Posts tagged ‘Unifi’
Two days ago, the Democratic Action Party (DAP) lodged a report with the MCMC on an ‘internet blockade’ targeting DAP-related political websites that was allegedly being carried out by Telekom Malaysia (TM). As you may know, TM is the largest ISP in Malaysia, and if TM suddenly blocks a website–a large chunk of the Malaysian public are automatically denied access to it.
The DAP IT manager (didn’t know the DAP had an IT team now did ya?), in his press statement said that:
In investigating the DPI filtering equipment location, I have found 1032 suspicious network equipment using same IP address family as the Arbor Network Peakflow SP with TM branding. Since the login page of this network equipment bears TM logo, undoubtedly MCMC should haul up TM and conduct IT forensic investigation on all 1032 equipment without delay. I am fully prepared to assist MCMC in its investigations.
In light of this new evidence, MCMC must re-examine its 2nd May statement. MCMC should be politically impartial and hold the standard of government regulatory body that it should be. It must put the interest of all Malaysians first.
Now this isn’t really news, to be fair the Arbor Network Peakflow SP solution is meant primarily as a DDoS protection security suite with a slight tinge of DPI functionality added on the side. TM in their defence haven’t really denied they own the Arbor Network solution–there’s even a joint press release from 2004 to announce their purchase of it.
Unless TM operates like the government, in which they announce the purchase of something in 2004, but only start using it in 2013–I’m guessing they were using Arbor for other purposes before they decided to unleash its DPI functionality.
But there could be a twist. More…
I’m not a usual fearmonger, or a person who panics easily–yet your friendly local tech evangelist has a warning for Malaysian users out there. Unifi is censoring the internet in the run up to the hotly contested GE1–and that’s what the data suggest.
You heard that right folks, some of you suspected all along, and I apologize for not believing you earlier. I was initially skeptical that Unifi and Telekom Malaysia would go to such extents to censor our right to information, and I’m deeply upset that this is happening in my own country.
Usually most Internet Service Providers (ISP) don’t censor the internet, not because they don’t want to–it’s simply because censoring the vast amount of online traffic is a monumental technical challenge. In the past we’ve seen Malaysian ISPs do this, for instance when they blocked Malaysia-Today in the run-up to the 2008 General elections, but censoring one entire website is a fairly straightforward thing to do–and bypassing that censorship is equally straightforward.
However, what Telekom Malaysia have done in this case, is not just censor one website–but rather parts of a website. Telekom Malaysia has gone leaps and bounds ahead in terms of censoring capabilities–now they’re able to censor ‘parts’ of a website including specific videos on youtube, and pages on Facebook.
Any government that blocks Facebook completely, isn’t going to get re-elected in Malaysia, the enormous public backlash we can expect would be enough to unseat even the great Barisan Nasional. Can you imagine how upset my aunty would be when she can’t play Candy crush???
It was this premise that caused me to be skeptical that a government would be able to censor the internet: blocking only certain pages of Facebook (like the DAP Malaysia Facebook page) is far more technically challenging than blocking an entire website like Malaysia Today.
Unfortunately, I can almost 100% confirm at this point that Telekom Malaysia now have this capability. A capability once only used by countries like China and Iran has now reached our borders–and it is being used.
What is Deep Packet Inspection?
Just to briefly explain what’s happening here.
1. The internet is this vast network running on something called the Internet Protocol or IP. This is what we mean by IP Address, it is literally your address on the internet.
2. The way the protocol works is routing data in packets. Essentially a packet is a small amount of data.
3. An analogy would be that if you used IP to send a long letter to your mother, instead of writing a 100 word letter, sealing it in one envelope and sending it to your mother, your computer breaks that 100 word letter into 10 packets of 10 words each (for example) and sends those along in 10 different envelopes. So your mother would receive your message in increments.
4. This is why webpages don’t load instantly. Instead they take time, because your browser just displays your web page for packets you’ve already received and what you get is an incremental load.
5. It’s also why on slower internet connections you’d see an image load in stages, rather than instantly see the entire image.
6. Just like envelopes sent via mail, packets also contain addressing information, so that the Postman knows where your letter needs to go to.
7. In all cases, the postman looks at the OUTSIDE of the envelope and sends your letter to the address you’ve written on it–without OPENING the letter.
8. So if the postman wants to block you from sending letters to your mother, he’d just discard all the envelopes going from your home to your mother’s home. He can do this easily without opening your letter.
9. That’s how TM can easily block MalaysiaToday. They can just cut-off all traffic to the MalaysiaToday IP address (although this is a bad analogy).
10. However, if the postman wanted to block only certain letters to your mother–let’s say all letters you sent asking your mother to vote Pakatan Rakyat, but allow letters that had nothing to do with the election–he’d have to OPEN the letter and find out what information you’re sending.
11. Similarly if Telekom wanted to block only certain parts of Facebook from you, they’d have to OPEN your data packets, to see which Facebook pages you were visiting.
12. This is the technically challenging part. Opening up the Data Packets routed through Telekom is an enormous amount of work, and obviously slows down the entire process. The internet was built on speed and trust, and not for censorship at the packet level. How many postmen would you need if you wanted them to open each and every envelope sent??!
13. This process is called Deep Packet Inspection (DPI) and it is such an engineering challenge that very few countries even bother trying. The only country with the true audacity to do this is China (and possibly Iran).
14. Yet, from my analysis and my data–I can conclude that Telekom Malaysia at least have this capability. I could be wrong–but it’s unlikely.
What data do I have?
I made fun of Malaysiakini previously, when they claimed they were being blocked by Malaysian ISPs. The reason was that Malaysiakini had no data–but they did do something strange. They claimed that the encrypted website httpS://www.malaysiakini.com was fine, while the normal website http://www.malaysiakini.com was being blocked. (the S at the end of http means the website is encrypted)
You see, if all you’re doing is blocking all traffic to the portal (for instance blocking all traffic to MalaysiaToday), it would make no difference if the data was encrypted.
If you’re doing deep packet inspection–then encryption would basically bypass that censorship. The analogy here is that if you write to your mother in Cyrillic Russian and the postman can’t read it, he can’t determine if this indeed was a letter asking your mother to vote Pakatan or whether it’s just you asking for some money from mummy dearest. So in the end the postman has to make a decision to either throw the letter away or forward it onto your mother–but he doesn’t know.
In the same way, encrypting the line means Telekom Malaysia doesn’t know which video on YouTube you’re watching or which page on Facebook you want to see. They still know you’re connected to Facebook or YouTube, but they don’t know if you’re watching a Pakatan ceramah or Psy-Gentlemen–it’s all encrypted to them.
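The difference described above, as an added example that is not part of the original post: a small Python sketch of what an on-path device can read from the first bytes a client sends, over plain HTTP versus TLS. The host name, the path and the ClientHello are constructed sample inputs, and the function names are hypothetical.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello with an SNI extension (sample input only)."""
    name = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(record: bytes):
    """Return the server name carried in a ClientHello, or None if there is none."""
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # skip session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")  # skip cipher suites
    p += 1 + record[p]                               # skip compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        if ext_type == 0:                            # server_name extension
            name_len = int.from_bytes(record[p + 7:p + 9], "big")
            return record[p + 9:p + 9 + name_len].decode()
        p += 4 + ext_len
    return None

def observer_view(first_bytes: bytes) -> dict:
    """What can be read, without any keys, from the first client bytes of a connection."""
    if first_bytes[:2] == b"\x16\x03":               # TLS handshake record
        return {"proto": "tls", "host": parse_sni(first_bytes), "path": None}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in head[1:])
    return {"proto": "http", "host": headers.get("Host"), "path": path}

def page_filter_matches(view: dict, host: str, path_prefix: str) -> bool:
    """A per-page rule needs the path; over TLS the path is simply not visible."""
    return view["host"] == host and bool(view["path"]) and view["path"].startswith(path_prefix)

# Constructed samples: the same page requested over HTTP and over HTTPS.
HTTP_SAMPLE = b"GET /party-page HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: sample\r\n\r\n"
TLS_SAMPLE = build_client_hello("www.example.com")

if __name__ == "__main__":
    print(observer_view(HTTP_SAMPLE))
    print(observer_view(TLS_SAMPLE))
```

Over TLS the host name is still readable from the SNI field, so a whole-site block remains possible; only the page-level rule loses the data it needs.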
And I proved this by trying to visit the DAP Facebook page on my Unifi connection, first without encryption–and it failed. And then with encryption–and it worked. (check out the video above–the DAP Facebook page on https loads instantly, but the DAP Facebook page without encryption is blocked!!)
This is no accident, I tried it plenty of times–and it gave me the same result.
Is this accidental? Could be, but highly unlikely. Deep Packet Inspection is a technically sophisticated process, and a sophisticated process is usually purposeful and intentional. It’s VERY unlikely to be some sort of accident, and there is no other way for me to explain why an encrypted version of the Facebook page worked, but not the unencrypted version, although networking isn’t my strong suit and I’m open to opinions.
Beware ladies and gentlemen, I’m convinced that Telekom Malaysia at least are beginning to censor the internet, Malaysiakini seems convinced as well. I can’t be 100% sure from my data (since it’s just from my connection), but I’d be looking forward to an explanation from Telekom.
Till then–happy voting from your local neighbourhood Tech Evangelist.
A couple of days ago, a reader of the blog wrote a rather long comment on a post I wrote about writing to TM’s CEO to restore my Unifi service. The comment detailed a long horrific story of a foreigner in Malaysia trying to get decent broadband. I felt the story was too compelling to leave in the comments section and requested permission from the author to post it formally on the blog un-edited and in its original form. She consented, and so here’s a little bed-time reading from a rather unhappy customer of both Maxis and Unifi. More…
Many folks seem to be stuck with their Unifi Passwords. It’s actually quite simple.
For the most part, most shops and restaurants that provide free Wi-Fi via Unifi don’t change their router password, allowing easy access for a nefarious intruder to log on and gain access to the router. Once inside, they’ll be able to do lots and lots of damage, including opening up a permanent backdoor to the router for continuous malicious fun!
Don’t be afraid though, for the most part iPhones are pretty invulnerable to network attacks, ‘most’ Androids as well. However, a small select few who choose to root their phones and install non-standard pieces of software may be susceptible.
If you’re on Unifi and find yourself ‘locked’ out of your own router, try these password combinations:
Username : admin
Password : <blank>
*<blank> means don’t enter anything and leave the field blank
Username : admin
Password : telekom
Either of these should get you into your router. If you’re still unable to log onto your router, don’t despair. This is actually a good opportunity for you to practice your newly found skills. The guys over at Unifi Athena have actually come up with a way to find your router password through some very simple and easy steps, check out their tutorial here. More…
If you’re on Unifi you might have noticed that some sites are blocked and it’s due to government directives to block these sites. Now that goes against what the Government of Malaysia promised its stakeholders during the advent of the MSC, in which it promised to not censor the internet. If you remember, somewhere in August 2008, the government issued a similar directive to censor Malaysia Today.
So what’s an average user to do to bypass these internet blocks? The blocks themselves are issued by the government and issued to all ISPs, fortunately there are a couple of ways to bypass these internet blocks which amount to censorship, and it depends on what kind of mechanism your ISP uses to block it. I’m all for a free internet and here are some ways you can bypass those blocks. More…