
How I got through Docker's censorship - rcarmo
https://www.parhamdoustdar.com/2016/05/15/how-I-got-through-docker-censorship/
======
Kiro
> I am a completely blind back-end programmer

So not only does he have to deal with the ridiculously hostile environment of
being a programmer in Iran, he's also blind. That truly gives some perspective
on things.

~~~
parham90
Haha yes. Though being a blind programmer is not that bad; being in Iran is
why I am trying to find a job in another country and relocate.

~~~
anentropic
I sincerely wish you the best of luck!

------
asadlionpk
It boils my blood when a harmless fellow developer faces trouble due to
political mess created by dumb people.

~~~
lambdadmitry
I don't think it's that simple.

Let's perform a gedankenexperiment. There is a country A that "misbehaves" —
e.g. threatens its neighbourhoods and promises to hit them with nuclear
weapons ASAP (in other words, promises nuclear offense). Quick note: in this
context "country A" means "government of country A". There is also a country
(or an alliance) B that is overwhelmingly more wealthy than A, has more
military might and political power. What do you think B should do? Here are
the options:

1) ignore A until it directly threatens B;

2) use B's military, crush A's government, help A's people to rebuild the
country;

3) apply political and economical pressure to A, which in practice means "make
A citizens' life miserable so they deal with A's government themselves". It's
sometimes possible to apply the pressure selectively (e.g. to A's elites).

I agree with you that it's a morally ambivalent situation. However, I strongly
believe that an embargo (including a "digital" one) causes fewer casualties than
"boots on the ground". Moreover, democracies don't fight each other, so in
this scenario A is (most likely) a dictatorship. Dictatorships are bad and I
believe that wealthy countries _should_ care about the long-term wellbeing of
citizens of other countries, at least out of their own self-interest. Your
opinions may differ, but it would be wrong to brush off the whole issue with
"political mess created by dumb people".

~~~
perakojotgenije
As someone growing up in a country that was under an embargo (born in '75 in
Yugoslavia, spent my teenage years in 90's Serbia, under Milošević's rule) and
having seen it firsthand, I can tell you that it never hits the ruling class
and politicians - it only hits the common people - the poorer you are, the
more you will feel it. Politicians and the rich people around them find a
way to bypass it.

During those times both my parents had small private firms and were
trying to make ends meet, which was difficult enough with the collapsing
economy and inflation, and having no political connections with the ruling
class (they despised Serbian nationalism and were active in the
then-opposition parties) sure didn't help them.

The one occasion I will never forget is when my parents decided to go to
Hungary to try to buy some glazes for my mother's pottery shop. They would've
bought some 20-30 kilos, smuggled it in our car, and that would've been enough
for the next few months. When the shopkeeper in Hungary heard they were from
Serbia he decided that he wouldn't want to sell them anything because "embargo
and war and stuff", and so my parents came home empty-handed. They came to the
shop as private individuals and must have mentioned briefly where they would
be taking the merchandise (they both spoke Hungarian), but the shopkeeper kept
looking at them as if they were personally responsible for all the things that
were going on in Bosnia at the time. We didn't have to close the shop; a few
weeks later they found another supplier and bought from there, but it really
left a bitter taste in their mouths.

(shameless plug: this is now my brother's pottery shop; he inherited it from
our mother, who passed away 6 years ago. This is a small promo video he did
some time ago)

[https://www.youtube.com/watch?v=hD-bREcrLEQ](https://www.youtube.com/watch?v=hD-bREcrLEQ)

~~~
lambdadmitry
Yeah, I see what you mean and I know the feeling [1]. However, I think in the
end the suffering becomes associated with the government anyway, so _in the
long term_ the strategy works. Here is some anecdotal evidence: current
sanctions against Russia are precisely targeting companies that belong to
elites. However, the Russian government imposed an embargo on European food
producers, in effect imposing self-sanctions on a wide population (food became
a lot more expensive and really crappy here). They also managed to associate
rising food prices with Western actions in the public eye, a stunt that
worked really well, at least on my parents and my friends' parents. However,
now (after a year and a half) the propaganda is starting to wear off and people
are becoming really unhappy with the government itself, despite their "rational
understanding" of who's responsible for their troubles (the West). So yeah,
it's a long game, but I can see the point of it.

The video is great, I wish best luck to your brother and his business!

[1]: I'm Russian and there is a ton of shit going on [in/because of] my
country and a lot of people are unhappy about it (Ukrainians in particular).
The issue is morally complicated AF and is closely related to the concept of
collective responsibility, which isn't clear-cut either. Personally I
decided that it's wrong to completely separate myself from the actions of my
govt (I know I could do more to prevent its misdeeds), so I feel some guilt
about it and acknowledge when people have prejudices about me. Fortunately,
most people (even more amazingly, most Ukrainians, despite all the shit
Russia did to them) are nice and friendly when they see I don't consider it
appropriate to snatch chunks of a neighbour's land.

------
wtbob
'Censorship' is the wrong word: Docker isn't censoring information, but rather
refusing to do business with Syria, Cuba, North Korea & Iran. I expected this
article to be about Docker censoring items it serves.

~~~
parham90
Yes. I'm sorry for the confusing title. This has been pointed out to me and I
agree. The reason it hasn't been changed is because it would change the
permalink.

Sorry for not giving you the information you were looking for.

------
unlinker
Censorship sounds like an inadequate term here.

~~~
paride5745
Agree.

Digital embargo is more appropriate IMHO.

~~~
parham90
Great suggestion. I'm debating whether to actually change it, but it'd end up
not matching the permalink. Hmm.

------
zwischenzug
Isn't this to comply with US law? Why blame Docker for that?

~~~
zodiac
He didn't blame Docker

~~~
zwischenzug
The title is 'Docker's censorship', which is misleading. It's not Docker's
censorship, it's US state censorship.

------
theFlowState
Can someone not get in touch with this gentleman and just offer him a job
already? Beyond his obvious technical knowledge and analytical approach to
things, read through the comments here and you'll see a person who is
levelheaded, humble, and seems genuinely happy to foster discussion with
likeminded people. I wish I were a hiring manager at my company, but someone
out there has to be. Snap this guy up before someone else does.

~~~
pjc50
Sure, but does he want to emigrate and do you want to go to the trouble of
getting him a visa?

~~~
parham90
> Sure, but does he want to emigrate?

I'd love to. This is a dream that I'm striving for.

> do you want to go to the trouble of getting him a visa?

Now, that'd be a tough one for anyone to answer.

------
K0nserv
I've been using Freedome[0] for a few months now and I am really liking it.
While I don't use it to escape censorship and digital embargos it's adequate
for such purposes too. You can pick from exit IPs all over the world and
easily switch it.

I run all my traffic through Finland usually because they have fairly strong
data protection laws, especially compared to the UK where I live.

It's also a nice way to get around traffic shaping and other invasive measures
from your ISP. During peak hours I have better speeds for Netflix and the
likes through Finland than without VPN.

0: [https://www.f-secure.com/en_GB/web/home_gb/freedome](https://www.f-secure.com/en_GB/web/home_gb/freedome)

~~~
parham90
Wow, so much awesome software. You'd think that as someone who has used VPNs
since the day he first connected to the Internet, I'd know all about these
things! :-)

Thanks a lot! I'll definitely try this one out!

------
neopallium
I have found using ShadowSocks [0] to work best for me here in China. VPNs
create one connection for all traffic (which is easier for China's GFW to
detect/block/slow down). ShadowSocks creates a new TCP/UDP connection for each
connection that it proxies.

My setup:

Cheap VPS server in Hong Kong [1] (5USD/month, 512 RAM, 2Mbit port) running
the ShadowSocks server (libev version). I have upgraded the port to 20Mbits for
an extra 10USD/month. The port could be upgraded to 50Mbits for 25USD/month.

For DNS I use ChinaDNS [2] to automatically filter out bad DNS results from
China's censorship. It works by sending DNS queries to multiple DNS servers
at the same time (give it a few local DNS servers and foreign DNS servers).
The foreign DNS connections are tunneled through ShadowSocks.

ShadowSocks can work as a Socks5 proxy, tunnel or transparent proxy [3].
Socks5 is the easiest to use and can even do DNS lookups on the server. I use
the transparent proxy [3] option, since it allows selecting which traffic
should go over the proxy.

The socks5 option will try to proxy localhost & LAN connections to the proxy
server.

An optimized list of subnets can be generated using bestroutetb [4]. I load
the subnets for China (and private LAN) into an ipset hash and use iptables
rules to exclude those subnets from going over the proxy.

ChinaDNS [2] and bestroutetb [4] could be used for VPNs too. This could be
used when trying to access different services (US, UK, etc.) that don't allow
access from outside their country. Use one VPN for US and another for UK, then
use bestroutetb [4] to build subnet lists for each country and route traffic over
the correct VPN.

0\. [https://shadowsocks.org/](https://shadowsocks.org/)

1\. [http://www.36cloud.com/](http://www.36cloud.com/)

2\. [https://github.com/shadowsocks/ChinaDNS](https://github.com/shadowsocks/ChinaDNS)

3\. [https://github.com/shadowsocks/shadowsocks-libev/blob/master...](https://github.com/shadowsocks/shadowsocks-libev/blob/master/README.md#advanced-usage)

4\. [https://github.com/ashi009/bestroutetb](https://github.com/ashi009/bestroutetb)

edit: fix formatting and port prices.

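The two decisions in the setup above (throw away DNS answers that look injected, and send only non-domestic destinations through the proxy) both hinge on one subnet table. The following is an added example that models that logic; it is not ChinaDNS, bestroutetb or shadowsocks code. It assumes a short, constructed "domestic" subnet list standing in for the bestroutetb output (plus the private LAN ranges the post also excludes), a constructed set of known-bogus answer IPs, and answers represented as simple records; all addresses are from RFC 5737 documentation ranges.

```python
"""Simplified model of split-resolve / split-route filtering.

Added example, not ChinaDNS/bestroutetb/shadowsocks code. Assumptions:
  * DOMESTIC_SUBNETS stands in for the generated chnroute-style list plus
    private LAN ranges (constructed values, RFC 5737 / RFC 1918);
  * BOGUS_ANSWERS is a constructed stand-in for a list of known injected IPs;
  * answers are (resolver_is_domestic, ip) records, one per resolver reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "route directly" table: domestic prefixes and private LAN.
DOMESTIC_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("192.0.2.0/24", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed set of answer IPs known to be injected rather than real.
BOGUS_ANSWERS = {ipaddress.ip_address("203.0.113.7")}


def is_domestic(ip: str) -> bool:
    """True if ip is inside a subnet that should bypass the proxy.

    A linear scan is fine for a handful of prefixes; an ipset hash:net or a
    prefix trie does the same lookup for tens of thousands of them.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DOMESTIC_SUBNETS)


@dataclass(frozen=True)
class DnsAnswer:
    resolver_is_domestic: bool   # reply came from a local (untunnelled) resolver
    ip: str                      # the A record it returned


def filter_answers(answers: List[DnsAnswer]) -> List[DnsAnswer]:
    """Drop replies that look poisoned, keeping domestic-resolver replies first.

    Rule 1: a known-bogus IP is never accepted, whoever returned it.
    Rule 2: a domestic resolver returning a non-domestic IP is treated as
            injected (a forged reply tends to arrive before the real one),
            so the reply from the tunnelled foreign resolver is used instead.
    Foreign resolvers are reached through the proxy, so their replies are
    kept unless the IP is known-bogus.
    """
    kept = []
    for a in answers:
        if ipaddress.ip_address(a.ip) in BOGUS_ANSWERS:
            continue
        if a.resolver_is_domestic and not is_domestic(a.ip):
            continue
        kept.append(a)
    # Prefer a surviving domestic-resolver answer: it is usually the nearer CDN node.
    kept.sort(key=lambda a: not a.resolver_is_domestic)
    return kept


def resolve_and_route(answers: List[DnsAnswer]) -> Optional[Tuple[str, str]]:
    """Pick the first surviving answer and decide its path.

    Returns (ip, "direct" or "proxy"), or None when every reply was dropped.
    """
    kept = filter_answers(answers)
    if not kept:
        return None
    ip = kept[0].ip
    return ip, ("direct" if is_domestic(ip) else "proxy")


# Constructed sample: three replies for one foreign hostname, in arrival order.
SAMPLE_FOREIGN_SITE = [
    DnsAnswer(True, "203.0.113.7"),     # injected bogus reply, arrives first
    DnsAnswer(True, "198.51.100.9"),    # domestic resolver, foreign IP: poisoned
    DnsAnswer(False, "198.51.100.10"),  # foreign resolver over the tunnel
]

# Constructed sample: both resolvers agree on a domestic hostname.
SAMPLE_DOMESTIC_SITE = [
    DnsAnswer(False, "192.0.2.5"),
    DnsAnswer(True, "192.0.2.5"),
]

if __name__ == "__main__":
    print(resolve_and_route(SAMPLE_FOREIGN_SITE))   # ('198.51.100.10', 'proxy')
    print(resolve_and_route(SAMPLE_DOMESTIC_SITE))  # ('192.0.2.5', 'direct')
```

The same `is_domestic` test is what the ipset match in the iptables REDIRECT chain performs in kernel space; here it is done once per answer so the routing decision and the poison check cannot disagree about what counts as "domestic".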
~~~
lucaspiller
As someone who is pretty much oblivious to how the censorship works in China:
Why do you use such a slow and expensive VPS, and why Hong Kong?

~~~
eric-hu
I'll take my best shot at guessing his answers. The Great Firewall employs
many techniques for censorship. The simplest block sites and poison your DNS
cache. HTTP packets are inspected to deterministically decide whether to
block a connection.

HTTPS is an improvement, but they still use machine learning to make estimates
on the encrypted contents of packets. If packets going to and from a location
(i.e. your VPN server) meet some criteria with some confidence, they perform
attacks on that connection and subsequent connections to the same endpoint.
I'm not sure on the specifics, but these attacks will cause ~90% of that
connection's traffic to drop. The system is dynamic, so your countermeasures
have to be as well.

I'm guessing HK because it's physically and politically close. It's considered
Chinese territory, but not under China's GFW. I've heard from friends that GFW
censorship is more aggressive around sensitive times (i.e. Tiananmen square
anniversary) and news.

If any of this is wrong or inaccurate, someone please correct me. I'd love to
have a better mental model of the GFW so that I could better work remotely
from there.

~~~
neopallium
I have read that the GFW will also try to fingerprint a server if packet
analysis shows that it might be a VPN.

VyprVPN has a stealth protocol (Chameleon) which tries to obfuscate the VPN
connection to make it look like other types of connections. Other VPN
providers might be doing the same thing.

When I first came to China about 3 years ago, I tried using a VPN service but
it wasn't reliable and connecting was always slow. So I tried running my own
OpenVPN server on a VPS in HK (different provider [0]).

What I found at that time was that the GFW seemed to detect the VPN's TLS
connection and delay some packets, which caused the connection setup to
time out. I even created my own obfuscating TCP tunnel (written in Lua) and
tunneled OpenVPN through that. The obfuscation made OpenVPN work much better.

I still had latency issues when doing a long download. I later found out that
the latency issue was caused by my VPS provider having a 2Mbit bandwidth cap
on traffic to China from the server (they don't say anything about this limit
or how much it would cost to raise the limit on their website [0]). Also I found
that if I applied the 2Mbit rate limit on the VPS server, then latency didn't go
sky high (slowly growing to 10 or 12 second ping times before dropping again).
It has only been in the last 3-4 months that I have known about this issue and
moved to a new provider.

I started using ShadowSocks because it uses a protocol that doesn't have any
easy to detect fingerprints (all of the data in the protocol is encrypted), so
it doesn't really need obfuscation to hide the connection from the GFW. Also
ShadowSocks creates many connections (one for each proxied connection), so
even if the GFW delays some of the packets, it will not cause a stall of all
connections.

But I think the biggest thing that I like about ShadowSocks is that it doesn't
need time to set up a VPN connection, the tun0 device and routing rules. So
when my laptop connects to a different WiFi network, everything just works
(except I sometimes need to reset the DNS tunnels, but I could automate the
reset).

0\. [http://www.vpshosting.com.hk/](http://www.vpshosting.com.hk/)

------
lewisl9029
I generally use VPN Gate [1] for all my IP-spoofing needs. The actual VPN
servers are hosted by volunteers around the world.

The client and server software VPN Gate uses is the open source SoftEther VPN
[2], which I also use to host and connect to my own VPN. It's pretty great.

[1] [http://www.vpngate.net/en/](http://www.vpngate.net/en/)

[2] [http://www.softether.org/](http://www.softether.org/)

~~~
parham90
Awesome, thanks! I'll definitely try these out!

~~~
subliminalpanda
If you're up for going the VPS route, there's an awesome project called
Streisand on GitHub that automates the entire process of setting up the server
with multiple VPN protocols as well as Tor bridges:

[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

Good luck!

------
chris_wot
I did this because I live in another country where the U.S. has sanctioned me
from seeing a variety of things I could pay for if I lived in the U.S. -
Australia. I'm just not under a regime that will kill you if they catch you...

Works great for websites, but can SOCKS5 transparently redirect DNS traffic?
In the end I set up an OpenVPN server and set up port redirecting for DNS.

~~~
parham90
Well, I'm not doing anything political, so no one will catch me and kill me.
I'm using it for exactly the same reasons as you, namely that the United
States won't let me view some content, listen to some music and stuff. Even
though I have to pay illegally to access this content (which is when I use my
Canadian IP), I still am paying for them and must be able to use them.

~~~
chris_wot
How do you pay? Credit cards are normally issued from a geographic region and
you need ID to get one in another country due to AML measures...

~~~
parham90
I used another friend's credit card. There are some services here where some
guy in another country who is originally Iranian will charge a fee to take
your Iranian Rials and send them to a PayPal account, or go and pay for a
service on another website on your behalf.

It costs extra money, but oh well. It's better than staying ignorant and not
being able to improve and learn more.

~~~
chris_wot
So I need to convert AUD to USD to Rials and send them to an Iranian guy in
the U.S. to pay for a Netflix account with a third party U.S. credit card and
then figure out how to proxy my way through someone's U.S. Internet connection
via a SOCKS5 proxy.

What could possibly go wrong? :-)

~~~
parham90
LOL!

When you put it like this, it seems very impossible. But I've been doing the
second part of it for two years, so if you need any help with that, just let
me know. Haha.

~~~
chris_wot
Australia has a policy of capturing all metadata from ISPs. I suspect I might
actually be more at risk of getting a knock on the door from our security
agencies than you would be. And if I'm suspected of terrorism I can be held in
jail for seven days without charge on a continually renewing basis.

Don't think I'll risk it :-(

~~~
pjc50
Australia is not going to arrest you for using a proxy, unless you're using it
to do something else illegal. Let's be realistic about the relative threat
level in Australia vs Iran.

~~~
chris_wot
Yeah, because government agencies haven't been worried about Iranian terrorism
in Australia since Man Haron Monis took hostages in Martin Place and a teenager of
Iranian background shot and killed a police accountant in Parramatta last
year.

For myself, I know I'm not a terrorist, but transferring money like that looks
mighty suspicious and it wouldn't be hard for the security agencies to get the
wrong idea. They don't have to prove anything. Just ask Mohamed Haneef whether
they make errors. Mick Keelty refused to even acknowledge the AFP treated an
innocent man very badly. If you think a guy like the head of the AFP is this
incompetent, then you should watch your step if you live in Australia.

It's not like I can defend myself in a court of law now, is it? Terrorism gets
an end run around due process in Australia. And we've already seen how it can
turn out - pretty fucking badly.

------
danpalmer
> A few days ago I got a call from a lady that is studying her Masters degree
> in computer science (can you believe it?)

This comment is not ok.

~~~
realusername
I guess he was probably surprised since ladies doing computer science masters
in Iran must not be that common I guess. I understood it this way.

~~~
parham90
Exactly. I changed the article to better reflect these though. I'd personally
get offended if someone actually meant to say something like this, and since I
don't want people to think I'm making such a ridiculous statement, I edited
the text to clarify.

~~~
lambdadmitry
You are amazingly considerate and polite. It's very refreshing to see civil
replies like this. Thanks a lot!

~~~
parham90
And you're surprisingly smart, which you demonstrated through your
gedankenexperiment. I'm glad that writing about my experiences has allowed me
to read one paragraph of the thoughts of people so much smarter than me. These
are brief glimpses, but they definitely humble me.

