce myself My name is Sho Ho. I'm a member of the Internet anti-censorship team at the broadcasting board of Governors for BBG BBG is the federal agency that oversees and supports the operations of a voice of America Radio Free Asia and so on together these Broadcasters bring news to people around the world in 60 languages and the reach 175 million people every week in Today's presentation. I will first go over some background information so you know what we do Next I will review the current censorship and anti censorship technologies then I'll explain where is foe the technology behind it and its limitations After that, I will do a demo so you can see how foe works In the end, I will tell you how you can help us to fight censorship and then maybe make some money doing it Okay, let me stop by telling you what our team does when I read the news I Sometimes find it very sad that the elephant and the donkey are always trying to Crucify each other when they get a chance or never get a chance and Sometimes I wonder why can they just stop fighting and do something more constructive Like Recognize the differences work together and create something good together Huh, look at the picture isn't adorable But with all the bad things that we read about our government and the others There are at least two things We should be happy about number one. We can actually read about the bad things on the news number two We can criticize our government or make fun of it in other words freedom of press and the freedom of speech These are some of the most important rights that we have in the United States however In some countries things can be quite different over there People don't always get the full story of the news because their government Will remove harmful news for them over there people are Not allowed to criticize their government So people like John Will be locked up in jail This is called censorship So and we are here to fight it But things are not always that simple. There are two mean challenges when fighting internet censorship Number one we need to find some useful anti censorship programs like tour Freegate ultra surf Siphon and James Marshall's CGI proxy Fighting internet censorship is like a cat and mouse game Sensors would come up with new ways to take over the internet and We need to come up with new ways to fight them The next challenge we face is how to reach people in censored countries Let's see we have the best anti censorship software and then we want to tell people about it, but how How do you reach people inside the censored countries? this is actually a big problem because all the usual communication channels are blocked and The in almost seems impossible to reach the people on the other side of the firewall So let's now take a look at the most commonly used censorship Technologies and how to circumvent each of them IP address blocking This is the most basic Censorship technique the sensor simply block all the harmful IP addresses at the national firewall Fighting IP blocking is also so straightforward We can keep changing our websites IP addresses all We can tell the users to use proxy servers after a while the sensors realize That is difficult to catch up with all the new IP addresses So they begin to use a new blocking technique domain name blocking domain name blocking is a Much more flexible way for blocking websites It doesn't matter what IP addresses you change to as long as you don't change your domain name Your side will be blocked To fight domain name blocking We can tell the users to use proxy servers Then after a while the sensors realize that there are just too many harmful domains and They can't keep track of all of them So they implemented another censorship technology This one is a packet filtering the way it works It's by screening packets for harmful keywords And if if if they found it the sensor were terminated the connection between the user and the website To circumvent this type of blocking we can tell the user to use SSL enable proxy SSL will encrypt the data which make it difficult for sensors to To perform real-time packet filtering a few years ago The Chinese government creates something to confuse their internet users They hijacked DNS requests and Resolve certain host names to wrong IP addresses In one incident They redirect all Google users to buy do comm For those of you don't know what's by do is it's China's biggest search engine To fight DNS hijacking we can tell users to use proxy servers a Few months ago the Chinese government tried to force all PC makers to pre-install a software on All the PCs they sell The software is called Green Dam It is basically a sensor where and Potentially capable of performing all the censorship work and the much more powerful Luckily for now the Chinese government back down in the last minute due to public outcry The best way to fight sensor where is to remove it The software that will remove Green Dam is widely available a few days after Green Dam was released Now and everyone know what we do and how censorship work and how we fighting it So let's move forward to talk about today's mean pop mean topic foe Stand for fee over email the concept of foe is very simple foe uses specially formatted emails to Transmit RSS feeds and the other information Requested by the users The idea is not much different from sending a HTML email except the foe uses its Own data structure instead of using HTML HTML HTML So You're going to ask Why do we need foe? Why not just use it use the proxy servers? Here's a number of reasons why a Reliable public proxy servers are difficult to find Proxy servers work great when you can access it However, web-based proxy servers are just like any other websites that can be blocked by sensors Once a proxy server is blocked The user will need to somehow find the new ones and they're very difficult to find if You are thinking about using software such as tour free gay or ultra surf Be warned that you will have a hard time finding the software in a sensor countries Because the download website will be blocked Even if you can find a copy of the client side proxy program Depending on which program you use You may have different problems Some programs are very slow during rush hours. Some may impose their own censorship to conserve bandwidth Others may charge their users to cover the bandwidth costs We need a reliable communication mechanism to keep in touch with the people inside sensor countries That that is why we create foe to keep in touch with the people in Sensor countries and to send news Proxy URLs and other useful information to them Let's look at how foe works The concept for foe is actually very simple Uses email to transmit RSS feeds and other type of files In order to use foe the user needs to own an email account on a server outside their countries For example, a Chinese internet user should create account from Gmail, but not from badu The reason for this is that mail services in sensor countries May censor foe messages due to local regulations Or to avoid this kind of problems It is safer to just use mail services