ANONYMOUS BLOGGING GUIDE - MALAYSIA

 

Download Word version of Malaysia Anonymous Blogging Guide here.

 

INTRODUCTION

 

Over the past several years, as blogging has gained in popularity, certain countries have developed as strong blogging communities. It is uncertain what makes one country embrace blogging so enthusiastically. Academics will need to pursue this question. What is certain, however, is that Malaysia is one such country in which bloggers have thriven, one source counting 20,000 Malaysian blogs. Part of blogging’s popularity may be the advanced technical state of the country. Part of it may be the synergy between Malaysia, Singapore and Indonesia, all countries with relatively thriving blogging scenes. Finally, Malaysia’s harsh climate for the press may have driven people to find ways to express themselves in areas where the government finds it more difficult to pursue.

 

Malaysia, unlike other countries with an interest in controlling the press, has yet to institute full-fledged Internet filtering. But that seems to be looming on the horizon. Malaysia has approved recommendations to restrict access to pornography. In addition, schools and libraries are now required to install filtering software. Other measures to be introduced include optional filtering services on ISPs, a complaint center where Internet users can report obscene content and awareness campaigns against pornography. But some are questioning these moves, suggesting that the implementation of a filtering infrastructure for pornography can easily be configured to block political content. In addition to the overblocking associated with filtering software (blocking sites that share words with blocked sites even if the sites in question are not offensive), Malaysia could easily add additional sites to the block lists for political reasons once the filtering infrastructure is in place. Malaysia has a record of harassing online publications for political reasons.

 

As one Malaysian journalist wrote, “Legitimate Internet censorship provides a backdoor entry to ban dissent or alternative viewpoints.”

 

Among the direct threats to bloggers (and other online sites) in the last year are the interrogation of three prominent bloggers by the nation’s security service and the interrogation of the editors of several online news sites. This being the case, it makes sense for Malaysian bloggers to seriously consider their safety. Because blogging can be as useful in the dissemination of information, both within a country and internationally, as standard journalism, sometimes more so, the scrutiny is likely to increase. Because Malaysia is a country whose leaders are nervous about instability based on offense, and because Internet filtering, both technically and culturally, tends toward over-kill, you may want to take the measures necessary to blog safely.

 

TO BLOG SAFELY IS TO BLOG ANONYMOUSLY

What does it mean to blog safely? To a great degree, it means to blog anonymously. Most bloggers and other online users arrested around the world for critical speech were discovered because they took no pains at all to disguise who they were. Since all but the most innocuous blogs may be suspected of being rebellious in some way, we cannot in good conscience encourage anyone to blog using their real name. The decision to do so, of course, is up to you. But please bear in mind that many of those who have seen the inside of a jail cell never thought for a moment that they were in danger.

 

We’re not trying to be alarmist, just safe. It has been said that anyone or any state with enough resources and time will be able to find out the identity of anyone on the Internet. The key is to put more effort and time into staying anonymous than anyone in the government will put into discovering it. Some people in some places may need to devote relatively little work in order to say safe. Others may need to do quite a bit of work.

 

This document will outline the primary methods and tools for anonymous blogging, as well as some ways to navigate the Internet when it is filtered. Although this document is focusing on the situation of bloggers in Malaysia, it may also be applicable to the situation of bloggers in Singapore and Indonesia.

 

There are two major ways your identity can be discovered while blogging. One is by revealing your identity through the content you post. For instance, if you write, "I'm a third-year education student at the University Putri Malaysia and I come from Georgetown," there's a good chance that someone reading your blog will be able to figure out who you are.

The other way to get discovered is if someone identifies you from information your web browser or email program provides. Every computer attached to the Internet has, or shares, an address called an IP address. That is a series of four numbers from 0-255, separated by dots, for instance: 213.24.124.38.

With a little work, the authorities may be able to trace any posting you make back to your computer. If you use a home computer and dial into an Internet service provider (ISP), this ISP will have a record of which computer dials in at what time and accesses which information.

There are a number of ways you can hide your identity when using the Internet. As a general rule, the more secure you want to be, the more work you will need to do to hide your identity. Some of the strategies for protecting identity online require a great deal of technical knowledge and work. But they all start with basic, common sense measures.

 

BASIC ANONYMIZATION MEASURES

Never use your real name. We don’t mean just on your blog. We mean when signing up for your blog you must use a pseudonym. And when you are signing up for your web-based email, also use a fake name. It is very easy to trace traffic from your home or work email unless you use a remailer, which we will talk about later; so we advise you use a web-based email, which we will also talk about in greater depth later.

