Shared publicly  - 
 
TMNet's filtering of +Malaysiakini video interviews of Bala's widow

We strongly suspect some sort of basic content filtering to censor online media in Malaysia is happening. Investigation was done on multiple networks based on the id/url of these videos served from Google's +YouTube  cached servers located in TMNet network.

We are not aware of all the details of Google's infrastructure, but testing so far has revealed that when request is served from servers not in TMNet's network, the video can be viewed immediately. The content filtering is not effective all the time, and it can sometimes pass after a period of time if the request is fragmented into multiple packets.

Many people have reported difficulties with viewing the following video interviews linked from MalaysiaKini's interview article here http://www.malaysiakini.com/news/228492. It is an interview of a private investigator's widow who implicates that the caretaker Prime Minister Najib Razak was indirectly involved in their plight to cover up possible interference in the murder case of Mongolian citizen Altatunya.

- Isteri PI Bala: Kami betul-betul macam pelarian
- Isteri PI Bala: Apakah salah berkata benar?

This is similar to the recent attempts at censoring MalaysiaKini http://www.malaysiakini.com/news/228203 for which normal users think that there is something wrong with their Internet connection, rather than a more sophisticated form of censorship.

We strongly condemn the actions of TMNet and parties involved in censoring  access to free media in Malaysia and hope that +Google's +YouTube team can help shed more light on this with their own internal investigations.

#media   #censorship   #Malaysia   #GE13

Methodology

You can get the url of the actual video request by using Firebug, or Chrome's built in network inspector, see the stream204 request:

To test the theory that this blocked on the server itself, we tested this on external server in the US making a requests to r2---sn-uh-30az.c.youtube.com which resolves to IP 218.208.3.141 located in TMNet's network according to GeoIP http://www.maxmind.com/en/home

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075&id=6fd4265417fad968&ip=xxx.xxx.xxx.xxx&ipbits=8&itag=5&key=yt1&ms=au&mt=1367298078&mv=m&newshard=yes&signature=14D87550920151C79867918C67C389A6CD710CF8.5F1B2F33D50892BE779F1BBEA3EF6597B53E49A7&source=youtube&sparams=algorithm%2Cburst%2Ccp%2Cfactor%2Cid%2Cip%2Cipbits%2Citag%2Csource%2Cupn%2Cexpire&sver=3&upn=az7c96WygHg&cpn=fxFdthaMMJRQ3APf&ptk=malaysiakini%2Buser&ptchn=malaysiakiniRequest%20Headersview%20source'
# Timeout

Now other videos seem to be playing fine, so let's strip out the id parameter and see if some content level filtering is happening. What we will get from the following request is that it does connect, but we get 403 because we're not requesting any video and accessing an invalid url.

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075'

About to connect() to r2---sn-uh-30az.c.youtube.com port 80 (#0)
Trying 218.208.3.141... connected
Connected to r2---sn-uh-30az.c.youtube.com (218.208.3.141) port 80 (#0)
GET /videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075 HTTP/1.1
User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Host: r2---sn-uh-30az.c.youtube.com
Accept: /

HTTP/1.1 403 Forbidden
Last-Modified: Wed, 02 May 2007 10:26:10 GMT
Content-Type: text/plain
Connection: close
X-Content-Type-Options: nosniff
Date: Tue, 30 Apr 2013 05:36:31 GMT
Server: gvs 1.0
* Closing connection #0

Now we will try with everything stripped out but with the id parameter in url passed: id=6fd4265417fad968

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?algorithm=throttle-factor&burst=40&cp=U0hVTFNNUF9GUENONV9LR1RCOmNEZS1kWjk5OUo4&expire=1367322116&factor=1.25&fexp=930901%2C929809%2C932000%2C932004%2C906383%2C906387%2C904479%2C904482%2C902000%2C901208%2C929903%2C925714%2C929119%2C931202%2C900821%2C900823%2C912518%2C911416%2C904476%2C908529%2C930807%2C919373%2C906836%2C929602%2C930101%2C926403%2C900824%2C912711%2C910075&id=6fd4265417fad968'

