
China Tells Carriers to Block Access to Personal VPNs by February - valentinebm
https://www.bloomberg.com/news/articles/2017-07-10/china-is-said-to-order-carriers-to-bar-personal-vpns-by-february
======
iliketosleep
Previously, there was an implicit understanding that the Great Firewall was in
place to prevent unauthorised access to the Internet by the masses. This is to
prevent them from being influenced by foreign media, prevent too much
information leakage of citizen info (e.g. via facebook), and to give Chinese
tech companies a monopoly in China.

If, however, you had the will and ability to use VPN software, the government
usually turned a blind eye. After all, it was only a minority of people and
they usually had a genuine need. In fact, this is what made staying in China
tolerable. If this block does truly come into effect, they are essentially
closing the door to the outside world.

China was a country of reasonable compromises before, but with Xi Jinping's
nationalism, they are starting to think "why should we compromise at all?"

~~~
seanmcdirmid
That was never the official or even the implicit position. There has always
been a war with VPNs, what VPNs work and don't can change monthly, and it's
been like that for the last 10 years. Xi's nationalism is nothing new here,
they just think that the tech is good enough to cut off VPNs for good now.

China has been trying to close their internet since after the Olympics. It
isn't surprising that they would eventually succeed at it.

~~~
imron
Since well before the Olympics actually. I was in China when 9/11 happened and
for a brief period of time they opened access to a large number of previously
blocked foreign news sites so that people could read what was happening.

~~~
gcb0
why would people be checking a news site that was previously blocked? do you
go everyday "oh, let me try cnn.com... oh, still blocked. let's try tomorrow?"

~~~
imron
Well, first of all, it's not every day that a news event on the scale of 9/11
happens.

As for how I discovered they were unblocked, I got a phone call from my Mum
early in the morning after the attack (the attack happened during the Chinese
night time) and went in to the office (which had the only available internet
access), and one of my colleagues told me that the bbc and nytimes were no
longer blocked.

Not sure how he found out they were unblocked, but he'd been there most of the
night.

Then once you know one is unblocked you try them all :-)

------
powstudio
China is one black swan event away from an economic collapse and possible Arab
spring. The authoritarian Chinese government is starting to have some sense of
fear now. Between the 300%+ gdp/debt ratio, second real estate bubble bursting
in shanghai/tier1 cities, huge spike in shadow lending, stalled stock market,
complete frozen capital control, Trump's 100 day ultimatum to China regarding
trade deficit, demographics crisis, NK situation, south asia island situation,
protectionisms against China in europe/US/Japan, Foreign Direct Investments
leaving China, etc.

~~~
contingencies
_The preconditions of revolution exist in the UK, and most western countries.
The number of active pre-conditions is quite stunning, from elite isolation to
concentrated wealth to inadequate socialisation and education, to concentrated
land holdings to loss of authority to repression of new technologies
especially in relation to energy, to the atrophy of the public sector and
spread of corruption, to media dishonesty, to mass unemployment of young men
and on and on and on. [...] Preconditions are not the same as precipitants. We
are waiting for our Tunisian fruit seller. The public will endure great
repression, especially when most media outlets and schools are actively aiding
the repressive meme of 'you are helpless, this is the order of things.' When
we have a scandal so powerful that it cannot be ignored by the average Briton
or American, we will have a revolution that overturns the corrupt political
systems in both countries, and perhaps puts many banks out of business. Vaclav
Havel calls this 'The Power of the Powerless.' One spark, one massive fire._
- Robert David Steele, ex-Marine, ex-CIA, Open Source Intelligence Expert in
_The Guardian_, 2014-06-19 ... from my fortune DB @
[https://github.com/globalcitizen/taoup](https://github.com/globalcitizen/taoup)

~~~
bovitclan
Robert David Steele has interesting things to say about OSINT, but one must
take him with an entire cow lick of salt. After getting interested in his
ideas and watching several interviews with him, I was very disappointed. His
personal narrative is exaggerated; he advocates conspiracy theories that are
popular but ridiculous; he shows a certain arrogance. He looks & quacks like
an aggressive self promoter without much substance to offer.

This man has claimed to be the father of OSINT one day, and said that
Pizzagate was spot-on the next. No one with a clue about how to conduct an
investigation should have swallowed that.

