

A look at the inner workings of the Great Firewall of China - hughesey
http://viewdns.info/research/dns-cache-poisoning-in-the-peoples-republic-of-china/?

======
0x12
Here is another look at the inner workings of that marvel of technology:

<http://www.wired.com/threatlevel/2008/05/leaked-cisco-do/>

and

<http://www.nytimes.com/cfr/international/slot1_021606.html>

If China got their gear through shell companies in the West, that would be one
thing, but to find outright proof that Cisco (and Juniper Networks) knew the
destination of the hardware they sold and were cooperating with the Chinese
authorities on this is unforgivable.

Their excuse is that 'other companies would do the same thing if they didn't
do it'.

Selling hardware with deep packet inspection capabilities to repressive
regimes should be against the law.

And maybe DPI should never have been added as a feature to begin with; the
downsides of a feature like that are much larger than the upsides.

~~~
smutticus
I've been involved in conversations with ISPs in different countries who are
required by law to intercept their customers' traffic. On one particular
occasion I remember being told by an ISP in Germany that they wouldn't buy
from us unless we developed a feature that allowed them to snoop on their
users. It's called 'lawful interception'.

We developed this feature and sold them equipment. Am I a bad person? Where do
you draw the line?

ISPs all over the world are looking at their users' traffic. Some of them are
doing it nefariously while others are being required by law to do so against
their will. It shouldn't be the job of a vendor to determine right from
wrong.

Before you go condemning networking vendors think about weapons manufacturers.
American companies routinely sell guns to countries that use them against
their own citizens. And nothing comes of it.

~~~
0x12
> Before you go condemning networking vendors think about weapons
> manufacturers. American companies routinely sell guns to countries that use
> them against their own citizens.

Yes, and that is something that ought to be illegal too.

Whether you're a bad person or not is not for me to say, you can make that
judgment for yourself. Personally I would refuse to build such a feature and
likely it would cost me my job. Then someone else, maybe you, would step in to
do it anyway. So in the end my resistance would amount to 'nothing'. But I'd
sleep a lot better because of that, as long as you don't lose sleep over it
you're doing fine.

We all get to make these decisions on an individual basis.

~~~
true_religion
> Whether you're a bad person or not is not for me to say, you can make that
> judgment for yourself.

If you're not saying that these people are "bad people" then what's your basis
of demanding that their actions be illegal?

~~~
enjalot
Laws aren't always based in morality, even when they align with morals. Even
when a person commits a "bad" act, that does not necessarily make them a "bad
person."

After all, only God can judge them, right? ;)

~~~
awakeasleep
I think it doesn't make them a 'bad person' because people are always capable
of changing (even if it only happens once in a while). And it doesn't make
them a bad person because our actions are mostly a reaction to our
environment, and we don't always have a correct/full view of it to begin with.

So, applying your judgments to a person who reacts to their environment based
on limited information and experiences, and saying they are fundamentally good
or bad may not be totally logical.

Then the saying "only God can judge" means that an omnipotent being, who
perfectly understands everything, is the only being capable of perfect
judgments and certain condemnation or praise.

------
enjalot
First off, I take issue with starting an article by citing an emperor from
over 2000 years ago to bolster a claim about a modern government.

That said, my brother is in China now, and I set up a squid proxy for him using
AWS (in Singapore). Unencrypted, it does no good; Facebook and YouTube actually
cause the proxy to stop working for him briefly (without a proxy it's a
coin flip whether they will load or not).

So he just sent me a public key so I can set up an SSH tunnel. That should do
it; too bad it's impractical to set up 1 billion+ SSH tunnels for the citizens
over there!

~~~
pyre

> ...emperor from over 2000 years ago to bolster a claim about a modern
> government.

It may be specious reasoning, but I read justifications for a number of things
coming out of China that appeal to their long history. E.g. Country X was part
of China X hundred years ago, therefore it has always been a part of China and
we are just reclaiming what is ours.

~~~
enjalot
That is fair too; China has more history than any other country, and only a
few cultures can claim to be as old.

When asked about democracy, most Chinese I have spoken to refer to their last
hundred years of history, which is filled with all kinds of turmoil. When
thinking of managing a billion people, stability is an easy concept to appeal
to.

~~~
tokenadult
_China has more history than any other country_

No. That would be Iraq or Egypt. Writing was invented much earlier in the
Fertile Crescent and in the Nile Valley than in China.

<http://oi.uchicago.edu/OI/MUS/ED/TRC/MESO/writing.html>

It always jars me (I was a Chinese major as an undergraduate) when people
refer to "5,000 years of Chinese history," because that is wrong by 2,000
years. China only has 3,000 years of history, and the actual history of China,
as for most countries, includes accounts of pre-historical legends that go
back before accurate, recorded history.

It is correct (other comments in this thread) that Chinese political
philosophers mostly came up with rationales for strong central authority
rather than rationales for individual liberty like the Greek and Roman
political philosophers, but that was a bug rather than a feature.

------
dongsheng
DNS cache poisoning is one method of performing censorship; however, people
could bypass it by distributing a customized /etc/hosts file. When YouTube and
Twitter were first blocked, that was widely used. Then the people behind the
GFW realized that and deployed keyword detection and IP blocking. Nowadays, to
access the "outside world", Chinese people have to use a VPN or encrypted
proxies.

------
trotter_cashion
I wonder how strategic they're being in their choice of IPs returned. Sending
a large number of invalid requests from IPs all over China to foreign servers
could help in masking their hacking attempts against those servers.

------
moonlighter
In the end, it won't matter whether the Chinese Communist Party controls
routers and deploys DPI scans. It's irrelevant, because lasting change usually
comes from WITHIN. In the not too distant past, East Germany suffered a
similar fate; people couldn't receive western airwaves, phones were monitored,
mail got searched... the 'Stasi' had almost 'the perfect control' setup. And
they still collapsed. _From within_. Ditto for the new Arab Spring. It's just
a matter of time.

------
vjeux
Can they use Google Public DNS to avoid this issue?

<http://code.google.com/speed/public-dns/>

~~~
Karunamon
No, because it's not that Chinese DNS servers are returning bogus data, it's
that the DNS servers are returning correct data, which is being modified
before it gets to you.

You could point your system to Google DNS (assuming for a moment that it isn't
blocked, which it is), but then your DNS results would still be twiddled in
transit.

------
leonlee
Does this mean that you can still browse websites like Facebook or Twitter by
directly typing in the IP address?

------
danbmil99
Can someone speak with authority as to how easy it is (or isn't) for tech-
savvy Chinese to get around the GFOC, and what techniques are used?

~~~
IsaacL
The most common methods are using web proxies and VPNs. Web proxies usually
get blocked fairly quickly, whereas VPNs normally cost money. I don't know
what you mean by "tech-savvy" but both are widely used by ordinary citizens.