A good general rule for anonymous blogging: Never use any service that you must pay for or that you sign up for via the government or that uses a service that must report to the government. And do not register with the authorities, of course. Please note that some of these services may require you to use the Latin alphabet.

 

Free web-based email providers:

Hushmail: http://www.hushmail.com/

Lycos Email: http://mail.lycos.com/

Opera Mail: http://www.operamail.com/scripts/common/index.main?signin=1&lang=us

 

Free weblog hosting:

Blogger: http://www.blogger.com/start

Blogsome: http://www.blogsome.com/

Livejournal: http://www.livejournal.com/

Seoblog: http://www.seo-blog.org/

Weblog.us: http://weblogs.us/

 

The trend toward blocking and filtering individual blogs; blog hosts, such as Blogger http://www.blogger.com; and photo sharing sites such as Flicker http://www.flickr.com/, is intermittent. The uncertainty of the blocking is part of a tried-and-true method of intimidation: creating systemic uncertainty. Also, again due to the extreme centralization, should the government or the ISU decide to block a hosting service, it can be done almost immediately. The ISU is transparent in its filtering. If something is blocked, you are given as a reader, the option of requesting that it be unblocked. The risk you run in making such a request is that you announce who you are and what kind of things you wish to read.

 

Do not use any identifying information on your blog. For the reasons discussed above, do not use a nickname, for instance, that people know is yours. Do not use one that identifies you somehow. Do not talk about your street or neighborhood, what you do for a living or where you work, or specifics about who you know, where you have traveled and so forth. Otherwise, you will be providing investigators with leads to your identity.

 

Here's the problem with this strategy. When you sign up for an email service or a weblog, the web server you are accessing logs your IP address. If that IP address can be traced to you, for instance if you are using your computer at home or at work, you could be found.

 

One additional step you could take to hide your identity is to do your work on heavily-used computers. Rather than setting up your webmail and blogging accounts from your home or work computer, you could set them up from a computer in a cybercafe, a library, or a university computer lab. Should anyone trace the IP used to post a comment or a post they will discover that the post was made from a cybercafe, where any number of people might have been using the computers.

 

There are flaws in this strategy as well. If the Internet café or computer lab keeps track of who is using what computer at what time, your identity could be compromised. Do not use computers at places like these in the middle of the night or other times when you are likely to be the only person there. If you use Internet cafés, change which ones you use often. If the authorities decide to look into a blog and discover that all the posts are coming from a specific café, it would not be hard to send police to watch who visits.

 

ANONYMOUS PROXIES

If you choose to, you can take the trouble to use what is called a “proxy.” If you access the Internet through a proxy, you will leave behind the IP address of the proxy server, instead of the address of the computer you are using.

 

The difficulty in using proxies and anonymizers (we will cover these later) is that they are frequently among the first sites to be blocked by a government seeking control of its people. That is currently not the case in Malaysia, but it is something to watch out for. Should Malaysia begin to block proxies, you may have to search for new proxies as old ones are blocked. Another option (also covered below) is to use Peacefire’s Circumventor program, or another “social” option.

 

To use a proxy, first choose a proxy server from one of these lists, or find one yourself on a search engine like Google http://www.google.com.

Public Proxy Servers: http://www.publicproxyservers.com/index.html

Rosinstrument: http://tools.rosinstrument.com/proxy/

Samair: http://www.samair.ru/proxy/

 

Now, open the “preferences” or “options” section of your web browser. Under the “general”, “network” or “security” tab (usually), find an option to set up a proxy to access the Internet. Here is a set of instructions http://www.freeproxy.ru/en/free_proxy/howuse.htm for various browsers.

Turn on “manual proxy configuration”, enter the IP address of the proxy server and port into the fields for HTTP proxy and SSL proxy and save your settings. Restart your browser.

 

Your connection to the web will seem a bit slower because every page you request from a web server takes a detour. Instead of connecting directly to Hushmail, for instance, you connect to the proxy, which then connects to Hushmail. When Hushmail sends a page to you, it goes to the proxy first, then to you. You may also notices some trouble accessing websites, especially those that want you to log in.

 

A final problem is that if authorities discover you have been using a proxy, that in itself may constitute “proof” of wrongdoing.

 

“SOCIAL” OPTIONS

One way around the excessive blocking of proxies is to use Peacefire’s Circumventor.

