BolehVPN: Freedom Through Security

Archive for the ‘Announcements’ Category

Wednesday, May 8th, 2013

Sharing our Customer Support Statistics

As you probably are aware, over the past few months our focus has been to improve the customer support experience.

We’ve started using Zendesk, a fully fledged ticketing system that replaces our previous Portal system, and we now have some statistics to share with you.

In the month of April, we received 615 unique tickets, meaning we had 615 separate incident requests.

Our Average First Response Time Statistics:

  • 67%: 0 – 1 hr
  • 29%: 1 – 8 hr
  • 3%: 8 – 24 hr
  • 1%: 24+ hrs

This shows we still have some work to do to reduce response times in the 8-hours-and-above bands, but we have beaten by a huge margin the IT Services and Consultancy benchmark average first response time of 25 hours (a figure that would prompt a reprimand in our support team).


We have now enabled Customer Satisfaction reviews of ticket resolution. This directly affects our Support Staff appraisal so we ask you to be fair when rating tickets handled by them. We hope to share these results later on!

Thursday, May 2nd, 2013

Streamyx employs Deep Packet Inspection to censor political videos?

Before I begin this post: we at BolehVPN hold diverse political views and have supporters of both sides. However, when it comes to dealing with internet censorship, we’re all in agreement that it’s bad.

There is strong evidence that Streamyx is employing Deep Packet Inspection (DPI) to censor certain political YouTube videos as discovered by Lowyat forumer rizvanrp.

This means Streamyx has deployed hardware that identifies certain sites as blacklisted and denies access to them. These include YouTube videos about Bala’s wife, and possibly MalaysiaKini and DAP’s Facebook page. Using encrypted HTTPS seems to bypass this. Another way is to use a VPN, which is a more secure solution for protecting yourself against DPI.

This is an excerpt from rizvanrp’s post:

All plaintext HTTP connections on Unifi (and maybe Celcom + Maxis) are being man-in-the-middle’d and dropped if they contain blacklisted data.

What we know:

i. The DPI isn’t only being used to selectively block YouTube videos; unencrypted Facebook pages belonging to certain parties are also being blocked. You can get around this by appending ‘https://’ to the Facebook URLs rather than trying to use ‘http://’.

ii. The DPI is based on TCP segment analysis. Basically, every single TCP packet has its payload analyzed for certain request URI strings that have been blacklisted. Obfuscation attacks such as packet fragmentation (splitting a large TCP payload containing a single HTTP request into smaller TCP segments) as well as packet padding (appending a large amount of junk data to the HTTP request URI in order to force the ‘HTTP/1.1\r\n’ trailer into a separate TCP segment) will also work; however, you need specialized HTTP proxy software or iptables rules (on Linux) to do this.

iii. Once a blacklisted payload is detected within a packet, the header information for the TCP stream (SRC/DST port + SRC/DST IP address) is added to some kind of blacklist for 90 seconds. This causes all traffic for that particular TCP stream to be dropped for 90 seconds (hence the 90 second gaps in my packet capture samples above). This is also why some of you have noticed that if you wait long enough (well, 90 seconds in my tests), the videos/sites that are blocked will eventually continue to load. Due to the persistent nature of TCP, once the 90 second blacklist window passes, your TCP stream will continue and the payload data for whatever you’re requesting will reach your computer.

Mitigation techniques:

i. Use ‘https://’ wherever possible (especially on Facebook). Users in the thread have recommended HTTPS Everywhere which is a Firefox/Chrome addon to do this automatically for most major websites.

* While YouTube supports HTTPS for their main website, their player does not support it, so even if you were to use HTTPS on YT, the videos won’t load.

ii. For accessing blocked YouTube videos, you can use some of the various YouTube proxy sites such as ProxFree.

iii. Get a VPN/SSH tunnel service if you’re worried about having your HTTP requests intercepted.
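The two mechanisms rizvanrp describes above (matching request URIs segment by segment, and dropping the matched TCP flow for 90 seconds) can be modelled in a few lines. The Python below is an added example and is not BolehVPN’s or rizvanrp’s code; the blocked URI, the addresses and the timestamps are constructed placeholders. It also adds a second matcher that reassembles a flow’s bytes before matching, which is the standard fix for the split-request blind spot that any per-segment inspector, whether a censor’s box or your own IDS, shares.

```python
from dataclasses import dataclass

# From the excerpt: a matched flow is dropped for 90 seconds.
BLACKLIST_WINDOW = 90.0
# Constructed placeholder request URI; not a real video ID.
BLOCKED_URIS = (b"/watch?v=EXAMPLE_BLOCKED",)


@dataclass(frozen=True)
class Segment:
    """One client-to-server TCP segment as the inspector sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    ts: float        # seconds since capture start
    payload: bytes


def flow_key(seg: Segment):
    """SRC/DST IP + SRC/DST port: the tuple the post says gets blacklisted."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


class PerSegmentDPI:
    """Model of points ii and iii: match each segment's payload on its own."""

    def __init__(self):
        self.blocked_until = {}   # flow_key -> time the 90 s block expires

    def _flow_blocked(self, key, ts):
        return key in self.blocked_until and ts < self.blocked_until[key]

    @staticmethod
    def _match(data: bytes) -> bool:
        return any(uri in data for uri in BLOCKED_URIS)

    def inspect(self, seg: Segment) -> str:
        key = flow_key(seg)
        if self._flow_blocked(key, seg.ts):
            return "drop"
        if self._match(seg.payload):
            self.blocked_until[key] = seg.ts + BLACKLIST_WINDOW
            return "drop"
        return "pass"


class ReassemblingDPI(PerSegmentDPI):
    """Same policy, but buffers each flow's bytes so a request split across
    segments is matched once the pieces are back together."""

    MAX_BUFFER = 4096  # bound per-flow memory; plenty for a request line

    def __init__(self):
        super().__init__()
        self.buffers = {}   # flow_key -> recent bytes seen on that flow

    def inspect(self, seg: Segment) -> str:
        key = flow_key(seg)
        if self._flow_blocked(key, seg.ts):
            return "drop"
        data = self.buffers.get(key, b"") + seg.payload
        if self._match(data):
            self.blocked_until[key] = seg.ts + BLACKLIST_WINDOW
            self.buffers.pop(key, None)
            return "drop"
        self.buffers[key] = data[-self.MAX_BUFFER:]
        return "pass"


def run(dpi, segments):
    """Feed segments in order and return the verdict for each."""
    return [dpi.inspect(s) for s in segments]


def _seg(ts, payload, sport=40000, dport=80):
    # Constructed addresses from the RFC 5737 documentation ranges.
    return Segment("192.0.2.10", sport, "198.51.100.20", dport, ts, payload)


REQUEST = b"GET /watch?v=EXAMPLE_BLOCKED HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"

# Whole request in one segment, then two more segments on the same flow:
# one inside the 90 s window and one after it has expired.
FLOW_ONE_SEGMENT = [_seg(0.0, REQUEST), _seg(5.0, b""), _seg(95.0, b"")]
# The same request split so the URI straddles two segments.
FLOW_SPLIT = [_seg(0.0, REQUEST[:24]), _seg(0.1, REQUEST[24:])]
# Constructed TLS ClientHello prefix: no plaintext URI for the matcher to see.
FLOW_TLS = [_seg(0.0, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32,
                 sport=40001, dport=443)]

if __name__ == "__main__":
    print("one segment, per-segment DPI:   ", run(PerSegmentDPI(), FLOW_ONE_SEGMENT))
    print("split request, per-segment DPI: ", run(PerSegmentDPI(), FLOW_SPLIT))
    print("split request, reassembling DPI:", run(ReassemblingDPI(), FLOW_SPLIT))
    print("TLS, per-segment DPI:           ", run(PerSegmentDPI(), FLOW_TLS))
```

The third segment of `FLOW_ONE_SEGMENT` passing at 95 s reproduces the “wait 90 seconds and it loads” observation, and the TLS flow passing is the whole reason HTTPS works as a mitigation here: the matcher only ever sees plaintext. The reassembling variant is included because the per-segment weakness is not specific to censorship hardware; an IDS that matches signatures segment by segment has exactly the same gap, and stream reassembly before matching is how it is closed.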

Sinar Project’s Google+ update also confirms this:

TMNet’s filtering of +Malaysiakini video interviews of Bala’s widow

We strongly suspect some sort of basic content filtering to censor online media in Malaysia is happening. Investigation was done on multiple networks based on the id/url of these videos served from Google’s +YouTube cached servers located in TMNet’s network.

We are not aware of all the details of Google’s infrastructure, but testing so far has revealed that when the request is served from servers not in TMNet’s network, the video can be viewed immediately. The content filtering is not effective all the time, and it can sometimes pass after a period of time if the request is fragmented into multiple packets.

Many people have reported difficulties with viewing the following video interviews linked from MalaysiaKini’s interview article here: http://www.malaysiakini.com/news/228492. It is an interview with a private investigator’s widow, who implies that the caretaker Prime Minister Najib Razak was indirectly involved in their plight to cover up possible interference in the murder case of Mongolian citizen Altantuya.

Isteri PI Bala: Kami betul-betul macam pelarian (PI Bala’s wife: We are really like refugees)
Isteri PI Bala: Apakah salah berkata benar? (PI Bala’s wife: Is it wrong to tell the truth?)

This is similar to the recent attempts at censoring MalaysiaKini (http://www.malaysiakini.com/news/228203), where normal users think that there is something wrong with their Internet connection rather than suspecting a more sophisticated form of censorship.

We strongly condemn the actions of TMNet and the parties involved in censoring access to free media in Malaysia, and hope that +Google‘s +YouTube team can help shed more light on this with their own internal investigations.

Friday, April 19th, 2013

Hack Attempts on BolehVPN Forum

Someone has been attempting to brute-force our Support forum accounts. This means they’ve been trying all types of password combinations in an attempt to “guess” the password. This is NOT a security vulnerability. However, for safety, we have disabled our forum temporarily.

For your information, every single day our Customer Portal system is subject to brute-force attacks, but with our security systems these attacks are mitigated. This is the first time our support forums have been targeted at this scale.

Some important tidbits:

  1. Our Support Forums exist independently from our Portal. However, your forum account may have been compromised if your password was weak.
  2. Your BolehVPN account is only potentially vulnerable if your forum account shares the same username and password. We nevertheless recommend that you change your password to something suitably complex/long.
  3. When our Support Forums come back online, please also change your forum password.

We will install additional login security to prevent this.
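The brute-force attempts described above are a password-guessing problem, and the usual “additional login security” against them is throttling: count failures per account and per source address, and refuse further attempts from a key that trips the limit before the password is even checked. The Python below is an added example and not BolehVPN’s forum or portal code; the thresholds and the auth-log lines it replays are constructed.

```python
import re
from collections import defaultdict, deque

# Policy knobs (assumed values, not BolehVPN's): failures within WINDOW
# seconds that trip a lockout, and how long the lockout lasts.
MAX_FAILURES = 5
WINDOW = 300.0
LOCKOUT = 900.0


class LoginThrottle:
    """Counts recent failures per account and per source address and refuses
    attempts from any key that has tripped the limit."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout expires

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username), ("ip", source_ip))

    def _prune(self, key, now):
        # Drop failures older than the look-back window.
        q = self.failures[key]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0.0) > now

    def allow(self, username, source_ip, now):
        """True if the attempt may proceed to password verification at all."""
        return not any(self.is_locked(k, now) for k in self._keys(username, source_ip))

    def record(self, username, source_ip, success, now):
        """Update counters after the password check has run."""
        user_key, ip_key = self._keys(username, source_ip)
        if success:
            # A correct login clears the account's counter only; the source's
            # counter is kept so one valid account behind a shared IP cannot
            # reset the guessing budget for everyone else behind it.
            self.failures.pop(user_key, None)
            return
        for key in (user_key, ip_key):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT
                self.failures[key].clear()


LINE = re.compile(r"ts=(\S+) user=(\S+) ip=(\S+) result=(ok|fail)")


def replay(lines):
    """Run constructed auth-log lines through the throttle and return one
    decision per line: 'allowed' (the attempt reached the password check)
    or 'locked' (refused before it)."""
    throttle = LoginThrottle()
    decisions = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, user, ip, result = m.groups()
        now = float(ts)
        if not throttle.allow(user, ip, now):
            decisions.append("locked")
            continue
        throttle.record(user, ip, result == "ok", now)
        decisions.append("allowed")
    return decisions


# Constructed sample: one source guesses at 'alice' five times, keeps going,
# then tries another account; alice herself logs in from her usual address.
SAMPLE_LOG = [
    "ts=0 user=alice ip=198.51.100.7 result=fail",
    "ts=1 user=alice ip=198.51.100.7 result=fail",
    "ts=2 user=alice ip=198.51.100.7 result=fail",
    "ts=3 user=alice ip=198.51.100.7 result=fail",
    "ts=4 user=alice ip=198.51.100.7 result=fail",
    "ts=5 user=alice ip=198.51.100.7 result=fail",
    "ts=6 user=bob ip=198.51.100.7 result=fail",
    "ts=7 user=alice ip=203.0.113.5 result=ok",
    "ts=1000 user=alice ip=203.0.113.5 result=ok",
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

The fifth guess is still “allowed” because the limit only trips after the failure is recorded; everything after it from that source is refused, including the attempt on a different account. The refusal of alice’s own correct login at ts=7 is the trade-off to notice: a hard per-account lockout lets an attacker lock a user out on purpose by guessing badly, so in practice the per-account key should escalate to delays or a CAPTCHA while the per-source key can stay a hard refusal.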

Tuesday, March 5th, 2013

New BolehVPN GUI Clients Released

We have released our new BolehVPN-GUI Clients!

ChangeLog:

  • Added Server Status ping test function
  • Changed Cloak method and removed Cloaked configurations from regular client
  • New independent Cloak Client 2.1.4b which has modifications.
  • Fixed TAP Adapter installation issues
  • Updated non-cloak OpenVPN version to 2.3.0

Remember to uninstall your previous version first!

Download links

Windows V2.1.4

Windows Cloak V2.1.4b (for China/Iran etc)

Mac 1.0.8

Tuesday, March 5th, 2013

BolehVPN answers Privacy Questions

A lot of people have been asking us for our response to these questions, so I thought I’d set them out here.

1. Do you keep ANY logs which would allow you or a 3rd party to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold?

No, we do not keep logs. However, as per our policy, if we notice any unusual activity on our servers (high bandwidth load, a high number of connections or high CPU usage) we may turn on logs temporarily to identify abuse of our services (such as DoS or spamming through our servers).

Once the user is identified, we terminate the offending user, send them an e-mail stating the reason for termination and wipe the logs from our system.

Turning on logs for troubleshooting is a very last resort and is necessary to ensure the integrity of our services. It has happened very rarely (only a handful of times in our 6 years of operation), and such information was not disclosed to third parties but merely used to terminate the offending user. In any case, logs were usually enabled for no more than a few hours and only on the particular server that was experiencing abuse.

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

We’re a Malaysian incorporated company which is not subject to any mandatory data retention laws. As we don’t keep logs, there is not much information to share even when requested.

3. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

Servers hosted in the US or categorized as “surfing/streaming” have P2P disabled on them. Our other servers are not subject to the DMCA, and we have a good working relationship with our server providers.

In the event that DMCA notices or similar are given to us, we normally respond that we don’t have such content hosted on our networks; if the provider is adamant, we terminate our relationship with that server provider and find a new one. We will not reveal the user that generated the DMCA notice (nor can we, with no logs taken). Over the years, we have identified server providers that we can work with and that understand the nature of our business.

4. Which payment systems do you operate and how are these linked to individual user accounts?

We accept Bitcoin, Liberty Reserve, PayPal and MolPay (Malaysian online bank-ins), and also direct bank-ins for Malaysian users.

For each order, there is an Order ID that is tied to a user name, marked as paid or not, together with the method of payment. Bitcoin is the most anonymous form of payment, since all the other payment processors require some identifying information. However, to sign up for our service all that is needed is a working e-mail address, and you are free to use placeholder names etc. Only in the event of a dispute or chargeback (especially with credit cards) is additional information requested, which is to be expected when using a credit card (unless a prepaid Visa is used).

Our order/portal system is not linked to your authentication to our VPN servers and exists completely independently of it, since we use a certificate-based authentication system.