That is all to say, I believe we are in very troubled times, but I don't
believe we are on the verge of revolution.

~~~
contingencies
About the same as my views, but still a fair and handy antidote quote to
"China is on the brink of revolution!" as per OP!

------
chairmanwow
From my experience in China, it seems that the vast majority of Chinese
citizens have no idea what a VPN is and/or why they would use it. Friends of
mine that are Chinese citizens that study abroad in the US make extensive use
of VPNs to circumvent the GFW.

Every technology company that I've come across in China has invested a great
deal of effort into establishing stable VPN connections. I have seen several
"VPN microservices" that act to tunnel all foreign-bound traffic out of the
country. In the vacuum of mature, western technologies many Chinese copycats
have popped up. I have been hoping that we would start to see more and more
Chinese technology companies exporting their technology [1]. With these new
legislative actions, it seems like a step in the wrong direction.

I'm struggling to come to terms with the restrictive policies that the Chinese
government continually struggles to hoist over their citizens. During the
midst of one of the most dramatic periods of economic development in history,
the Chinese government is moving to artificially isolate themselves from the
developing global economy?

[1] Strikingly: [https://www.crunchbase.com/organization/striking-ly#/entity](https://www.crunchbase.com/organization/striking-ly#/entity)

~~~
dis-sys
Like it or not, the GFW helped to create the "most dramatic periods of
economic development" in Chinese history.

Back in 2010, when Google chose to exit China, many argued the exact same that
China is isolating itself from the outside. Such feeling is understandable
from a western point of view, I mean for anyone from a western background
there is simply no Internet if google/twitter/fb etc. are all unavailable.
However, a bold however, 7 years after Google's exit from China, it has been
proved again and again that the biggest motivation of GFW is the protectionism
aiming to help domestic Internet companies - and that actually paid off pretty
well.

You don't need Google/fb/twitter etc to have booming Internet/high tech
economy. Look at China's social media, online payment, e-commerce, online
gaming, AI, shared economy etc, did China miss out? Let me give you a bloody
simple number: I didn't use any cash or bank card/credit card in the last 45
days, everything, I mean 100% everything, was paid by mobile.

This is not about some cheap nationalism - it is _all_ about how many good
paying jobs can be made available in China for Chinese. It is the exact same
as the Making America Great Again crap. Blocking google/fb/twitter was the
first essential step to achieve that.

~~~
AzMoo_
Where are you in China? I just spent a week in a relatively small city in
Shandong and there were so many places that were cash only. Couldn't even use
card, let alone mobile.

~~~
beisner
I just spent the last 6 weeks in Beijing and Shanghai (currently in Shanghai)
and I have run into several places that don't even accept cash anymore, and
only accept WeChat Pay or Alipay.

------
EZ-E
With China, there is a big difference between what is said, what is law and
what is actually enforced.

What's likely to happen is that there will be a crack down, some satisfying
numbers will be shown to officials, and then everything will be back to
normal soon after.

There has been this kind of talk about cracking down on VPN before, and it's
still available, so wait and see

~~~
cctan
I have a hunch that these kind of news had been circulated before, officials
threw a few sacrificial lambs in to reach the quota, then the headlines fade
slowly into background.

------
larrysalibra
The same state-owned Chinese carriers will sell you products in Hong Kong that
when used in mainland China let you circumvent the great firewall.
[https://www.larrysalibra.com/hop-over-the-great-firewall-wit...](https://www.larrysalibra.com/hop-over-the-great-firewall-with-government-help/)

The regular crackdowns on VPNs mean that many who live in the region long
since stopped using them and switched to a mobile plan or prepaid sim from
China Mobile Hong Kong or Hong Kong Unicom that provides a Hong Kong IP
address and unfiltered internet while roaming in the mainland.

~~~
gcb0
but the regular Chinese can't easily take the train to Hong Kong.

------
bitcharmer
The way things are going I'm expecting to see the same initiative in the UK or
Germany sooner than you think.

That will stop them evil terrorists.

~~~
CamperBob2
A strange thing to downvote, considering that the UK government has basically
promised exactly this sort of measure.

~~~
topranks
Yep. Banning the use of strong encryption (introducing penalties for it,) is
the logical conclusion of what Theresa May has said she wants to do.

~~~
CamperBob2
Yes, it absolutely is. Outlawing private communications between citizens (or
subjects, in the UK's case) is not the first step down this particular
slippery slope, it's well past the halfway point.

I recommend watching a movie called _The Lives of Others_, to those who don't
understand or agree. It should be available on either Netflix or Amazon, or if
all else fails, the Pirate Bay.

------
baybal2
Currently, https tunnels with replay attack protection hold strong.

UDP VPNs do fail at random right now, I guess GFW people arrived at the point
when they can't do anything about obfuscated and replay attack protected
endpoints other than blocking all UDP traffic at random

------
greggman
not being a network guru how easy is this? I have my VPN set to run over port
443 but I assume it would be easy to see enough of the traffic to see it's a
VPN and not an HTTPS connection. I'm assuming that could be obscured in some
way but then I've heard even if you can't see the contents you can generally
tell it's not HTTPS by looking at the traffic patterns?

