This may be the first part of a series of three articles (if I manage to find the time…) aiming to prepare journalists and others to work on the internet in Sochi as safely as possible.
Here they are:
- Live from Sochi: For a sport journalist
- One’s head in the lion’s mouth: For a journalist covering political topics
It is not technical documentation (for that, speak with your nearby hackerspace, they will be happy to help). What I want to speak about now is what can and will happen if you go to Sochi unprepared.
In this piece, I will put myself in the role of a Russian official whose job is to surveil the journalists who may write negatively about the regime.
It is now early January, all the network infrastructure has been in place for months. It will be the same as what was in London, 4 years later. But with more computing power.
And Russia, a slightly less democratic country ☺
Everything has been tested and is working as expected. I know the infrastructure. I know what I can do, what I cannot do, and when. I have a captive audience: every single person who will be there will use the network at one point or another.
And I can decide what traffic will pass through.
In fact, I will tap and capture everything, but mostly for postmortem analysis, because it will be too much traffic to analyze in real time. And I have better ways to tell the difference between what is interesting or not: metadata.
Metadata are great: thanks to them, I will know who is speaking with you, how often, how many times, and when. In real time. Even if the content is encrypted.
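To make the point concrete for the reader rather than the official, here is an added example (not part of the original article) that shows what a passive observer on the network learns from flow metadata alone, with every byte of content encrypted. The flow records, IP addresses and server labels are constructed for the illustration; use it to audit your own traffic and see which endpoints and habits leak even over TLS.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow records (not a real capture): one laptop on the venue
# network, seen by an observer who never decrypts a single packet.
# Fields: timestamp, client IP, server IP, server port, bytes sent.
FLOWS = """
2014-01-10T08:02:11 10.20.5.17 203.0.113.10 443 18200
2014-01-10T08:02:40 10.20.5.17 198.51.100.7 443 2100
2014-01-10T12:15:03 10.20.5.17 203.0.113.10 443 540000
2014-01-10T12:40:19 10.20.5.17 198.51.100.7 443 1900
2014-01-10T18:01:55 10.20.5.17 203.0.113.10 443 610000
2014-01-10T23:30:02 10.20.5.17 198.51.100.7 443 2300
2014-01-11T08:03:41 10.20.5.17 203.0.113.10 443 17900
2014-01-11T08:04:02 10.20.5.17 198.51.100.7 443 2000
"""

# Hypothetical labels for the constructed server addresses, so the
# profile reads the way an observer with a reverse-DNS table would read it.
KNOWN_SERVERS = {
    "203.0.113.10": "newsroom CMS (hypothetical)",
    "198.51.100.7": "messaging service (hypothetical)",
}


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def metadata_profile(records, client):
    """What the network alone reveals about `client`: which servers it
    contacts, how often, at what hour it is busiest with each one, and how
    much it sends. The encrypted payload is never needed for any of this."""
    contacts = Counter()
    hours = defaultdict(Counter)
    volume = Counter()
    for r in records:
        if r["src"] != client:
            continue
        contacts[r["dst"]] += 1
        hours[r["dst"]][r["time"].hour] += 1
        volume[r["dst"]] += r["bytes"]
    return {
        dst: {
            "label": KNOWN_SERVERS.get(dst, "unknown"),
            "contacts": n,
            "busiest_hour": hours[dst].most_common(1)[0][0],
            "total_bytes": volume[dst],
        }
        for dst, n in contacts.items()
    }


if __name__ == "__main__":
    for dst, info in metadata_profile(parse_flows(FLOWS), "10.20.5.17").items():
        print(dst, info)
```

The large uploads to the first server at 12:15 and 18:01 stand out as "an article is being filed" without anyone reading the article; the small, regular contacts with the second server say "this person chats with someone at these times". A VPN or Tor collapses all of these destinations into one, which is exactly why the official in this piece wants you off your VPN.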
What I need now is a way to find out who is who on this network.
If I am lucky, I will manage to install malware on your computer at border control, or when you leave your computer unattended in your hotel room. That would be the easiest and most old-school way.
I could also give you any kind of USB device as a gift (USB key, USB mouse, USB power plug for phone), and take control of any devices that will be connected to it (phone or computer).
And again, thanks to the metadata, I can track all the devices: I know which device is connected to which access point at which time. As I also know where the journalists I am interested in are staying, I will have a closer look at the traffic of those MAC addresses (the unique identifier assigned to your network card). Taking note of your MAC address in the airport would also save me some time. Bonus: if you use the Ethernet plug in your room, I can associate it with you.
Just in case, I will also capture and index all the clear text communication, because it is an easy win.
At this point, I will have gathered information on you by looking at the network. I can get more intrusive.
But I cannot do anything I want, because my country has to look good and not get caught messing around too much with freedom of speech.
For example, I cannot shut down the Internet as a whole, or even block much Internet communication without a good reason. It is also not possible to track everyone, everywhere, in real time, and all the time. I have to choose my targets carefully.
I also cannot decrypt all the encrypted traffic in real time: it requires too much computing power for too few results.
That said, I can probably decrypt some devices, some of the time.
Let’s start with the network itself. What if I make sure that 20% of the packets sent to all the major VPN providers are dropped? You will blame your IT department, and switch back to unencrypted communication. I can also reset 10% of the VPN connections, shutting down your encrypted channel, and hope you will not notice.
Especially when you really need connectivity, such as when a final event is happening, or while you are trying to publish an article.
There are also a lot of interesting things to do with the domains, such as redirecting you to phishing websites by intercepting the DNS queries. Or having the network answer a request for a page by saying that a website does not exist. I obviously have to be very careful, but I can also make sure none of you sees the same phishing website twice…
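Both tricks above (a forged address and a forged "no such domain") are detectable from the client side by asking a second, trusted resolver and comparing the answers. The following is an added example, not code from the original article: a minimal parser for DNS response packets plus a comparison function, run here on two constructed responses (the domain, transaction id and addresses are made up). In practice the reference answer would come from a DoH/DoT resolver or from a list of expected addresses recorded before travelling; here both packets are built inline so the example runs offline.

```python
import struct

RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a domain name as DNS labels: 'a.b' -> b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, addresses):
    """Build a constructed A-record response (test data only, not a real server reply)."""
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Extract transaction id, RCODE, queried name and A-record addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = read_name(data, offset)
        offset += 4                            # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x0F, "qname": qname, "ips": ips}


def check_resolver(local_raw, reference_raw):
    """Compare the venue resolver's answer with a trusted one; return findings."""
    local, ref = parse_response(local_raw), parse_response(reference_raw)
    findings = []
    if local["rcode"] == RCODE_NXDOMAIN and ref["ips"]:
        findings.append("local resolver says %s does not exist, reference resolves it" % ref["qname"])
    elif local["ips"] and set(local["ips"]) != set(ref["ips"]):
        findings.append("local resolver answers %s, reference answers %s" % (local["ips"], ref["ips"]))
    return findings


# Constructed packets: a trusted answer, a redirected answer, and a forged NXDOMAIN.
REFERENCE = build_response(0x1234, "news.example.com", 0, ["192.0.2.10"])
REDIRECTED = build_response(0x1234, "news.example.com", 0, ["198.51.100.99"])
FORGED_NXDOMAIN = build_response(0x1234, "news.example.com", RCODE_NXDOMAIN, [])

if __name__ == "__main__":
    print(check_resolver(REDIRECTED, REFERENCE))
    print(check_resolver(FORGED_NXDOMAIN, REFERENCE))
```

A mismatch is a reason to look closer, not proof by itself: content delivery networks legitimately hand out different addresses by location. A forged NXDOMAIN for a name a trusted resolver answers, on the other hand, has no innocent explanation.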
But anyway, why would I even spend time on developing accurate-looking phishing websites if I can simply present a legitimate SSL certificate? Your browser has a few root certificates under the control of my government. If I use one of those, and your browser does not have the right plugin, it will probably not complain.
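The defence against a certificate that chains to a root your browser trusts but the site never used is public-key pinning: compare the server's SubjectPublicKeyInfo against a value recorded ahead of time, and refuse to proceed on a mismatch even though the chain validates. Below is an added example, not code from the original article, that extracts the SPKI from a DER certificate with a small hand-written DER reader, computes the SHA-256/base64 pin (the format used by HPKP and browser pin lists), and checks it against an expected set. The certificate bytes are constructed inline (a structurally valid but unsigned skeleton) so the check runs offline; `fetch_peer_cert` uses only the standard library to retrieve a real certificate when you have network access.

```python
import base64
import hashlib
import socket
import ssl


def der_tlv(tag, value):
    """Encode one DER tag-length-value (used only to build the constructed certificate)."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_read(data, offset):
    """Read the TLV at offset; return (tag, value_start, value_end)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, offset, offset + length


def der_children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in [start, end)."""
    offset = start
    while offset < end:
        tag, vstart, vend = der_read(data, offset)
        yield tag, offset, vstart, vend
        offset = vend


def extract_spki(cert_der):
    """Return the full subjectPublicKeyInfo TLV of an X.509 DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_vstart, _ = der_read(cert_der, 0)
    _, tbs_vstart, tbs_vend = der_read(cert_der, cert_vstart)
    fields = list(der_children(cert_der, tbs_vstart, tbs_vend))
    if fields and fields[0][0] == 0xA0:     # explicit [0] version present
        fields = fields[1:]
    tag, tlv_start, _, vend = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[tlv_start:vend]


def spki_pin(cert_der):
    """RFC 7469 style pin: base64(SHA-256(DER subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def verify_pin(cert_der, expected_pins):
    """True only if the presented key matches one recorded out of band."""
    return spki_pin(cert_der) in expected_pins


def fetch_peer_cert(host, port=443):
    """Retrieve the leaf certificate a server presents (needs network; not run in the test).
    Chain validation passes for any root in the OS store, including a government-controlled
    one, which is exactly why the pin check is needed on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"       # 1.2.840.113549.1.1.1
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def make_test_cert(key_material):
    """Constructed, unsigned certificate skeleton carrying `key_material` as its public key.
    Hypothetical test data only: no real CA, no real key."""
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + key_material))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))            # version v3
                  + der_tlv(0x02, b"\x01")                         # serialNumber
                  + der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA))   # signature algorithm
                  + der_tlv(0x30, b"")                             # issuer (empty)
                  + der_tlv(0x30, der_tlv(0x17, b"140101000000Z")
                            + der_tlv(0x17, b"150101000000Z"))     # validity
                  + der_tlv(0x30, b"")                             # subject (empty)
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA))
                   + der_tlv(0x03, b"\x00" + b"\x22" * 16))        # placeholder signature


GENUINE_CERT = make_test_cert(b"\x11" * 32)   # the key you recorded before travelling
ROGUE_CERT = make_test_cert(b"\x33" * 32)     # same name, different key, trusted root
EXPECTED_PINS = {spki_pin(GENUINE_CERT)}
```

The pin must be recorded while you are on a network you trust (before travel) and should include the site's announced backup key, otherwise a routine key rotation looks identical to an attack.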
Scary, isn't it?
And I did not even mention unknown vulnerabilities that could let me take over your devices. Mostly because they are expensive, and if I'm ready to use one on you and risk having it discovered, you probably aren't in Russia, or are using OPSEC that keeps me from locating you.
All those scary ideas considered, I have one last thing to tell you:
I am a lazy bastard.
I would love you to think that I will follow you everywhere, all the time, that there is nothing you can do against me and that you are doomed anyway.
Because then you will give up, and go back to the category of people I will spend most of my resources tracking: the ones with no OPSEC, the low-hanging fruit, the people as lazy as I am.
Because I want to have a life, and honestly, I don't really care about you. I just want to pay the bills. So you can beat me with some OPSEC, or at least make me concentrate on other journalists who are easier to control than you.
Update 2014-01-28 — Told You So
An article has been published and confirms the surveillance state in place in Sochi. You should read it.
On Wednesday, I spoke to Andrei Soldatov, a Russian investigative journalist who broke the biggest security story of the Sochi Olympics: SORM, the Russians’ virtual surveillance system. The Russian FSB (successor to the KGB) will monitor all communications between spectators, journalists, athletes and anyone else who visits (or lives in) Sochi. The U.S. State Department has warned business travelers to be careful with sensitive information, which “may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.” One security expert said SORM was like “PRISM on steroids.” — Henry Grabar