2011-knockel-three
findings extracted from this paper
-
TOM-Skype maintains two separate encrypted keyword lists: one that triggers both message suppression and a silent upload of the message to a server in China, and a second that triggers surveillance only. Version 5.1.4.10 introduced a distinct surveillance-only keyfile downloaded from a separate URL (skypetools.tom.com/agent/keyfile_u); a message matching it is uploaded but still delivered normally, so the user sees none of the visible blocking that would reveal the monitoring.
-
TOM-Skype keyword list encryption evolved from a simple XOR cipher in versions 3.6/3.8 to AES-256 in ECB mode in versions 5.0/5.1. Surveillance traffic was encrypted with DES in ECB mode using hardcoded ASCII keys embedded in the binary (SURVEIL_KEY4.0 = 'X7sRUjL\0'; SURVEIL_KEY3.6 = '32bnx23l'), recovered via a known-plaintext attack and via DLL injection, respectively. Because the keys ship inside every client, anyone who reverse-engineers the binary can decrypt both the keyfile and the surveillance uploads; the secrecy of the lists rests entirely on obscurity.
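The known-plaintext step above, against the weakest scheme on the list (the repeating-key XOR used for the early keyfiles), as an added illustration that is not the paper's code. The keyfile layout (one keyword per line), the 8-byte key, the keyword contents and the assumption that the analyst already knows the first entries (for example from an older, already-decrypted version of the list) are all constructed for this demo.

```python
"""Known-plaintext recovery of a repeating-key XOR keyfile (added example).

Assumptions (not from the paper): keyfile is newline-separated UTF-8,
the XOR key repeats every 8 bytes, and the first two entries are known.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Derive the key from known plaintext at offset 0.

    c XOR p yields the key stream; with a repeating key that stream has
    period key_len. The recovered key must explain every known byte,
    otherwise key_len is wrong (or the cipher is not a repeating XOR).
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)
    key = stream[:key_len]
    if xor_bytes(ciphertext[: len(known_plaintext)], key) != known_plaintext:
        raise ValueError("known plaintext inconsistent with period %d" % key_len)
    return key


def guess_key_length(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32):
    """Smallest period consistent with the whole known fragment.

    Reliable once the known plaintext is about twice the true key length;
    returns None if no period up to max_len fits.
    """
    for n in range(1, max_len + 1):
        try:
            recover_key(ciphertext, known_plaintext, n)
            return n
        except ValueError:
            continue
    return None


def attack_keyfile(ciphertext: bytes, known_prefix: bytes):
    """Return (recovered_key, keyword_list) or raise if the attack fails."""
    n = guess_key_length(ciphertext, known_prefix)
    if n is None:
        raise ValueError("no repeating XOR key fits the known plaintext")
    key = recover_key(ciphertext, known_prefix, n)
    keywords = xor_bytes(ciphertext, key).decode("utf-8").splitlines()
    return key, keywords


# Constructed sample keyfile using phrases quoted in the findings.
KEYFILE_PLAINTEXT = (
    "Lu Si\n"
    "Oscar best actor winner\n"
    "32+32\n"
    "8 squared\n"
    "Ling Jing Alley demolition\n"
).encode("utf-8")
DEMO_KEY = bytes.fromhex("5a13c47709ee218b")  # constructed, 8 bytes
ENCRYPTED_KEYFILE = xor_bytes(KEYFILE_PLAINTEXT, DEMO_KEY)
# What the analyst is assumed to know: the first two entries (30 bytes).
KNOWN_PREFIX = b"Lu Si\nOscar best actor winner\n"

if __name__ == "__main__":
    key, words = attack_keyfile(ENCRYPTED_KEYFILE, KNOWN_PREFIX)
    print("recovered key:", key.hex())
    for w in words:
        print("  ", w)
```

Thirty bytes of known plaintext are enough here because the period check in recover_key rejects every shorter candidate length before reaching 8; with fewer known bytes than twice the key length the guess can return a short false period, which is why the function verifies the candidate against the entire known fragment rather than trusting the first key_len bytes.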
-
The TOM-Skype keyword blacklist contained numerous user-coined neologisms added after the original terms were censored, e.g. 'Lu Si' (a homophone for '64', the June 4 Tiananmen date) and 'Oscar best actor winner' (a euphemism for Wen Jiabao). This reflects an adversarial arms race: evasion vocabulary spreads freely until the censor detects and blacklists each neologism. The authors observed that some sensitive concepts (e.g. '64' rendered as '32+32' or '8 squared') spawn so many variants that chasing neologisms one by one may not scale for the censor.
-
The TOM-Skype censorship keyfile was substantially updated on 4/22/2011—possibly correlated with US-China human rights talks on 4/27–4/28/2011—and contained exact phrases lifted verbatim from 2011 Jasmine Revolution protest coordination documents, including specific intersection meeting points such as 'McDonald's in front of Chunxi Road in Chengdu'. This demonstrates real-time, operationally targeted keyword blacklisting within days of new coordination material appearing.
-
The 158-keyword surveillance-only list in TOM-Skype 5.1.4.10 focused predominantly on specific Beijing demolition sites and addresses (e.g. 'Ling Jing Alley demolition'), plus five Shouwang church keywords; none of these triggered message suppression. Messages matching them were delivered to the recipient as usual and silently uploaded to a server, showing that the censor operates event-specific surveillance lists aimed at localized grievance communities, maintained independently of its censorship blacklist.