From an ISP perspective this is really hard to hide. If somebody announces my /16 from Pakistan and traffic goes there, it's going to get noticed. Like the time PTCL broke YouTube...
You basically can't bgp hijack without breaking basic internet connectivity for the legit users of the IP space (where it is intended to be announced to peers and transits), so anything lasting more than 30 seconds will generate a huge flurry of phone calls and noc emails.
There are third party services you can pay, and software you can set up yourself to watch for bgp announcements for "your" ARIN/RIPE/APNIC/whatever prefixes, and generate alerts based on that. Pretty common stuff with Linux based systems (FRR, etc) that can hold the entire global v4+v6 routing table in RAM and do quick analysis on it.
Google "bgp hijack", this is a well known issue in the ISP operational community. RPKI validation of announced routes and best common practices for what you accept from your bgp neighbors go a long way.
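As an added illustration of the prefix-monitoring idea in the comment above (constructed example code, not FRR's and not any of the third-party services mentioned): it compares collected announcements against a locally defined expected origin ASN and expected upstream ASNs, flagging foreign origins, more-specifics and forged paths that keep the real origin at the end. All prefixes, ASNs and feed records are made-up example values.

```python
import ipaddress

# Constructed expected state: the prefixes we originate, our ASN and the
# transit/peer ASNs that should appear directly next to us in the AS path.
# All ASNs and prefixes here are example values, not real allocations.
OUR_ASN = 64500
OUR_PREFIXES = [ipaddress.ip_network(p) for p in
                ("198.51.100.0/22", "2001:db8:100::/40")]
UPSTREAMS = {64510, 64511}

# Constructed sample of collected announcements: (prefix, AS path).
# The origin ASN is the last element of the path.
OBSERVED = [
    ("198.51.100.0/22", [64520, 64510, 64500]),   # normal announcement
    ("198.51.100.0/24", [64520, 64530]),          # more-specific, foreign origin
    ("2001:db8:100::/40", [64540]),               # same prefix, foreign origin
    ("203.0.113.0/24", [64550]),                  # not ours, ignored
    ("198.51.100.0/22", [64520, 64560, 64500]),   # our origin kept, unknown neighbour
    ("198.51.100.128/25", [64510, 64500]),        # our own more-specific (deaggregation)
]

def classify(prefix, path):
    """Return an alert type for one announcement, or None if it looks normal."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin = path[-1]
    for ours in OUR_PREFIXES:
        if net.version != ours.version:
            continue          # subnet_of() raises on mixed address families
        if net != ours and not net.subnet_of(ours):
            continue          # overlaps none of our space
        if origin != OUR_ASN:
            return "more-specific-hijack" if net != ours else "origin-hijack"
        if len(path) >= 2 and path[-2] not in UPSTREAMS:
            return "unexpected-upstream"   # path forgery can keep our ASN as origin
        if net != ours:
            return "own-deaggregation"     # informational: a sub-prefix of ours
        return None
    return None   # prefix is not ours; nothing to check

def scan(feed):
    """Run classify() over a feed and return alerts as (type, prefix, path)."""
    alerts = []
    for prefix, path in feed:
        kind = classify(prefix, path)
        if kind is not None:
            alerts.append((kind, prefix, path))
    return alerts

if __name__ == "__main__":
    for kind, prefix, path in scan(OBSERVED):
        print(f"{kind:22} {prefix:20} path={path}")
```

A real deployment would feed this from a route collector or a full-table BGP speaker and treat "unexpected-upstream" as lower severity than the two hijack classes.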
Could someone explain how out-of-ordinary these hijacks are? I thought network traffic is similar to connecting flights: it's not uncommon to fly from NY to Seoul with a transit stop in China. Network traffic may follow a non-optimal path for various reasons, such as complicated deal/rebate structures among AS, third party ASN spoofing, technical failures within AS and state-sponsored hacks. The paper seemed to cherry-pick some examples of "hijacks" involving China. But it would be more convincing to show whether they are happening all over the world or are specific to China.
In addition, network traffic at ISP level is never intended to be secure. That's why we have/need end-to-end encryption.
Just like programming languages can only have two out of three concepts (soundness, completeness, decidability), the creators of the internet had to choose two out of three concepts (openness, robustness, security).
It's theoretically impossible to have a language that is sound, complete and decidable. It's probably also impossible to have an internet that is open, robust and secure.
Which one of "open, robust, secure" do you think Tor doesn't meet?
You can pick any 3 concepts and group them together like that, but it doesn't mean you can't have all 3, e.g. a house can be "large, cheap, and well-decorated" (e.g. if it is in the middle of nowhere).
"then an appropriate defence policy in response could state that no traffic to or from the US or ally is allowed to enter a China Telecom PoP in the US or in the ally's networks"
The fact that this is possible today seems incredible to me when I think of the number of times I've heard cybersecurity and cyberespionage was a priority of the US security agencies during the last decade.
On the contrary, I think as phrased that's a "break the internet" policy, especially if more than one country does it - what if China asks for a reciprocal version?
As someone with a trip to Beijing on the horizon, aside from using a VPN, are there any other best practices to keep data secure while traveling there?
(I live in China) I would advise against VPN entirely. I am unsure about the state ability to decrypt the content of the connection (heavily depends on how the VPN is configured really — weak and legacy ciphers, etc.). But they will detect it and eventually you'll start dropping packets like crazy.
A simple way to evade all of this is to use shadowsocks with a strong cipher and strong password between your computer in China and your server outside of it. Don't use any free server and don't use any commercial shadowsocks offerings. Set it up yourself, it's pretty easy.
On the mobile phone side of things, I wouldn't trust anything. Especially Apple, that has been very complaisant with local authorities.
China plays a tactical game: they pretend (or we suspect, and they want us to) that they can do a lot of things. But nobody knows the extent of what they are actually capable of.
I don't really understand what kind of scientists would do such research to help the government carry out the censorship more efficiently, over their fellow people... it's either those intellectuals have no brain, or no heart...
This is correct, SS is on the radar and is not as dependable as it used to be. There is a variant of SS that is said to be an improved version but it is still not 100% dependable.
Used to live in China. Can vouch completely for the Shadowsocks approach. It can't be blocked yet. Set up an endpoint at home or on EC2 and configure Streisand. Works great on mobile and desktop.
Shadowsocks is not a VPN at all. It's a connectionless SOCKS5 proxy. No handshake, no key exchange, no protocol agreement.
VPN is not made to be undetected, only secure in the sense of data encryption. Shadowsocks has broader objectives.
On your local workstation, it exposes itself as a SOCKS5 proxy. But to communicate with the shadowsocks server, it uses a proprietary protocol which is not SOCKS5 and does have a key exchange process. Either way, these details don't affect its ability to be detected.
> VPN is not made to be undetected
"VPN" is not just one technology. Many vendors of VPN software do claim that their software is made to be undetectable. One example is shadowsocks, but there are other vendors who also claim that.
Thanks for the info, couple of things I didn't know. What I meant by "it's not a VPN" was mainly it doesn't make your computer part of another private network.
If I had to do it, I'd go full thin client. Store nothing. Bring a laptop that is basically a bare bones Linux + xfce desktop, and the ability to connect to external VPN + vnc-over-ssh2 session to a system you trust. Keep in mind that a rootkit installed on your thin client is a possibility, for keystroke logger or whatnot, so if you don't keep it with you and don't treat its physical security as a concern, all bets are off.
FYI, the Great Firewall engineers have already found ways to inspect packets sent through OpenVPN...
A couple of weeks ago, I was asked by a friend who was traveling in China at the time to set up a VPN for him so he could use Gmail and other Google services there... I went for the easy way and used OpenVPN for him, but to our disappointment, with that VPN tunnel, he still could not access the Google search page while many other pages on other domains were fine... I spent a few hours trying to figure out why, and then I came across these discussions,
My friend and I haven't experimented further; but I think one way that might work is to chain multiple VPNs or perhaps obfuscate your protocol a bit (i.e. make some minor customization yourself)...
It isn't that they need to inspect the contents of the packets, tcp and udp flow analysis will reveal VPN traffic patterns even if the crypto is perfect. What I've seen reported is that people using openvpn see it work for a while, then increasing latency and packet loss, then eventually total lack of ability to move traffic between the two endpoint IPs.
But if the government completely blocks out VPN use in the country, lots of international businesses operating there will suffer and then they will complain, which is not something the government can ignore (at least not always)... A VPN whitelist could be a solution, but I don't know how well that is implemented (if it has been implemented) -- not to mention keeping a perfectly consistent whitelist at that scale would be difficult... in addition, there is always some false positive/negative in their flow pattern analysis -- those are statistical approaches after all... so there is some grey area here...
Anyway, back to that OpenVPN experiment I did with my friend: many websites were still accessible with my OpenVPN tunnel -- although Google was not among those sites -- this seems to imply that they were doing some packet semantic analysis (i.e. deep packet inspection)...
If you have something that you genuinely need to keep from the Chinese, don't connect to the internet full-stop. Even SSL can be decrypted by their great firewall if they are suspicious enough. Even VPNs have no guarantee that someone with the right resources hasn't terminated the VPN themselves on the quiet!
I would still like to see them decrypt the traffic on demand. There are heaps of other attack vectors that are much easier to deploy. Also, looking at Qualys SSL Labs[0] it seems like most of the web does a good job at supporting secure and modern protocols. And it feels safe to assume that parent meant TLS, like most people do.
Or do like Uzbekistan has done: force all local computer stores to install a trusted root CA in the operating system before it gets into the hands of the end user. You can transparently MITM TLS 1.2 if the system trusts the MITM operator's CA. Maybe 0.01% of people even know where to look to examine their Windows 10 machine's trusted CA list.
Naturally! Well - except for the diplomatic disaster this would turn into if you did it on foreigners.
I think most people exaggerate the technical capabilities of the Chinese government and how interesting they are for them. Sure, we shouldn't be naive, but a drop of realism is always good.
The difference is in the degree! I don't think the Chinese could or would decrypt all foreigners traffic (and I did mean TLS but use the more well-known SSL name) but if the question is "As someone with a trip to Beijing on the horizon, aside from using a VPN, are there any other best practices to keep data secure while traveling there?", the answer is very clearly don't connect to the internet.
I don't know the person who asked the question, whether he is a realistic government target or just some normal person but there are enough reports of cache poisoning, VPN control/blocking and Chinese hijinks to know that if you are worried about them, don't connect. Mind you, the same fear applies to the US and UK as well.
This is not what the article says happened. Rather, the researchers found that China was able to reroute traffic going to other countries to instead go to China, presumably to analyze or decrypt it, before sending it on to its original destination later.
And the US and the rest of the Five Eyes don't? That doesn't make it right, just more wrong. If you're angry that China is doing this then you should be equally angry because the US and 'friends' are doing it to you too.
Being spied upon by a non-democratic nation is the same as being spied upon by a democratic nation if you're not a citizen - you don't hold any influence over either and neither is accountable to you.
So from an outside perspective the US and China are pretty much the same thing in that regard.
To top it off, the five eyes nations are spying on each other - so even if you're a citizen of one you're tolerating being spied upon by four other surveillance apparati that aren't accountable to you.
It's great to have non-scientific theories we can fall back to, rely upon and pat ourselves on the back for when understanding how the world actually is.
Not only the Five Eyes: France and Germany do it. Most Middle East Arabian states do it. Russia does it. Iran does it. Don't know about India, Pakistan, Indonesia, but it should be assumed that the gov secret population control services are selectively redirecting and sniffing up most of the traffic there also, at least on the European scale, i.e. ~10%.
This variant is particularly useful against anybody with a social justice argument. Let's say I complain about Google and what appears to be systemic support for sexual coercion by male managers. You can trot out, "But it's far worse at Uber, did you complain then? No? Have you taken an Uber since then? You have? You have no right to complain now."
Or maybe I say that migrant children have been separated from their families. "You're a Canadian. Did you speak out against Residential Schools? No? Then shut up about migrant families."
Bruce Schneier's blog post on this paper: https://www.schneier.com/blog/archives/2018/10/chinas_hackin...