that all of those country controls of the sensors In the addition the user also need to be download a copy of the foe client Once the user has the email account and the client software The user can start the foe client and the specify what RSS feeds he wants The client which is on the Right side of the graph were then connected to the user's email server and Send a message to the foe server to request for the feeds Know that the connection between The client and its mail server should be SS encrypted This is necessary in order to bypass sensors packet filtering When the foe server, which is on the left side of The graph receives the request It will download the requested RSS feeds for the client and Then email it back to the client's email address When the client receives the reply message It will verify the content and then display the feeds on the client screen Let's see what foe messages look like First Let's take a look at client messages When you see on the screen It's a full request the message. This is the message That foe client sends to the foe server to request for RSS feed As you can see the client tells the server its identity the password is Actually hashed with some additional data to prove that request is to originate from the real users The reason of authentication is because email headers can be easily forged and then we don't want some attackers to use the foe server to spend foe users In third line, you will see the client is requesting a feed with the name VOA Here you can see what the server message looks like from a Conceptual standpoint and the core of the message is the RSS feed that the user requested Then foe wraps the RSS feed with its own data structure or more precisely adding some header information then foe will compress the entire message to reduce the size and At the same time avoids the content futuring Alas foe will encode the compressed message using base 64 encoding Now this may not be necessary, but we are just doing it anyway to avoid problems So let's summarize how foe works foe messages are embedded in the email messages Also foe messages are compressed so it can first reduce the message size second bypass content filters The requirement is user needs a foreign email account for example Gmail Also foe clients sends a request to foe server via email foe server download the request feeds and the emails emails them back to the users and foe client download the foe message and Display the feeds or save the file to the user's computer if it's download So what are some advantages of using foe and then why don't we simply ask the user to use email to communicate with us First foe Has a friendly user interface which does everything automatically and keep the users updated News feeds and updates will arrive automatically when they become available Users don't need to press the reload button regularly in order to get latest news Unlike Web-based proxy foe server can cannot be blocked. So users don't need to find new proxies second Since foe is based on the email It is very easy to port the program to other platforms including mobile phones Linux Free BSD OS 10 and then many others third foe supports Push messaging what it means is that we can push breaking news and the emergency messages to the users If there's a big earthquake, we can push the latest updates to the users If there's a security flaw in info, we can push the patch to decline Next foe can provide a more reliable service because sensors cannot block the foe server directly Finally foe's development and the maintenance costs are relatively low because it relies on open standards such as SMTP pop3 IMAP and XML Software libraries for these protocols are widely available for free Maintaining the foe server is also relatively Inexpensive as there are many email service providers out there who can host the foe server for very low cost So why do we choose to build foe on top of email protocols? There are millions of email servers on the internet the chances that user can find create a Usable email account a file greater than finding a good proxy server Also in practice Sensors cannot possibly block all the email servers in the world unless they want to isolate themselves from the rest of the world There is no need to update a proxy addresses Because foe doesn't rely on traditional proxies in order to function properly Users can enable SSL when using SMTP pop3 and IMAP Which is an added advantage because it helps to circumvent pocket filtering The foe architecture is more reliable than most other enter censorship technologies It is inexpensive to develop and to maintain Users can also use the foe service for free if they can find a free email service provider Such as Gmail foe is difficult to block Sensors cannot block the foe server directly The most that our sensor can do is to block certain email provider such as Gmail That will cause problems for users With Gmail accounts, but it will now affect other users who use other email providers In addition the foe architectures allows and Unlimited number of foes service points with each service point only provide services to a limited number of users This architecture also made the foe service as a whole More reliable Now let's take a look at what foe can be useful They are sample of users news feeds, RSS podcasting file download Distrib proxy IP Also get user feedback and push the important announcements The foe architecture is flexible and it can be modified to support any other functions but Let's talk about foes limitations just like most programs foe is not perfect and it has its limitations Let's find out what they are Can foe be blocked? The short answer is yes If the sensor blocks the email servers, then the foe client will stop working If the email account is closed Then the foe client will not work If the email provider turns evil and it starts blocking all foe messages The client will not be able to get updates However, it is very difficult for the sensor to completely block the foe network The sensors actions will likely only affect a subset of the user the foe users What foe is and isn't? Foe is a tool to allow users to receive new news feeds podcasts files programs and the proxy updates a Compliment to existing anti-sensorship solutions foe is not a universal proxy solution and it's not for real-time applications Also or for downloading large files The supported for supported platforms including currently supporting Microsoft Windows potentially on Linux Free BSD Mac Mac OS 10 Also can easily be ported to most mobile platforms how to improve foe It's ran on other protocols for example, Jabber instead of SMTP or Create a client-side plugin architecture or We can create an architecture to allow anyone to set up a foe server to provide different services Also, we can port foe to another operating systems Like Create foe clients for mobile devices Okay, it's show time Okay, let's take a look at the client's interface Right here It's pretty straightforward the news feeds are displayed on the main screen as you can see They are Chinese and English feeds It's updated on