TMNet's filtering of Malaysiakini video interviews of Bala's widow

We strongly suspect that some form of basic content filtering is being used to censor online media in Malaysia. The investigation was done on multiple networks, based on the id/URL of these videos as served from Google's YouTube cache servers located in TMNet's network.

We are not aware of all the details of Google's infrastructure, but testing so far has revealed that when the request is served from servers not in TMNet's network, the video can be viewed immediately. The content filtering is not effective all the time, and a request can sometimes pass after a period of time if it is fragmented into multiple packets.

Many people have reported difficulties with viewing the following video interviews linked from MalaysiaKini's interview article here: http://www.malaysiakini.com/news/228492. It is an interview with a private investigator's widow, who alleges that the caretaker Prime Minister Najib Razak was indirectly involved in their plight to cover up possible interference in the murder case of Mongolian citizen Altantuya.

- Isteri PI Bala: Kami betul-betul macam pelarian ("PI Bala's wife: We are really like refugees")
- Isteri PI Bala: Apakah salah berkata benar? ("PI Bala's wife: Is it wrong to tell the truth?")

This is similar to the recent attempts at censoring MalaysiaKini (http://www.malaysiakini.com/news/228203), where ordinary users think that there is something wrong with their Internet connection rather than suspecting a more sophisticated form of censorship.

We strongly condemn the actions of TMNet and parties involved in censoring access to free media in Malaysia and hope that Google's YouTube team can help shed more light on this with their own internal investigations.

#media   #censorship   #Malaysia   #GE13

Methodology

You can get the URL of the actual video request by using Firebug or Chrome's built-in network inspector; look for the stream204 request.

To test the theory that this is blocked on the server itself, we tested from an external server in the US, making requests to r2---sn-uh-30az.c.youtube.com, which resolves to IP 218.208.3.141, located in TMNet's network according to GeoIP (http://www.maxmind.com/en/home).

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075&id=6fd4265417fad968&ip=xxx.xxx.xxx.xxx&ipbits=8&itag=5&key=yt1&ms=au&mt=1367298078&mv=m&newshard=yes&signature=14D87550920151C79867918C67C389A6CD710CF8.5F1B2F33D50892BE779F1BBEA3EF6597B53E49A7&source=youtube&sparams=algorithm%2Cburst%2Ccp%2Cfactor%2Cid%2Cip%2Cipbits%2Citag%2Csource%2Cupn%2Cexpire&sver=3&upn=az7c96WygHg&cpn=fxFdthaMMJRQ3APf&ptk=malaysiakini%2Buser&ptchn=malaysiakiniRequest%20Headersview%20source'
# Timeout

Other videos seem to be playing fine, so let's strip out the id parameter and see whether some content-level filtering is happening. The following request does connect, but we get a 403 because we are not requesting any video and are accessing an invalid URL.

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075'

About to connect() to r2---sn-uh-30az.c.youtube.com port 80 (#0)
Trying 218.208.3.141... connected
Connected to r2---sn-uh-30az.c.youtube.com (218.208.3.141) port 80 (#0)
GET /videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075 HTTP/1.1
User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Host: r2---sn-uh-30az.c.youtube.com
Accept: */*

HTTP/1.1 403 Forbidden
Last-Modified: Wed, 02 May 2007 10:26:10 GMT
Content-Type: text/plain
Connection: close
X-Content-Type-Options: nosniff
Date: Tue, 30 Apr 2013 05:36:31 GMT
Server: gvs 1.0
* Closing connection #0

Now we will try with everything stripped out, but with the id parameter passed in the URL: id=6fd4265417fad968

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075&id=6fd4265417fad968'

# Timeout!
 
Now let's try just the URL pattern "videoplayback" and "id=6fd4265417fad968". Again we get a timeout, showing that it's blocked.

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?id=6fd4265417fad968'

# Timeout! Blocked!

Let's do some more digging into what kind of filtering they have in place by making the request manually and slowly over telnet, so that the information is less likely to be sent as a single packet. This time the connection passes through despite having the id and video parameters.

user@somewhereusa.com:~$ telnet 218.208.3.141 80
Trying 218.208.3.141...
Connected to 218.208.3.141.
Escape character is '^]'.
GET /videoplayback?id=6fd4265417fad968 HTTP/1.0
 
HTTP/1.0 404 Not Found
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Tue, 30 Apr 2013 05:40:25 GMT
Server: sffe
Content-Length: 964
X-XSS-Protection: 1; mode=block
 
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
  </style>
  <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/videoplayback?id=6fd4265417fad968</code> was not found on this server.  <ins>That’s all we know.</ins>
Connection closed by foreign host.
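
The five probes above form a small differential experiment. As an added example (not part of the original post), the Python below records them as data and works out which URL token separates the blocked requests from the answered one, and whether the way the request was sent changes the outcome. The query strings are shortened: `other=1` and `signature=x` are placeholders, and the "single"/"slow" labels are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

HOST = "http://r2---sn-uh-30az.c.youtube.com"
VID = "id=6fd4265417fad968"
# Constructed records of the five probes above: (url, how it was sent, outcome).
# "other=1" and "signature=x" are placeholders for the long parameter lists.
OBSERVATIONS = [
    (f"{HOST}/videoplayback?other=1&{VID}&signature=x", "single", "timeout"),
    (f"{HOST}/videoplayback?other=1", "single", "403"),
    (f"{HOST}/videoplayback?other=1&{VID}", "single", "timeout"),
    (f"{HOST}/videoplayback?{VID}", "single", "timeout"),
    (f"{HOST}/videoplayback?{VID}", "slow", "404"),  # typed by hand over telnet
]

def tokens(url):
    """Split a URL into comparable tokens: its path and each key=value pair."""
    parts = urlsplit(url)
    return {"path=" + parts.path} | {f"{k}={v}" for k, v in parse_qsl(parts.query)}

def infer_trigger(observations):
    """Tokens shared by every blocked one-shot request and absent from every
    answered one. A token removed here is only shown to be insufficient on its
    own; it may still be part of a combined pattern."""
    blocked = [tokens(u) for u, sent, out in observations
               if sent == "single" and out == "timeout"]
    answered = [tokens(u) for u, sent, out in observations
                if sent == "single" and out != "timeout"]
    if not blocked:
        return set()
    trigger = set.intersection(*blocked)
    for seen in answered:
        trigger -= seen
    return trigger

def segmentation_sensitive(observations):
    """True when a URL that times out as a one-shot request is answered when the
    same URL is sent slowly, which points at matching on individual packets
    rather than on the reassembled stream."""
    timed_out = {u for u, sent, out in observations
                 if sent == "single" and out == "timeout"}
    passed_slow = {u for u, sent, out in observations
                   if sent == "slow" and out != "timeout"}
    return bool(timed_out & passed_slow)

if __name__ == "__main__":
    print("trigger tokens:", infer_trigger(OBSERVATIONS))
    print("per-packet matching suspected:", segmentation_sensitive(OBSERVATIONS))
```

Without the 403 control request, the path and the id cannot be told apart, which is why the stripped-down request matters to the conclusion.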