 

To do this, you will need a friend outside of Malaysia whom you trust. They will need to set up Circumventor on their computer. Your friend downloads Circumventor http://www.peacefire.org/circumventor/simple-circumventor-instructions.html from the Peacefire site and installs it on his Windows system. It is not easy to do. First, he needs to install Perl on his system, then OpenSA, then Circumventor.

 

After these installations, he will needs to keep his computer connected to the Internet constantly, so you can use it as a proxy without asking each time. But you will, once it is set up, be able to surf the web, post to your blog, and use your email, all through the proxy your friend has created on his machine by using Circumventor. You can even use it at an Internet café, because the proxy is not listed as such in the state’s filtering technology, so it is not very suspicious.

 

Nothing is perfect. (Are you surprised?) Here’s the problem with this system: your friend’s computer, running Windows, often reboots. Each time it does, it is assigned a new IP address. And every time this happens, your friend will need to contact you with the address. (Probably cellular phone calls are best for this.) There is always the chance that this proxy will be recognized in time as such by the government.

 

Another social option is to use Adopt-a-Blog http://www.adoptablog.org/. Designed primarily for blocked blogs in China, you can contact this service with a request that someone outside your country host a blog on their server. The server hosting your blog is unlikely to be blocked and, if it becomes blocked, your blog is moved to a different server.

 

If you know someone trustworthy outside the country, another option is to simply ask that person to set up a blog for you and then to post to it either using a proxy, or by contacting them via web-based email, encrypted email or by using a remailer system (see below). It is highly advisable, however, not to trust anyone quickly whom you do not know. Established human rights and free speech groups might be willing to connect you with trustworthy people willing to help. Members of the Malaysian expatriate community may also be helpful.

 

TOR ONION ROUTING

Tor, an “onion routing” system takes the idea of proxy servers to a new level of complexity. Each request made through an onion routing network goes through two to 20 additional computers, making it hard to trace what computer originated a request. Each step of the Onion Routing chain is encrypted, making it harder for the government to trace your posts. Furthermore, each computer in the chain only knows its nearest neighbors. In other words, router B knows that it got a request for a web page from router A, and that it's supposed to pass the request on to router C. But the request itself is encrypted: router B doesn't actually know what page you are requesting, or what router will finally request the page from the web server.

 

Given the complexity of the technology, it is surprisingly easy to install Tor http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html. You download an installer which first installs Tor on your system, and then downloads and installs Privoxy, a proxy that works with Tor.

 

The Tor system will make it look at one point like you are on a computer at Harvard University, and then it looks like you are in Germany, and so forth, changing all the time as you reload or sign on at different times. Tor is changing your identity from request to request, helping to protect keep your identity private.

 

This has some a couple of unintended consequences. When you use Google through Tor, it may switch languages on you. One search may be in English; another may be Japanese, German, Danish or Dutch, all in the course of a few minutes. Some sites, Wikipedia, for instance, may not allow connections from a Tor system. Your surfing may slow down quite a bit at times. And, of course, you are reliant on your home computer, since you cannot install Tor on a public machine. Most worrisome, though, is Tor’s occasional malfunctioning: it may sometimes stop working. Your ISP may block some Tor routers.

 

TORPARK

TOR is somewhat difficult to install for a non-technical user. Although much easier than most anonymizing technologies, it can still be tricky. Also, if you are accessing the Internet from an Internet café, it is unlikely you will be able to install TOR on the computers you are using.

 

Now there is an alternative. The people behind a new tool called Torpark http://torpark.nfshost.com/ have combined an alpha version of the new Firefox Deer Park browser http://www.mozilla.org/projects/firefox/ with TOR and an installer, to produce a 20MB package designed to fit on a USB key http://en.wikipedia.org/wiki/Keydrive.

 

When you insert your USB key into the port of a computer equipped with Windows 2000 or XP and you run the Torpark application, an anonymized browser window will open, allowing you to surf the web, leaving few or no traces behind.

 

One click starts a script, opens a DOS window and a browser, which then surfs through TOR. Ejecting the USB key removes obvious traces from the system. The browsing experience is the slow, but satisfactory, experience you get when browsing with TOR.

 

There are some problems: Stylesheet-heavy pages tend to look bad, as some graphics and files fail to load. Some images break. But for the most part, you can surf the web effectively.

 

There are three difficulties that may prevent some users from adopting Torpark as their preferred method of surfing.