the August this August First you can You can choose either English or view a Chinese or view a English from this subscriptions right here Also, when you click the links as you can see they are It's a proxy links. I use the free another mouse org So when the proxies are got blocked it We can constantly update the proxy the new proxies to to the foe client So you don't need to wait like a few days to get a new proxy Here we I run this foe server on the same Laptop Environment here, but in in the production World we need to put this foe server somewhere I Just just show you Okay So how you can help? Foe is just one of the many tools that helps to fight internet censorship You can help to fight censorship by contributing to the foe project By writing codes Submitting new ideas writing papers talking about on your blogs or websites and in any ways that you can imagine We do not accept money contribution, but thank you for asking Creating your own anti censorship tools and make it freely available to the public Set up your proxy service or other Anti-censorship service to help people in censor countries How you may make a few bucks have a promising Product or great idea that can help us to fight censorship We are constantly looking for new anti censorship products and ideas So if you have a good product or idea, please let us know If we find your product or idea promising we may be able to find your Project of course, we are not the DOD so we don't have billions of dollars to spend But who cares about money, right? Again, if you have some ideas that you want to share with us, please contact me After this presentation, we will have QA section in room 104 Please stop by if you have any questions regarding foe our program or anything else Thank you again for coming here I would like also like to thank Defcon for giving me this wonderful opportunity. Thank you very much Okay, actually since we ended early in the Q&A room is actually still occupied. We'll do about 15 minutes of Q&A here So I think the best way to do that is if you have questions You can line up I guess down that aisle over there and we can take your questions there And if there are still questions after 15 minutes, we will move over to the Q&A room So if you have questions, why don't you line up right there behind this gentleman? Repeat the first part of your question Advertising? I guess Advertising is one way and or Just send Emails like newsletters because view a sense of Millions of emails out and we can announce that on the email this one way and Also, we can Go to those Blog in China or those sensor countries and let them know the probe the client software is available Yeah, that's pretty much I can think of right now Anybody else have any questions if you had a big voice yelling out I would be How much progress have you made on it so far is it finished and have you distributed it how many copies are out there? Um, I just started so It's still in the um It I'm still in the um I'm making of it. I mean so That's why I saying I um that's in the last That's part of speech as a you can help and help me to add your codes and New ideas to it. Yes, sir Yes, sir Yeah, what he's asking is how much history is preserved within the interface of Does it maintain everything you've downloaded or is it only keeping current information? No, it's Updated every like few minutes It just grabbed SSP from the website. I'm sorry. I misunderstood your question. I think So I think maybe how much history can and how configurable I mean because in some cases, maybe you don't want to save it, right? So so I think what he's asking is can is the tool configurable so that you can say As soon as I read it. I want to dump it. I want to get rid of it So that yeah, yeah, there's there's the option so you can you can click clear all the news on the on the client Then I'm the client software Okay, this gentleman right here. Yes a person Cuz in view a there's a 60 languages the main thing, you know, like Persian in Iran We were willing to do that as well So let me repeat the question The young lady in the front is asking whether there is potential in the future to have bi-directional Communication outbound as well as inbound and maybe potentially supporting peer-to-peer See I did a much better job summarizing that than yours if I can just fill in here. I'm just a assistant over here All right, I Guess what foe is actually a software that complement existing software like tour Freak a and a number of other software. So in your case you want to like submit video to YouTube or some other website you probably better off using something like a general-purpose Proxy proxy type of software Folk can help you to get those software if you want to say okay I want to download this tour, but I don't know where to get it But if if for some reason or somehow you can get Folk to your computer you can get all the software that you need to do other type of funny things Okay, yes, sir That's the setting on the full client you can clear all the news on the client Basically a race you can't erase its own tracks. Oh, we certainly add that function later Okay, anyone else yes This this is a subscription on the top of Yeah, I mean it's written in English, but you can choose the subscription on the on the client It can pick English or Chinese or Persian So you can read it from so the fees are chosen from the client side not at the server Oh, yeah, you certainly have a choice of that Now we only get the firm view a news website. So later. Maybe you can choose from different news like media like CNN or anything We have time for one more and then we're gonna actually move down into the Q&A room. Yes, sir Oh, I'm sorry. You know what you got to speak up or if you can come closer. Maybe we can get your mic Sorry about that So the question is can you switch back and forth to proxies if one proxy may disappear? Yeah, okay, actually So, let me repeat the other thing The gentleman asked whether there was any way to have knowledge of all of the proxies that are out there I think I think we are now currently we we can manually update it, but In the future we just list all the All the proxies and in the date in the database and the gravity automatically to the next available proxies Can I add something to it? I'm sorry to to Excuse me. Yeah, actually it's a separate program in BBG. There's we have managing a pool of Web-based proxy. So in that case, I'll say your that particular one is block We have a they have actually a mechanism to actually detect that kind of blocking and then say okay This proxy is down now. We whenever somebody a full client try to request a new fee We'll send a new proxy along with the fee What happened is well, but the default behavior is whenever there's a new Article news article that come out you will automatically send it to the full client as long as the full clients online so at that point that Proxy laying along attached to the fee will be updated at that point Okay, we're actually going to move everyone into the Q&A room because I got to get set up for the next speaker So thank you very much