~~~
wolfgang42
You can make it more difficult, but short of actually disconnecting China's
network from the rest of the Internet entirely I don't think there's any way
to completely prevent it.

I had a run-in with a particularly aggressive captive portal last week that
kept injecting ads into unencrypted pages (if I'm traveling on one of your
vehicles, _I don't want to buy tickets to travel with you_), but fortunately
didn't firewall outgoing port 22 so I could use sshuttle to route 0.0.0.0/0
via an SSH connection to my personal server. This works with pretty much any
server you can run Python on, so I don't know of a good way to stop it unless
you're willing to block anyone from SSHing outside of the country (thus
preventing e.g. Chinese companies with a global market from running servers
in other countries).

~~~
greglindahl
ssh sessions reveal enough that an interactive session, a file transfer (scp),
and sshuttle routing someone web browsing look quite different from one
another. Sure, you can multiplex and throw in extra traffic, but it's not
trivial.

------
ajeet_dhaliwal
Expats/foreigners/immigrants make heavy use of VPNs according to friends I
have. I don't live in China but if I did and this was successful this would be
a serious reason to consider leaving for me, access to the internet and www is
just too important nowadays.

------
andy_ppp
So what we need is a VPN that looks like https traffic or is https forbidden
in China too? Is anyone working on this?

After a quick read it's apparent that even the most sophisticated defences are
going to be open to the one endpoint having loads of data against it. It would
need lots of different "real" IP connections and my guess peer to peer would
be difficult too.

Statistics and machine learning will always be good enough to evade attempts I
can think of here.

~~~
netsharc
Life finds a way? I could encode 0 to "duck" and 1 to "cat" and I can tell you
"duck duck cat duck, cat duck duck cat" and that's 0010 1001, i.e. the letter
I. Obviously it needs to be more sophisticated than this. Then, you can use the
channels that no one's looking at, but I guess China is looking everywhere.

~~~
andy_ppp
That's fine but still most of your traffic will go to a single endpoint. It'd
be easy to analyse patterns in most surfing protection solutions...

------
geff82
You should not deal with censorshipping countries. Period. That's a dead end
road. If you are Chinese - fight for your natural rights. If you are a
foreigner: let them alone and try to do business with countries that provide
more freedom or that are at least on the right track (I fully understand that
not every country is equal or values freedom equally - but at least they
should move in the right direction).

~~~
gcb0
this is mostly correct.

gotta love when people don't say this about china right away here, but talk
about building your product inside a platform owned by fb or apple and you get
the warnings instantly.

also, this is a good time to remind everyone to at least run a 1mbps tor
node at home. costs nothing.

------
reustle
I'm headed to china next week for a few weeks. I need access to at least
Gmail. Are there any suggestions here on an easy way to get around it for a
VPN noob? I'm usually fine using PrivateInternetAccess but I'm sure that is
blocked there.

~~~
tluyben2
VPNs still work; ExpressVPN gives good results. Although I usually just
forward gmail to outlook for the time being and will just use that for the
weeks I am there.

~~~
baybal2
The thing is that they block Gmail MX from time to time. Don't use google mail
for work there

~~~
tluyben2
No I forward all to Outlook.com and send from there as well. Sucks but works.

------
pmlnr
ssh -D8888 - SOCKS proxy port 8888. SSH is not VPN ;)

------
lngnmn
Time to get funds for 443 port vpn startups. ;)

Hint: TLS encrypted traffic following an appropriate browser-style handshake
cannot be distinguished from "legitimate" https.

~~~
kbaker
Yes, it can. By watching the size and timing of flows with 'regular HTTPS'
traffic vs 'VPN HTTPS' traffic, it can be distinguished.

~~~
Ajedi32
So write a program that emulates 'regular HTTPS' traffic patterns. On the
technical side of things, I'm pretty sure the VPNs have the upper hand in this
game of cat and mouse.

~~~
dylz
GFW does not just inspect traffic, it actively probes server IP:ports looking
for its responses, can replay packets you sent legitimately, and can
impersonate IP addr behind GFW.

As in, it is not only a passive observer periodically resetting connections,
it will also make its own to test the waters

~~~
ticoombs
I would love to see a write up about that. Got a source?

~~~
jitl
Here's a few that I dug up from 15 mins of googling:

- In-Depth Analysis of the Great Firewall of China. Has other good sources at
the bottom:
[http://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf](http://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf)

- How China is Blocking Tor:
[https://arxiv.org/abs/1204.0447](https://arxiv.org/abs/1204.0447)

- Summary of "How China is Blocking Tor" from MIT Review:
[https://www.technologyreview.com/s/427413/how-china-blocks-t...](https://www.technologyreview.com/s/427413/how-china-blocks-the-tor-anonymity-network/)