 

First, not everyone has a USB key. Securing access to a reasonably priced key may be difficult for some people. There may be a lack of supply or the price may place it out of reach for many. Second, many Internet cafés may not allow you to attach a USB key to their machines. Finally, TOR uses a small, published list of servers that transfer and obscure packets. In any country that employs a firewall, it is reasonable to assume that the administrators block traffic from the servers that are currently listed http://proxy.org/tor.shtml and add any new servers to the blacklist when they come online.

 

Torpark can be downloaded http://torpark.nfshost.com/ in English, Chinese, French, Slovenian, Russian, Korean, Hebrew, Polish and Turkish and other languages.

 

MIXMASTER, INVISIBLOG AND GPG

There are a number of additional options that do no require proxy servers. One such service is Invisiblog http://www.invisiblog.com/. You do not post to Invisiblog via the web, as you do with most blog servers. You post to it using specially formatted email, sent through the Mixmaster remailer system, signed cryptographically.

 

That sounds complicated. It is. But here is what you do. First, go to GPG http://www.gnupg.org and set up a “public-key encryption system.” (Public-key encryption is a technique that allows you to send messages to a person that only the recipient can read. Public key encryption also allows people to “sign” documents with a digital signature that is almost impossible to forge.)

 

Then, set up Mixmaster http://mixmaster.sourceforge.net/, a mailing system designed to obscure the origins of an email message. Mixmaster uses a chain of anonymous remailers (computer programs that strip all identifying information off an email and send it to its destination) to send email messages with a high degree of anonymity. By using a chain of 2 to 20 remailers, the message is very difficult to trace, even if one or more of the remailers is “compromised” and is recording sender information.

 

Unfortunately, you have to “build” Mixmaster by compiling its source code, a project that requires a great deal of technical know-how.

 

Once set up, you send a Mixmaster message to Invisiblog, which includes your public key. Invisiblog will use this to set up a new blog for you, with a name like “invisiblog.com/ac4589d7001ac238”. (The long string is the last 16 bytes of your GPG key.) Once your Invisiblog is set up, you send future posts to by writing a text message, signing it with your public key and sending it via Mixmaster.

 

The misdirection of Mixmaster mailers means that it takes anywhere from two hours to two days for your message to reach the servers. And you must be very careful about looking at your blog. If you look at it too often, your IP address will appear in the blog's log frequently, signaling that you are probably its author. You can be somewhat reassured by the fact that the owners of Invisiblog have no idea who you are.

 

The main problem with the Invisiblog system is the fact that it is very difficult for most people to use. Most people find GPG a challenge to set up and have difficulty understanding the complexities of public and private keys. More user-friendly cryptographic tools, like Ciphire https://www.ciphire.com/, have been set up to help less technically proficient users, but even they can be difficult. These tools are also frequently blocked by repressive regimes. Another issue that makes this difficult is that if the authorities ever take your computer and find your private key, it would be considered highly suspicious in itself and might be used as evidence that you were the author of the blog. If you do succeed in sending out mail messages wrapped in strong encryption, like Mixmaster, you run the risk of attracting the attention of the Internet authorities.

 

CONCLUSION

You have a right to be heard. Your voice is important to Malaysia, both for its present and its future. However, contradicting the accepted common truths of a nation can be frowned upon, and a government that is on the defensive politically can be challenging to those who wish to add their voices to the discussion of their country’s future. Someone who cares about this future can do no good mute. You must remain in possession of your voice.

 

To that end, we have covered basic anonymization measures, such as pseudonymous blogging and web-based email; proxies; social options, such as individual Circumventor proxies, Adopt-a-Blog and assisted blogging; Tor servers’ onion routing; and very complex email-based blogging systems like Invisiblog.

 

None of these, nor any combination, is foolproof. There will always remain a chance that you will be discovered and the authorities, which fear the intellect of their own people, will succeed in silencing you. Be very careful. You are fellow bloggers, as well as fellow human beings, and we wish above all for you to remain free and safe.

 

Please forward this document to anyone you think might benefit from reading it. You are also welcome to add to it your ideas, experiences and experiments—though we ask you leave in place all warnings about the dangers of speaking up and the provisional nature of all anonymizing techniques, tools and processes. Perhaps you have information we do not. Perhaps you know of additional measures to take that we have not covered. Let’s share with each other and take care of one another.

 

LEGAL

We make no warranty as to the accuracy of the information contained in these guides. The reader assumes all responsibility for the risk of using them.

 

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

 

Contact the authors at chopkins4145@charter.net.