# Timeout!
 
Now lets just try the url pattern "videoplayback" and "id=6fd4265417fad968" again we will get timeout showing that it's blocked.

user@somewhereusa.com:~$ curl -v 'http://r2---sn-uh-30az.c.youtube.com/videoplayback?id=6fd4265417fad968'

# Timeout! Blocked!

Let's do some more digging on what kind of filtering they have in place, by doing a manual request by telnet slowly, so that the information is less likely sent as a single packet. This time the connection passes through despite having id and video parameters.

user@somewhereusa.com:~$ telnet 218.208.3.141 80
Trying 218.208.3.141...
Connected to 218.208.3.141.
Escape character is '^]'.
GET /videoplayback?id=6fd4265417fad968 HTTP/1.0
 
HTTP/1.0 404 Not Found
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Tue, 30 Apr 2013 05:40:25 GMT
Server: sffe
Content-Length: 964
X-XSS-Protection: 1; mode=block
 
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
  </style>
  <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/videoplayback?id=6fd4265417fad968</code> was not found on this server.  <ins>That’s all we know.</ins>
Connection closed by foreign host.
35
27
Kevin L's profile photoWen Jiun Yap's profile photoJung Kian Ng's profile photoSteason Tee's profile photo
16 comments
 
To clarify users on this, the blocking is done on Google's servers which are hosted in TMNet network. Which means regardless of which ISP you're using, if Google redirects you to serve video from one of their TMNet servers, it will be blocked (for about 90-120s). If you are served from another Google server not on TMNet network it should play fine.

TMNet and others doing the packet filtering censoring are messing around with their clients CDN servers.

The worrying trend from other sources is that additional URLs are being added to the block list including +DAP Malaysia 's FB page.
 
if you use Google's Public DNS, you can view these videos without resorting to encrypted requests.

However, they might have just "unblocked" these content after findings where made public.
 
+Nazrul Kamaruddin it's not DNS. Check the methodology, they seem to be able to packet filter CDN servers. As of now, the list of block urls seems to be increasing rather than being removed.
 
You are right. But I'm viewing these videos just fine on Unifi, without https. Or maybe because I'm on TIME's network.

What other content URLs that is being blocked?
 
+Nazrul Kamaruddin so far it seems P1 and TIME are ok, at least for Youtube, you're accessing CDN servers that are not blocked. For sure right now Maxis, Celcom and TMNet are affected.

For YouTube, the packet filtering isn't 100% effective.
 
I use Time BB at home and the videos and sites load fine for me. However, with my office network, which uses Unifi, all are blocked.
 
+Joshua Ong There is nothing of particular interest in these videos. The blocking of DAP Facebook pages was more directly malicious. What is worrying me more are the techniques and collaboration by ISPs. It seems to me to be testing and prelude to more extensive targeted blocks in near future. 
 
I guess there will only be real FOI when PR take over.
 
YES 3G has filtered the Isteri Bala video too.
 
+Joshua Ong for YouTube it's not at end user ISP. Some servers as in the original post are on TMNet's network. If YouTube requests content from these servers, it doesn't matter what service provider you use, even overseas ones. It's just that with some providers and overseas, YouTube requests from servers not in TMNet.
 
Is it violating Google's policy? Can Google sue Telekom Malaysia under the law of Internet Censorship or Freedom of Information?
 
+Zhen Hong Lee FOI is for requests of information from government. Very different law. Besides only Penang and Selangor have it.

Likely what's applicable is some sort of breach of contract between Google and service provider of their server hosting.

The Multimedia Act I believe has a section on no Internet censorship. That would be an interesting strategic litigation case. Though it will be need to be done by an individual, as we have no EFF like organization here in Malaysia. 
Add a comment...