“Two days ago the police came to me and wanted me to stop working on this” (github.com/shadowsocks)
1543 points by realfuncode on Aug 22, 2015 | 526 comments

I was visiting China recently (my first time there). I thought bypassing The Great Firewall was going to be as simple as an "ssh -D" SOCKS setup, or a "ssh -w" tunnel. Oh boy, I was wrong. If you try this, or even a basic OpenVPN setup, you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out. After some research I read online the government does deep packet analysis and uses machine learning to find heuristics to guess which TCP connection or UDP stream is likely being used as a VPN. When they think there is a high probability a VPN is detected, they simply start dropping all the packets.

Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS). For example, in a traditional HTTPS session, if the client browser downloads, say, a 500kB image over HTTPS, it will send periodic empty TCP ACK packets as it receives the data. But when using a VPN that encrypts data at the IP layer, these empty ACK packets will be encrypted, so The Great Firewall will see the client sending small ~80-120 byte encrypted packets, and will count this as one more sign that this might be a VPN.

That's why people in China have to use VPN tools that most westerners have never heard of: obfsproxy, ShadowVPN, SoftEther, gohop, etc. All these tools try to obfuscate and hide VPNs. I have a lot of respect for all these Chinese hackers like clowwindy who try to escape censorship, as it takes more technical prowess than you think to design a VPN that works in China.
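To make the "encrypted ACK" signal from this comment concrete, here is an added toy model (not code from the thread or from any DPI vendor) of the heuristic: a plain HTTPS download, the same download wrapped by an IP-layer VPN, and the same flow after length padding of the kind obfuscating transports apply. All packet sizes, thresholds and the 96-byte tunnel overhead are constructed assumptions.

```python
import random
from collections import namedtuple
from dataclasses import dataclass

# Constructed packet record: direction is "c2s" (client to server) or "s2c";
# payload_len is the byte count a middlebox on the path would see per packet.
Packet = namedtuple("Packet", ["direction", "payload_len"])

# Size band for a 0-byte TCP ACK once an IP-layer VPN has wrapped it (inner
# headers plus crypto overhead); the ~80-120 byte figure is the comment's.
ACK_BAND = (80, 120)
MIN_SERVER_BYTES = 100_000   # assumed: only bulk downloads are worth scoring
SUSPICIOUS_RATIO = 0.8       # assumed threshold on the ACK-sized fraction


@dataclass
class FlowStats:
    server_bytes: int = 0
    client_pkts: int = 0
    client_empty: int = 0      # c2s packets with no payload: plain TCP ACKs
    client_ack_sized: int = 0  # c2s packets whose length falls in ACK_BAND


def summarise(packets):
    """Collect the per-direction counters the heuristic needs from a packet list."""
    stats = FlowStats()
    lo, hi = ACK_BAND
    for p in packets:
        if p.direction == "s2c":
            stats.server_bytes += p.payload_len
            continue
        stats.client_pkts += 1
        if p.payload_len == 0:
            stats.client_empty += 1
        elif lo <= p.payload_len <= hi:
            stats.client_ack_sized += 1
    return stats


def looks_like_tunnel(stats):
    """True when a bulk download's client side consists almost only of ACK-sized
    encrypted packets, i.e. the empty ACKs have been wrapped by a VPN."""
    if stats.server_bytes < MIN_SERVER_BYTES or stats.client_pkts == 0:
        return False
    return stats.client_ack_sized / stats.client_pkts >= SUSPICIOUS_RATIO


def https_download(size_bytes, mss=1400):
    """Plain HTTPS fetch of size_bytes: one request, then a 0-byte ACK every
    second data segment (delayed-ACK style). Sizes are constructed."""
    pkts = [Packet("c2s", 517)]            # request / handshake, constructed size
    segments = -(-size_bytes // mss)       # ceiling division
    for i in range(segments):
        pkts.append(Packet("s2c", mss))
        if i % 2 == 1:
            pkts.append(Packet("c2s", 0))
    return pkts


def vpn_wrapped(packets, overhead=96):
    """The same flow seen from outside an IP-layer VPN: every inner packet, empty
    ACKs included, becomes one encrypted packet. 96 bytes of headers plus crypto
    overhead is an assumed figure that lands an empty ACK inside ACK_BAND."""
    return [Packet(p.direction, p.payload_len + overhead) for p in packets]


def length_padded(packets, low=200, high=1200, seed=1):
    """Toy length obfuscation in the spirit of the obfuscating transports the
    comment names: pad each client packet to a random size so the ACK-sized
    band no longer stands out. Fixed seed so the result is repeatable."""
    rng = random.Random(seed)
    return [Packet(p.direction, max(p.payload_len, rng.randint(low, high)))
            if p.direction == "c2s" else p
            for p in packets]


def classify(packets):
    """Convenience wrapper: 'tunnel' or 'benign' verdict for one flow."""
    return "tunnel" if looks_like_tunnel(summarise(packets)) else "benign"


if __name__ == "__main__":
    plain = https_download(500_000)        # the 500 kB image from the comment
    print("plain HTTPS        :", classify(plain))
    print("HTTPS inside a VPN :", classify(vpn_wrapped(plain)))
    print("VPN + length pad   :", classify(length_padded(vpn_wrapped(plain))))
```

The padding defeats this one signal at the cost of upstream bandwidth; a real classifier would combine several such features, which is why the tools listed above obfuscate more than packet length.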

I am in Iran, you cannot believe it, same here. They use deep packet inspection too; they will shut every packet down. Every OpenVPN, Cisco VPN, etc. connection will lose connection every 2-3 min. Connection to the outside web is almost impossible.

I have noticed they have multiple situations: for example, when everything's quiet the internet is not so bad (despite the fact that bandwidth is extremely low for a huge number of people), but when some news comes out about government corruption, guess what? Some VPNs do not work. In the 2009 Green Movement they closed every HTTPS connection (maybe that was a red-alert situation).

P.S.: https://en.wikipedia.org/wiki/Deep_packet_inspection

P.S.: I use a VPS from the Netherlands for bypassing the firewall, but it takes a huge amount of time and a little money. But the point is 99.999% of people don't have this option (I use shadowsocks, sometimes other tunnels), so they use the internet the way it is, or some software like Freegate and others, but with extremely low speed and unbearable lag.

P.S.: PPTP, L2TP and others are closed right now. Even President Rohani couldn't manage the situation. I have heard he did want to do something but the supreme leader and his people stopped him.

A few years ago I had a friend visiting Iran who wanted unrestricted access to sites. I didn't have any personal Linux servers on the internet at the time, but I did have a Windows one with Remote Desktop licenses.

It turned out that RDP actually worked pretty well. I did hesitate to post this in case it's seen by the wrong people(!), though given it's a while since it was necessary to use, it may be blocked by now anyway.

I wonder if it was available because it was relatively little known and, if so, what other little known protocols might be available.

Sadly, with RDP you cannot have the same experience. It is not about 1 or 2 sites; for example, for me, my VPN connection is always on because there is no internet without it. But with RDP, logging into another machine, with all the lag you see, is almost impossible, at least for a power user like me who most of the time has 50+ tabs open in Chrome on sites like YouTube, Android dev docs, etc.

You can RDP into a machine and use the browser there.

But you have to send a packet every time the remote screen changes. It is much more demanding on network resources than a VPN and thus will be more difficult to use on a daily basis.

Why not have a local cache like wwwoffle (someone has to reimplement such a thing) or Squid? That way you won't need a connection just to browse a bunch of (mostly static?) HTML pages... just sayin'.

You can get arrested for hosting illegal web content. All public facing servers in China must be registered at the government, or they can get raided.

I'm not sure but I suspect that they got the technology (hardware and software) from China too.

As a Chinese netizen I don't know if I should be proud that we have world-class advanced technology or be ashamed. Possibly ashamed.

Allegedly it's mostly or at least originally Cisco's technology: https://insidersurveillance.com/cisco-huawei-and-semptian-a-... .

At first China also used Cisco's stuff, but soon they couldn't keep up with the requirements of the Chinese govt. After that a man usually criticized as "the father of the GFW", FANG Binxing, came up and built more powerful censorship hardware and software for the govt at Beihang U. It is said that they now use supercomputers to parse, analyse and block (and even inject, remember GitHub?) all packets going through the Chinese network boundary.

Oh I just gave away so much secret. I'm so doomed. Everything above is just made-up stories. Don't believe me. Don't track me down. Please.

There's one mistake in your statement. It's at Beiyou U that Fang Binxing got all those things done.

It is not a secret at all....

And let's not forget BlueCoat.

These are our colleagues designing and implementing these tools of oppression. We should ask them why they exercise their talents in this way.

"Of the ten conflicts in human history with the highest death tolls, five were civil wars in China.

Chief among these was the Three Kingdoms War when up to 40 million are reckoned to have perished in military operations and from the destructive consequences of warfare. This is an enormous number, considering that the global population at that time is unlikely to have exceeded 400 million. More recently, the Taiping Rebellion claimed more than 20 million lives while the civil war that brought the Communist Party to power resulted in 7.5 million deaths, over and above the 20 million estimated to have been killed in the roughly contemporary Japanese invasion.

This is not the history we were taught at school but Chinese leaders are well aware of these facts.

When disorder breaks out in China, things turn very nasty indeed.

It is best, therefore, to avoid disorder at almost any cost."

That is why.

Or would you prefer to have China descend into the chaos of Rwanda or Sudan?

Wait, I may be misunderstanding your comment, but are you saying you support censorship by the Chinese government on the basis of some paternalistic "those dang Chinese can't handle themselves and start a-killin' if they get to know too much, so it's better to keep them in the dark"?

Also, when quoting large blocks of text it is usually helpful to source that quote.

Oppression causes civil wars.

If they are using oppression to avoid disorder, they had better have a long-term plan. Otherwise they are digging their own grave.

Not many people fear chaos in the USA, and not because they have the best firewall.

Millions of doomsday preppers may disagree.

> Millions

There are not millions of doomsday preppers in the US. And their obsession is not representative of public will or sentiment.

The comment you're replying to said:

> Not many people fear chaos in the USA, and not because they have the best firewall.

So you seem to be saying that if the US had a Great Firewall the nutjobs who spend half their salary on underground bunkers and armament wouldn't. That's a pretty silly argument.

Well, thousands anyway.

Historically, I believe it would be much more accurate to say that opportunity creates civil wars. People start wars because they think they can win.

Incidentally, in most of those Chinese conflicts (4 out of 5 I believe), they were right. Many other wars were similar: they start with "immigration", numbers increasing, conflict, open conflict (and mass death), repression (of the losing side). Extermination is often tried but rarely succeeds. Well, it succeeds in causing mass death, but it doesn't succeed in the sense that extermination is the result.

Good statement so far. But wait... do you assume that censorship could cause another civil war or could avoid another civil war? And where is your reasoning or evidence?

It doesn't take much to motivate someone to do it. A paycheck is enough 99.99% of the time.

They probably appreciate having their family alive... or something. It'd be better if our colleagues who don't have their hands and relatives tied created and proliferated liberating software.

Are you saying that Blue Coat (based in Sunnyvale, California) develops censorship tools in order to keep their family alive? Who is threatening them?

I propose proud of the technologists, ashamed of the political system :)

Be sure soon the dev will be cordially invited to write the deep inspector for that VPN if it ever leaves the ground.

And I wonder if filling in the Apple form helped them find him or it was just bad timing.

I heard rumors that before Halal Internet was launched the censorship of Iran was relegated to Huawei, the same company that builds and maintains the Great Firewall...

Yes, I have heard it too. The halal internet is not going to launch, because Rohani does not believe in it and tries to postpone it every year (maybe they have technical issues too, I don't have information). All military sites have Ethernet and connect to each other with it.

Wish you all the best. I pay $5 for a DigitalOcean droplet to provide my family in Iran with an OpenVPN connection. This works quite well, we do not have any issues so far.

I have a friend in Iran and I let him use one of my servers as a proxy using the ssh -D flag. This has been working well so far as I know.

In my experience ... spending a lot of time working in China ... most people use Astrill or ExpressVPN. I'm surprised no one has mentioned them here yet. They own the VPN market in China. Almost every senior developer I've met here subscribes to one or the other -- with Astrill being far ahead in terms of user base. They both champion their "stealth" options and other than the odd day you don't really notice the GFW.

Pretty much all the ISPs sell "international lines" as well. But only as part of their business packages. Usually it will run for about US$1k/mo - US$3k/mo with minimum 1-2 year contract for their "starter" package. Most tech companies in my area have them; they work very well. Essentially they are a hardline to Hong Kong and they ration out to subscribers.

The key thing to understand about the GFW is that it's not about general censorship of the population. Frankly the government doesn't care if someone who is middle class, i.e., invested in the status quo, gets around the GFW. They are more concerned about conservatives in lower classes trying to organize to stop the move towards capitalism. And it's mostly about protecting the market now so local companies can get access to these lower classes as their position improves and they join the middle class.

I don't understand, who can afford US$1000 per month? I'm assuming only medium-large businesses, so do they divide up these "international lines" among their employees or something? Can these employees also use these lines at home, or only in the office?

It's for business of course, mainly international companies I guess. Local companies don't need to cross the firewall. Employees can only use these lines in the office. Actually most Chinese are not aware of the existence of the Great Firewall (GFW), really bad.

In the tech field, everyone is very very aware. I can't speak about other fields though. In my experience, pretty much anyone who is middle class or above knows about it. Granted middle class and above is only about 300 million of the almost 1.4 billion people -- so very much a minority. Granted China is huge and I mainly move in tech circles so YMMV.

It's not just international companies. Chinese companies are all about going overseas now. China is now a net exporter of investment. Plus it seems every company with an app that has a moderate amount of success wants to reach Chinese outside of China -- they have more money -- and so need to integrate with blocked services like FB. And exporting Chinese online games to other developing nations is really taking off.

Thanks for your info. As a graduate student majoring in civil engineering in China, people around me come across the firewall when they need Google Scholar, which is rare also. Sometimes they come to me for help to get access to sites like Google Scholar. But, believe me, they don't care about what the GFW is or anything about the censorship. Yes, Big Brother is watching and they want to be good netizens. Traditional industries like CE don't depend on the internet much, so the GFW does not have much influence on them. Even for programmers in internet companies, I doubt the proportion of people with access to the free internet. The above is based on personal experience and may not be that precise. Things are complicated in China anyway.

As an undergraduate student majoring in software engineering in China, I'm interning for a foreign company and we have access to free internet through proxies. And in my experience, most programmers regard free network as a necessity. And for people in large cities, it is true that they don't actually care about GFW, but I think many of them are at least aware of the existence of it, and sometimes break through it out of curiosity.

Yes, Astrill and Express VPN have been popular in China. But probably because they are too well-known, their services are not totally reliable. Instead, some smaller VPN providers now offer better services. Check out this test result: http://www.vpndada.com/best-vpns-for-china/

I visited your page expecting to see details of a testing methodology, along with results for a number of providers. However, the information you provide is no better than that provided by friends' anecdotes.

"Reason for Recommending: Reliable connection, fast speed. Fast customer support."

What do you mean by 'reliable'? What do you mean by 'fast'? Are you talking about latency or throughput?

"Reason for not recommending: sometimes hard to connect"

How many times out of ten? Using which VPN protocol(s)? Was this using PPTP, or OpenVPN over stunnel?

I run my own VPN servers (for myself and friends) but of course there is some ongoing maintenance effort to add new servers to replace those for which latency and/or throughput have declined. If there were a site with specific data about different companies' performance (over time), that would help me to decide whether it's still worth the effort.

I've had almost the opposite experience. VPN sort of worked, but I could not open a single HTTPS connection. The VPN problems I had I could trace to a bad WiFi connection (I had to lower my MTU and it worked fine).

Now, on previous trips I experienced what you mentioned. It seemed really like there was some machine learning going on, and after using a VPN for a while the connection would get bad. But I guess it might not be machine learning, there might just be a huge number of humans watching your traffic - which would explain why it is so inconsistent.

The thing that worked best for me is just using ssh -D (on most days). Our workplace uses ssh a lot for secure communication with outside china, so that couldn't possibly be blocked without hindering our work (and I believe 'they' have no interest in that). So whenever I had to access something for work that was sillily blocked (argh gmail), I just used the ssh connection that was open anyway.

Actually this is the classic daily life of a Chinese netizen: you are never quite sure what the cause of your network woes is (not without spending time digging into it). Is it due to ISP QoS, or is it reset by the GFW, or is it just mere network failure?

And what most ppl do when facing this? They choose a local service instead of Twitter, Facebook, Youtube, Google. See, censorship is only a part (though a vital part) of the grand scheme.

This is a great talk about some of the methods China and other governments use to block the Tor network: https://www.youtube.com/watch?v=GwMr8Xl7JMQ

It's a pretty sophisticated arms race that's lead to some cool stuff, notably pluggable transports (like the obfsproxy you mentioned): https://www.torproject.org/docs/pluggable-transports.html.en

Unfortunately the companies that enable this deep packet inspection are often American companies working overseas. My friend who used to work at Cisco said they had internal slide decks about the improvements they could make to the Chinese firewall. Then there's Bluecoat in Sunnyvale (https://www.bluecoat.com/) building the censorship systems for the middle east.

Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in some way, but I think it's wrong.

> Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in some way, but I think it's wrong.

Pursuit of the almighty Free Market without regard for scruples or morality. Basically, public corporations base success only on money. If you as an executive refuse to bow down before Mammon[1,2] then you are replaced by someone who will. See also Charles Stross' excellent Invaders From Mars[3]. The Chinese government and other regimes pay big money for these tools.

[1] https://en.wikipedia.org/wiki/Mammon
[2] https://en.wikipedia.org/wiki/Mammon_%28Dungeons_%26_Dragons...
[3] http://www.antipope.org/charlie/blog-static/2010/12/invaders...

Note: that video is from 2011, and in my experience China's VPN blocking has changed significantly over that time. In 2011, I could use OpenVPN over UDP reliably, as long as I didn't use the same port for every connection. That is no longer the case, and I'm grateful for Shadowsocks as it's easier to set up (both server-side and Android client) than OpenVPN over stunnel.

Very interesting... I was just in China recently and was sshing into a box I had in the states for an impromptu SOCKS proxy. I did notice that things would work fine for up to an hour or so before things started bogging down. I would start seeing "channel x: open failed..." errors. However, closing the session and reconnecting would fix the problem... until it started lagging out again.

I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections. The internet situation was barely tolerable for a few weeks stay; I can't imagine what living in these conditions 24/7/365 is like.

I'm always brought up short when someone says/writes "24/7/365" because it really doesn't make sense.

"24/7" means 24 hours a day, seven days a week.

"24/365" means 24 hours a day, 365 days a year.

"24/7/365" means 24 hours a day, 7 days a week, 365 weeks a year?

I know, I know, it's become an idiom, and it's like "I could care less", and you can't try to understand it except as an atom that carries a meaning, but it just looks wrong to me.

Sorry - I'll now return you to your regular programming.

As an expression of time, its origin is a relation to business hours. 24 hours is "we don't close overnight." 7 days is "we don't close on weekends." 365 days is "we don't close on holidays." Those are the standard periods of unavailability.

If the sole holiday were a single Golden Week sometime in the year, the idiom may indeed have been "24/7/52", but holidays are simply scattershot like that.

The slashes aren't maths operators, they're language/grammar/shorthand. The lexeme as a whole is merely a mnemonic for the longer phrase: "24 hours per day, 7 days per week, 365 days per year."

It's not that the individual segments relate to each other. Rather they answer three sets of questions:

What are your daily hours? All of them. 24 hours / day.

What weekdays are you open? Again, all of them. 7 days/week.

What holidays do you observe per year? None, we're open 365 days/year.

Since there's rarely a monthly cycle to business closings and there aren't a standard number of days per month, that's elided.

It also helps to realize that human timekeeping is really based on three independent phenomena which are utterly unrelated. There are day-based units: seconds, minutes, and hours are all subdivisions of the period of rotation of Earth about its axis.

The month is based on the Moon's orbit about Earth. That it is roughly 30 days is a notional convenience, similarly its rough divisibility by 4 into 7 day periods. The week is entirely synthetic (though profoundly persistent).

And the year on Earth's orbit about the Sun. Again, relationship to days and months are entirely arbitrary.

That's why it often seems time units are arbitrary. They are.

There's a brief book which lays this out and traces the calendar through time, The Seven Day Cycle.

24/7/365 is dead. Long live 24/7/52!


  7 *days* per *week*
  24 *hours* per *day*
  365 *days* per... *year*
Why you'd read that as 365 weeks per year I'm not sure, because there's no pre-established convention that would lead you to interpret it that way (both 24 and 7 would have to be "per week"), and most people know there are 365 days in a year.

Just trying to help. ;-)

But it doesn't make sense to say:

  24 hours a day, 7 days a week, 365 days a year.
That just really doesn't make sense at all. I know what the numbers mean, and are for, but if someone is saying every hour in the year, to say 24/7/365 is just nonsense.

Of course, this is a losing battle. People just don't care if what they say makes sense, they just say stuff and assume that people will understand. This is one of the things that makes language bizarre, miraculous, infuriating, and impossible to analyse. I note examples like this because they are caltrops on the road for NLP.

They are all relative timeframes by which a store may be closed; certain hours during the day, certain days during the week, and certain days during the year. Your inability to make sense of it doesn't affect the rest of us. It's like a creationist saying evolution doesn't make sense to them: at some point it is the result of a willful ignorance that you are bragging about. It doesn't make for very interesting trolling.

  > They are all relative timeframes by which
  > a store may be closed; certain hours during
  > the day, certain days during the week, and
  > certain days during the year.
Huh. That's a way of interpreting it I'd never seen. Thank you.

  > Your inability to make sense of it doesn't
  > affect the rest of us.
No, except that it may help people see that what they think is obvious isn't always obvious to others.

  > ... it is the result of a willful ignorance
  > that you are bragging about.
Well, that's obviously your interpretation, but if others see it that way then it explains the hitherto mysterious yoyoing of points on my comments.

  > It doesn't make for very interesting trolling.
I find it disappointing that you think I'd troll.

> what they say makes sense

I would argue that no single statement can make sense. Sense is made when multiple statements are combined.

It's really all just about appropriate cognitive load. Every statement must be processed and it's great to be as accurate as possible and as accurate as the consensus agrees to.

Anything higher quality than that falls under the category of "great writing," which only a handful of people cherish.

Hey, FWIW, you've completely convinced me to never use this phrase again.

So you read 24/7/365 as 7/24/365? That only makes sense to Americans, I guess.

I agree with the understanding that each segment of 24/7/365 addresses a different possible shutdown condition.

And I'll add that "I could care less" derives from the earlier "I couldn't care less", which makes a lot more sense. See http://blog.dictionary.com/could-care-less/

24/7/52 does seem more logical...

365 means they don't close for holidays. I don't know what 52 would mean.

There's 52 weeks in a year.

24 hours in a day, 7 days in a week, 52 weeks in a year.

What business closes for a week out of a year? Are there businesses which are 24/7/50?

Well, where I work at is 24/7/51.

Interesting, are you in Europe?

UK. Last week of the year (Christmas celebrations and so, you know) this joint shuts down.

Gotcha, here in the US most people will take off that week, but no business would ever shut down entirely for a week. You'd piss off all of your customers and associates. (Which is why American workers hate dealing with ones in the EU, they're always on vacation!)

Whoever doesn't stay home during the Christmas period in the US gets accolades from management, so there's incentive to work if you're career-focused.

> I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections.... I can't imagine what living in these conditions 24/7/365 is like.

In my experience splitting my time between North America and China, the difference is not terribly noticeable once you invest in a solid VPN -- which everyone does.

The network speeds here are generally far better than NA -- in tier 1 and tier 2 cities at least. If you're accessing sites in China, i.e., not going through the GFW, the average is far better than you'd find in the US. However the GFW slows everything down. However, there are a handful of VPN providers that specialize in getting through the GFW: notably Astrill and ExpressVPN. With those on my phone, tablet, and laptop it's easy, you'd never know you were in China -- except the odd day when you have to hunt for a different server. Most experienced developers here subscribe to one of them.

Also, a lot of tech companies subscribe to "international lines". Pretty much all the ISPs offer them to business customers. They are expensive but they work very well. Usually about US$1k/mo to US$3k/mo on contract. The international lines are just hard lines to Hong Kong.

Yea, at my most desperate I wrote a script that opened ~10 connections and kept restarting them and used HAproxy as a frontend. It was maybe helping, but honestly, I couldn't tell. Luckily I discovered shadowsocks soon after that.

Working in such a network 24/7/365 means I have to spend about $90 per year on my VPN service, and keep the VPN connection up all the time when working (otherwise Google and SO will not come to save me from problems).

Were your DNS queries going over SOCKS?

Back in 2006/2007 when I was doing web development, I knew a few people at F5 and Zeus Technology (developers of application firewalls at the time), and they said The Great Firewall was using loads of F5 tech with deep packet inspection for all data.

I assume 9 years later (don't know what the modern tech for web stuff is these days, but I assume encryption plays a key part) they're doing just as intrusive inspection and filtering of data.

> Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS).

In other words, steganography.

How do multinational companies' china offices get through the firewall? For example if my company uses Google apps, how do I ensure that my china office has access?

Pay one of the telcos (i.e. China Unicom) for an MPLS circuit out of the country.

Also, international performance in general can be quite bad at peak times (i.e. 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!

Edit: to add to the grand parent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.

> Pay one of the telcos (i.e. China Unicom) for an MPLS circuit out of the country.

Don't suppose you could explain to us network plebs how that would bypass the Great Firewall?

It's a private network/route with traffic containing nothing but corporate data. Most multinationals facing this situation route out through HK, with a secondary failover usually in Taiwan or Singapore. Works a treat, but is costly and latency can be subpar.

It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers). You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.

Google Apps will drain your battery when they can't access Google's servers. Roaming with a China Unicom Hong Kong SIM card, like the cross border king, will give you GFW-free access.

> Google Apps will drain your battery

Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.

If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.

This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.

I think you can turn this off. My phone has a setting called 'Scanning always available', which says "Let Google's location service and other apps scan for networks, even when Wi-Fi is off.". If I turn off this setting, and turn off wi-fi, then the problem you point out should be avoided, right?

But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn any of those two off, and it works.

Oh. My phone has three options for 'Location mode':

- High accuracy (GPS, wi-fi, mobile)

- Battery saving (Wi-fi, mobile)

- Device only (GPS)

From what you say, it sounds like 'Device only' would save more battery than 'Battery saving'?

How do you setup a routing protocol to do fast failover? Is it easy?

For fast failover, you'd generally use BFD (bi-directional forwarding detection) in conjunction with a standard routing protocol like BGP, OSPF, or IS-IS. It's sufficiently complex to do on a proper networking platform, and even more difficult to do in a general purpose operating system. You can also just use aggressive timeout values with your routing protocol, but failover won't be quite as graceful.

As far as Microsoft office in Beijing, I think they VPN to their Tokyo office first. Their traffic is ensured by negotiating directly with the big telecom company. Disclaimer: I do not work for them.

This is correct

Source: worked there for a while

This is interesting, I'd love to read/hear more about it. Is the negotiation an above-board thing? What are the conditions and costs to getting this kind of exception ensured?

From what I've heard, it's something like 100 000 USD a year for a 100 Mbit connection.

Funny thing is: this is the same price paid in Brazil for a 100mbps MPLS link.

I've heard that commercial DCs and high-end hotels are less censored.

I'm in the Sheraton in Qingdao atm, and it's definitely less censored, I can access YouTube and Google Apps just fine; whereas earlier today from a business down the road these websites were all blocked.

We have colleagues in China and generally speaking, you find an alternative, and host it on premise.

I believe this is the reason why they use Atlassian[1] products, where the rest of us would use Trello, etc.

[1] company that created jira

Aren't there a dozen of bugtrackers, intranet collaboration software, CI tools and git hostings that they could download and install? What's so special with the Atlassian products?

Those suck a little less than, say, bugtraq, offer enterprise support on premises which you'd never use but you need to do the purchasing when you go for a big company, and kind of have a big recognized name for their customization support even if their whole stack sucks.

I think the "enterprise support on premises" is the main deal, along with the fact that we have already used it for some of our big projects.

Register your VPN with the authorities. We are atm doing this for an office in Beijing.

Is the primary purpose of your VPN to bypass GFW, or to provide access to your corporate network? I guess the latter would be considered a good reason.

yes, mainly to access the corp network.

Not all VPN services are censored, and not all VPN protocols trigger the reset. But you can bet whatever you get for free (thus likely popular) will get banned soon enough.

OpenVPN is like the prime suspect of a police procedural novel; it gets hunted down no matter what.

Personal experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.

"Thanks" to the Great FireWall by one of the evilest governments, I might have to finally give up Gmail after many years struggling using it with the help of a wide variety of GFW-fighting tools. My deepest respect to all the authors.

This might sound a bit counter intuitive but they really hate OpenVPN and SSH tunnels - not to mention they are trivial to detect and the process is highly automated.

Traditional VPNs such as PPTP/IPsec as well as various forms of obfuscated proxies are generally not interfered with unless something major happens. A lot of the alleged "censorship" is actually a symptom of high latency and packet loss on home connections.

I suppose that means OpenVPN and SSH are too secure for the Chinese government to eavesdrop on. PPTP, on the other hand, has been known to be insecure for ages.

So... could you avoid detection by passing an SSH tunnel through a PPTP VPN? Add enough layers, and the censors might not bother to unwrap all of them.

Given that most US websites are now over HTTPS, breaking PPTP won't actually give the Chinese government much information to eavesdrop on. They may know that someone is accessing Google or Twitter, but they cannot know the actual keywords or tweets they are reading.

Note that the Chinese government does not have backdoor access to those US websites, nor do they control a significant fraction of Internet infrastructure.

What about Chinese signed root certs?

That is why it is recommended to untrust every Chinese CA from your system. It won't affect daily browsing even for most Chinese users. The super majority of Chinese websites, even state owned ones, buy certificates from US companies.

Yes, you can. Shadowsocks was intended for a similar purpose, tunnelling traffic, and it is a bit more flexible than GRE-based VPNs.

IPsec is blocked now.

Blocked for a few established VPN providers, e.g. Astrill. The protocol itself is not blocked per se.

You won't get a stable site2site IPsec tunnel for long. That's why you have to register your VPN or go MPLS.

I currently use a mixture of PPTP and Shadowsocks. Shadowsocks (even to the same servers) seems to successfully connect a little more often, and drop a little less often. Otherwise, performance seems similar, and goes up and down.

Some of my friends have had success with VPNGate.


It's based on SoftEther VPN, which happens to be open-source and cross platform.


I'm using it for most of my VPN setups and I've generally found it to be superior to OpenVPN in every aspect (performance, usability, protocol support, obfuscation, etc).

This was exactly what I experienced in China this summer: no OpenVPN (not even a commercial one or a Linode self-hosted one), no SSH tunnel, no other used-to-work VPN solutions.

For SSH it sometimes works for a few days, then the whole IP/host is blocked.

I did not have time to try obfsproxy, shadowsocks or whatever, but it really really sucked. To make things worse, my Nexus phone could not get any updates etc. either, as Google is also _fully_ blocked. I felt I was back in the Stone Age there.

I have a good amount of recent experience with this. I found that it wasn't just a matter of your connection getting blocked; if you leave it up you'll experience some unreliable good periods (so, say, a torrent would download through the VPN overnight without a problem, but if I wanted to use the internet at any particular time, my connection was unlikely to be working). But yeah, I ended up signing up with Astrill.

When I was in China last year I had no problems using OpenVPN on my Holland based server.

Hotel WiFi may not be as restricted as the average citizen's connection. Local 3G/4G service may be more restricted than your home provider's roaming service. It's a bit of a crapshoot, but the GFW is definitely targeted more towards locals than visitors.

The Chinese authorities neither understand how FOSS works nor the Streisand Effect.

Not having to worry about != not understanding

I'm curious, what is the risk of getting caught, and what is the penalty?

Depending on what you do: detainment, torture, death.

Based on my experience, if you set up a VPN server (such as OpenVPN) by yourself and use it in China, you will see strange behaviours and the VPN server might stop working after some time. As a result, I've given up using my VPN and have been using a third party VPN service, which works better. Here's a list of VPNs that currently work in China: http://www.vpndada.com/best-vpns-for-china/

"you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out"

I recall the same thing occurring in Shanghai with many of the popular webmail services, they'd work briefly, usually just long enough to log in and get a glimpse at an inbox, then it would time out endlessly and that'd be it.

> Encryption is not enough.

I use an unencrypted PPTP VPN and the connection is really fast and stable here (Shenzhen, China Telecom). I have tried OpenVPN and ssh but both were much slower. FWIW, I don't believe using a VPN is illegal in China (though operating a VPN service without a license most likely is) and pretty much every single foreigner I know uses one.

PPTP is not secure. You need to open another, more secure, tunnel within your PPTP session.

According to a recent file, using a VPN isn't illegal. But hosting an unregistered VPN service in China is illegal. And the right of using an unregistered VPN service is not guaranteed.

Per the other comment, MS-CHAP2 is crackable. The PRC govt is probably happy to encourage people to think they're secure using it.

Yes, that was my point. They are happy to let people circumvent the firewall as long as they're still able to read the traffic.

How do foreign organizations with email and internal applications inside the firewall do business in China? Do they simply have to make an exception to their security policies for employees based in China? Put them on Baidu email accounts instead? Or are IT departments of big lumbering fortune-500s also dependent on these tools?

No. Big foreign corporations, like in all countries, VPN back to their home country. The same all over the world.

Internal policy dictates this, all over the world.

Email is usually on self-hosted Exchange.

Corporate firewall blocks stuff like Youtube and Facebook - also the same over the world, but some users with the business need can access whatever the business need dictates.

Some large companies just bypass the national firewall for speed reasons - this is negotiated with the government on an individual basis - pragmatically this makes sense, as the traffic is 100% encrypted back between fixed sources and destinations, and inspecting it just wastes resources for all parties. Some corporations may also have their websites for the public access bypass any filtering, also for speed reasons (for example, internet banking).

So exemptions from the VPN detection/shutdown mechanism can simply be negotiated by those with the political clout to do so?

Indeed. The point of the GFW is to prevent political unrest. MNCs' workers are unlikely to be fomenting dissent at work. Deploying the GFW on their connections doesn't really aid the government as a whole in terms of staying in power, but it does mean that MNCs will get pissed off and may reduce their presence in China.


Weird, was just there a month ago for two weeks and used https://www.expressvpn.com/ with no issue. I mostly cruised reddit / the internet so maybe there wasn't enough volume.

It depends. I am a bit surprised that reddit is not blocked. Neither is hackernews. Apart from classic Google, Facebook, Twitter, AWS is targeted intensely for its role in "affiliated freedom", to the point releases on github are blocked, others not as much.

Why go through Internet access providers in first place? Just get a radio transmitter and start broadcasting on short waves with encrypted digital modes... at least for short, critical transmissions.

At 1.2kbps?

Q: "Would you like a free, uncensored system to talk to anyone in the world? On top of that you could also send data at 1.2 kbps, again free and uncensored. You just need to switch frequencies quite often and randomly, in order to avoid that the bad guys will track you down..."

A: "No, 1.2 kbps is not enough, thanks but I prefer censorship."

Is that what you're saying?

Sorry, I've already had my fill of stupid arguments on the internet for the next couple of days. Maybe some other time we can get together and do our best to misunderstand each other.

Haha. Ok. And sorry.

Using an SSH tunnel works just fine in China, but they detect it and start blocking the IPs. You can usually get a few weeks before they block the IP address. It works better if the server is from a legitimate source like an edu.

Most of the detection is focused on blocking VPNs, and they are very good at disrupting VPN traffic.

Sounds like an overseas vendor needs to drop a blanket of satellite internet coverage over mainland China.

Sounds like you live in a world where you didn't notice that China became the second most powerful economy, and which will become the most powerful economy within a decade or so. Of course they're going to have the military to go with that:


The great firewall is a cowardly, non-confrontational technical infrastructure. I don't see China using a multi-billion$ missile system to shoot down a harmless foreign communications satellite that also served people outside of China. They're smarter than that.

... usage of which would be detected, and the users arrested and hauled off for "questioning" about spying and/or being a terrorist.

And using a VPN doesn't have these risks?

Of course it does, but they have a less expensive and more effective means of enforcement, which is just to shut it down. That's effective because the actions they take at a single location apply to a large number of infringements.

But if they can't shut it down via technology, they'll most likely shift to individual enforcement and harassment. In that case they have to chase people one at a time, so to get widespread effectiveness they have to make sure that each individual case frightens as many people as possible. That means that the individuals targeted will be punished more severely.

Enforcement 101.

Escalating the issue could be a good thing, even if people suffer. The problem with technological oppression like censoring or pervasively surveilling the Internet is that it's invisible and there's very little organised outcry. Just look at Snowden revelations. Nothing has changed, and most people simply don't care. Effectively once the requirements for bypassing the GFW become harder to deploy than a few clicks, from an easy to follow guide, the majority of the population will just accept this oppression.

My point was not whether this would be a good thing or bad, but to point out a likely consequence.

More likely they'd just buy up all the satco's and run the thing out of business.

Spoofing GGP tends to work very well in these situations.

which leads me to two questions:

1. if you need custom vpn, why even have apple devices?!

2. why focus on vpn over their network instead of mesh?

What is this supposed to mean?


"Removed according to regulations."

As a matter of fact I did, thank you.

Let me just find the nearest cliff to jump off.

For people who are not aware of this: Shadowsocks is a popular and very simple tool to circumvent the Great Firewall in China. It is written to reduce characteristics in network traffic so that the GFW cannot easily block it by deep traffic analysis. clowwindy is the original author.

And to add more context: Shadowsocks isn't just a tool nowadays, it's a group of applications that target both developers and common folks.

People have built successful VPN services using Shadowsocks, and they are available on many platforms, like routers and embedded systems.

And the iOS version is more or less the author's recent efforts to build a VPN client that can run on non-jailbroken iPhone, much like Cisco AnyConnect.

I think shadowsocks' popularity as a whole concerns the Chinese government, so they do their usual rooting-out-the-leader thing: now that the shadowsocks org is headless in the literal sense (no owner, no main repo), they hope its development will die out.

What is to stop any non-chinese person from rehosting the old code? I mean, they obviously wouldn't like it and if I was said person I'd never visit China's sphere of influence again...

I guess nothing.

There are plenty of people on HN who are i) wealthy ii) interested in beating censorship.

It'd be nice to see some effort going into creating software to beat censorship; having excellent translations of the documentation into a variety of languages; etc.

There are tons of forks of it on GitHub, naturally. I had to go to one to figure out what the project was.


Who is the target audience of this software and how does it work? Do non technical users set this up on a VPS provider and then connect to it? I'd imagine most developers in China would just SSH tunnel their way out.

SSH dynamic port forwarding has not worked for years. It is so easily picked up by the GFW, and minutes later it is gone together with the whole SSH connection. So are PPTP and L2TP VPN. The GFW has been upgraded so many times in the past few years. The target audience is developers. The install is super simple via one line of `pip install`; the start command for the daemon is also one line, with the configuration inline or through <10 lines of json. On the client side the author and other contributors developed native clients that allow connection by supplying just 1 password and 1 server address. Super simple and highly reliable to this day.

So looking at the code for the Go implementation, it appears to be just a stream cipher encrypted version of SOCKS5 [1,2].

1. https://github.com/shadowsocks/shadowsocks-go/blob/master/sh...

2. https://github.com/shadowsocks/shadowsocks-go/blob/master/cm...

(Not the best code, a couple of race conditions in there)

@olalonde The GFW is known to tighten control on national holidays or any event they see fit. The day after the Tianjin explosion, IKEv2 stopped working for 1 day on my network (I was in Beijing). PPTP from time to time suffers the same issue, though I couldn't say when. Also check your IP location: I found out one provider was having a reliable PPTP connection about a week ago, and it turned out they were just relaying traffic in a data center in China. That traffic is not blocked by the GFW as long as it is domestic, and I could only imagine that data center simply forwarded the traffic onward using other means.

Why not just wrap all your SSH packets as HTTPS?

I believe that the traffic patterns (up/down request amount and timing) will still look sufficiently different from a 'normal' https connection to be detected and cut off within an hour.

This I wonder as well. stunnel + openvpn used to work. Not sure if it still does.

SSH tunnel is just too easy for the GFW to detect, it's so unstable that you cannot even browse the web with it.

Yes, setting up a VPS provider would be the most common way. There are Shadowsocks implementations that support multiple users so that more than one person can use it simultaneously. There are also commercial solutions for Shadowsocks where you can just purchase an account instead of setting up your own server.

There are many import/export companies in China, they are also the target audience of this software. Gmail is important for them.

SSH still works, but it's not designed to give high throughput, so ideally one would not want to watch a YouTube clip over SSH. And DPI can identify and kill an SSH session when there is too much traffic happening over it (i.e. no obfuscation is taking place to hide SSH traffic).

I believe GFW doesn't do traffic analysis just yet. Otherwise shadowsocks won't stand a chance either.

This is the end of a century. People in China have used 4 kinds of tools to skip the GFW: freegate, openvpn, goagent, shadowsocks.

freegate is a traditional HTTP proxy or SOCKS proxy built by Falun Gong (https://en.wikipedia.org/wiki/Falun_Gong). They built lots of software with the same technology: freegate, gpass, freeu, dynapass... People share this kind of banned software, sending it to each other just like teenagers share adult videos. After an update of the GFW, it became unavailable and unusable.

openvpn turned breaking the GFW into a business; people sell openvpn accounts at $1.66 a month regularly. They sell this kind of service package, including pptp, l2tp, ssh and openvpn, to those who need a free network.

goagent is free software written by Phus Lu. It uses Google's App Engine as the server, so you can use it without paying money. So it replaced openvpn since it costs $0. After China banned Google, this way became harder and harder.

shadowsocks is a protocol designed by clowwindy. It became an environment: people use python, C, nodejs, golang, rust, obj-c and java to write their own clients and servers. Some organizations share their servers for free; some people sell accounts and provide high speed. shadowvpn works as a VPN while shadowsocks works as a socks5 proxy, but they share the same technology.

This is the end of shadowsocks. I mean, recently more and more evidence shows that the GFW has finally found a way to recognize shadowsocks's packets. Then they stopped the development of shadowsocks.

That's all. The winter of China's network comes.

> That's all. The winter of China's network comes.

Is there technical reason to believe that shadowsocks or similar technology is the last stand against automated censorship?

I would just say this is just yet another stage in the censorship/anti-censorship cycle.

You may not be seeing the big picture here. Censorship is about rulers cementing their rule, and may well ultimately lead to complete tyranny.

There's no guarantee that "the censorship arms race" will continue, even in your specific nation-state.

For example, I bet there's not much anti-censorship software being developed in North Korea, because people don't want themselves and their entire families tortured to death.

The real problem here is not that we might be lagging behind governments with our anti-censorship tools. The real problem is the existence of governments to begin with, because as long as they exist, they will want to control their subjects as closely as possible.

Politicians and the real rulers behind the scenes are all psychopaths.

They see us as human livestock, and any one of them would be perfectly happy with a global North-Korea, as long as they personally would be in the tiny ruling elite, with all the riches and power a psycho could ever dream of.

I think that is what he meant. Winter is seasonal after all.

I think maybe he meant it as a Russian winter

> I mean, recently more and more evidence shows that the GFW has finally found a way to recognize shadowsocks's packets.

Hmm... okay, so they defeat shadowsocks by recognizing the packets.

> Then they stopped the development of shadowsocks.

But if they already had shadowsocks beat, why do they make a public show of shutting it down?

Sounds more like they recognize that they don't have the GFW technology to defeat shadowsocks' ongoing development over time. Which suggests all you need is a new developer.

I don't know if this is the case, but I think it's entirely possible to know that shadowsocks is being used widely without being able to do anything about it at the network level. I think that's plausibly how shadowsocks is designed to avoid the GFW in the first place.

For example, if their capabilities to identify shadowsocks traffic are not particularly specific, filtering would result in undesirable impact on other traffic. They can also have other out-of-band estimates for the extent of shadowsocks use (presence of the software on seized or searched equipment, observed chatter, informants, etc).

Actually, doing both makes a lot of sense.

a: build a method of detection and prevention and

b: find and coerce developer to stop improving software,

#b is required assuming the developer(s) is considered to be an above average adversary. When there is no silver bullet solution a cat+mouse game is inevitable. That further increases the value of this action.

#a being done at the same time as #b has an effect on the collective behavior of the adversary. I'm sure various members of the RIAA and MPAA are wondering how they could have dealt with "filesharing" in a similar manner during the Napster days. But in the end it only buys you time in a cat+mouse game. Meh, I'm sure there is some Sun Tzu Art of War blah blah somewhere saying the same, more poetically of course.

There's no such thing as overkill.

Everyone can just use Lantern (https://www.getlantern.org). They already are, but in greater numbers since the Shadowsocks announcement (https://github.com/trending).

This wasn't a thorough deletion. The shadowsocks-iOS project has been switched to the 'rm' branch, but the 'master' branch still contains all the source code: https://github.com/shadowsocks/shadowsocks-iOS/tree/master There's also a downloadable 2.6.3 release with a built .dmg and source code: https://github.com/shadowsocks/shadowsocks-iOS/releases

Even if it does get completely removed, a duplicate exists on GitLab: https://gitlab.com/mba811/shadowsocks-iOS (No guarantee that it has all the commits prior to deletion, or that it hasn't been modified from the original in some way.)

I can only hope the police in clowwindy's country don't know how to switch GitHub branches.

I don't know what you're talking about. That repo is totally empty. Nothing to see here, move along.


The last commit on the GitLab mirror is cf485148bd9f4d4520d13e2169997cd72464f3c0. On GitHub, it's not the last one, but it's on the first page (not that much commits since).

Because it's the same SHA, and because of the way git works, we know that all the history before it is exactly the same on GitHub and GitLab.
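The argument in this comment (a commit id that matches on both hosts implies identical history before it) as an added worked example, not code from the shadowsocks project or from either hosting service. It rebuilds git's object hashing from scratch: an object id is sha1 of "<type> <size>\0<body>", and a commit body names its tree and its parent ids, so a commit's id covers every ancestor. The commit chain, messages and author line are constructed sample data; only the empty-tree and empty-blob ids are real git values.

```python
"""Why a matching commit SHA implies identical ancestry (added example)."""
import hashlib

# Well-known ids git assigns to an empty tree and an empty blob (real values).
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
EMPTY_BLOB = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"

# Constructed author line; git's format is "Name <email> <unix-time> <tz>".
AUTHOR = "Example Author <author@example.invalid> 1440230400 +0000"


def git_object_id(obj_type: str, body: bytes) -> str:
    """Return the hex object id git computes: sha1("<type> <size>\\0<body>")."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree: str, parents: list, message: str, author: str = AUTHOR) -> bytes:
    """Serialise a commit the way git stores it (before zlib compression)."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]        # root commit has none
    lines += [f"author {author}", f"committer {author}", "", message]
    return ("\n".join(lines) + "\n").encode()


def build_chain(messages: list, tree: str = EMPTY_TREE) -> list:
    """Build a linear history from constructed messages; return ids oldest first."""
    ids = []
    for msg in messages:
        parents = ids[-1:]                            # [] for the first commit
        ids.append(git_object_id("commit", commit_body(tree, parents, msg)))
    return ids


def shared_history(ids_a: list, ids_b: list, sha: str) -> bool:
    """True iff both histories contain `sha` and agree on everything up to it.

    Because every id hashes its parent's id, agreement on `sha` alone already
    implies agreement on all ancestors; comparing the prefixes just makes that
    visible rather than adding strength.
    """
    if sha not in ids_a or sha not in ids_b:
        return False
    ia, ib = ids_a.index(sha), ids_b.index(sha)
    return ids_a[: ia + 1] == ids_b[: ib + 1]


if __name__ == "__main__":
    origin = build_chain(["initial import", "fix build", "add iOS client"])
    mirror = build_chain(["initial import", "fix build", "add iOS client", "mirror-only tweak"])
    tampered = build_chain(["initial import", "fix build (modified)", "add iOS client"])
    print("mirror shares history through", origin[-1][:12], shared_history(origin, mirror, origin[-1]))
    print("tampered fork contains", origin[-1][:12], origin[-1] in tampered)
```

The guarantee rests on SHA-1 second-preimage resistance: nobody can craft a different commit body (or a different ancestor) that hashes to the same id, so the id you copy from one host is a fingerprint of the whole chain behind it. Checking the id alone says nothing about commits that come after it, which is why the mirror's extra commit needs separate review.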

That duplicate will get flushed after they run the 'git pruned' on the 2AM cronjob. Nothing to worry about.

What are you talking about? Does not work. Cannot access the code.

That's mostly a side effect of GitHub's caching mechanism. It's all gone now.

All of the links in the post you're replying to still work fine for me.

No, it's not there. You must just be seeing something in your browser cache. It's all gone forever. cough wink cough

Years ago, news said China "banned" bitcoin, years later miners in China live just fine. I guess this is not going to be so different.

The only thing that's "banned" regarding bitcoins in China is that financial institutions aren't allowed to trade them. You can mine them, you can set up companies that mine them, you can trade them if you're not a financial institution.

And as an aside they're the easiest way to exchange money when overseas. It's like a bank where the bank meets you at your hotel and gives you cash, and you never have to worry that your PIN won't work or your home bank will decide not to honor your transaction for fraud protection.

Yes, it's more like regulation that is poorly implemented. But fewer people knew it at the time, according to what the news and bitcoin users in China said. As a result, news related to China can still impact the price greatly sometimes, which leads people to ask whether China has really banned bitcoin or not. You could find many discussions in terms of this at the time. Of course people by now understand the "ban" itself is limited.

This is different. China (the Chinese government) has a much, much stronger incentive and political resolution to reinforce its Internet speech control than to crack down on a couple of bitcoin miners.

> Implying bitcoin has nothing to do with free speech.

I'm saying that the result is not going to be so different, as in people will still use shadowsocks to circumvent the firewall and won't get "disappeared" or whatsoever.

Edit: letters


Someone in this subthread mentioned something about a commit hash. This is important.

I find this comment amazing:


Even with root account, you are not in full control of your Mac - you are sandboxed by Apple.

This is the result of a recent change in OS X 10.11, called System Integrity Protection.

It's a big step in the wrong direction [opinion], especially because it does nothing to verify "integrity". It prevents changes to the System directory by conventional means (and injection into system processes).

If malware were to figure out a way to disable SIP from userland, it could install itself in such a way that nothing short of disabling SIP could uninstall it.

But that's the thing, you can't disable SIP from userland. It can only be disabled when booted into recovery mode. So yes, it absolutely does verify integrity, because it makes it so malware cannot embed itself into the system. Your last sentence there is 100% pure grade A FUD. You may as well just say "every security measure is bullshit, because if malware were to figure a way around it, then it wouldn't work". It's a meaningless statement.

It's a boot argument to the kernel, stored in NVRAM. These arguments are normally mutable. Apple had to write code to prevent modifying said arguments. Said code can have flaws.

But let's say you don't find a vulnerability in SIP userland detection, and instead find a kernel exploit to get around the protection:

If malware were to figure a way around it, then even antivirus software can't uninstall it. Only Apple can. It's not FUD.

Don't be alarmist; worst case, a cleaning tool would have to be run from recovery mode, but nuke and pave is usually the recommended course of action if you get infected with a rootkit.

SIP holes will be found, and Apple will patch them just like other security flaws.

> Apple will patch them just like other security flaws

With the condition that you have to upgrade to the very latest system :)

There are a few exceptions but generally you can stay one or two versions behind. While Apple annoyingly don't state how long they support OS releases, they currently ship security patches for 10.8 and 10.9. The last patch for Lion was just before the 10.10 release.

It is FUD since it is not impossible to make these changes, it's just (intentionally) more difficult than casually supplying a sudo password. Anyone can detect signature changes in a system directory and anyone can boot to a recovery volume (either the default Apple one or one provided by an anti-virus company, if desired) to make whatever corrective change they want.

This is absolutely FUD. Even if you're correct and malware finds a way around it, then it obviously doesn't work, which means antivirus software could use the same mechanism to kick out the malware.

Unless the malware uses the backdoor/exploit then patches it out once it's inside. It has complete system control, after all.

If you have some malware that actually needs to modify system files, that still significantly ups the ante. Sure, if you have a kernel exploit, you can do it, but currently malware does not need any exploits to take over a system if it can convince a user to download and type in their password to install - Gatekeeper is one mechanism to prevent this, but I've personally been served multiple ads offering malware with a valid Developer ID signature, so it's tricky... (though I don't know how aggressively Apple is working to revoke their certificates). The difference in skill required between just writing an installer disguised as legitimate software on one hand, and continuously coming up with working exploits on the other, is pretty huge. And in any case, the easiest-to-exploit OS X privilege escalation vulnerabilities are things like rootpipe that don't compromise the kernel.

However, this argument falls down a little if malware doesn't actually need to modify system files, which it doesn't for most typical evil stuff I can think of.

What if some OS X malware finds a way past the limitations on editing system files? The malware would become undeletable.

It wouldn't be undeletable, it would just involve booting into a recovery volume (either the automatic Apple recovery partition or a user supplied volume).

Since all System locations will now be signed (as part of the move to SIP), it means that the basic Apple recovery partition will be able to purge any such malware by a simple signature verification.

Does it actually do that? I haven't heard of it... But just reinstalling the OS accomplishes the same, slightly less quickly. Of course, if the malware is nasty enough, it might modify user settings to make a program run automatically, e.g., by adding it as a startup item, which, unless that OS reinstall included a patch, could then exploit the bug again and reinstall itself to the system locations. Not much Apple can do about that.

Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?

(I have limited experience with OS X - only briefly played around with driver development and bootloaders in the 10.4 era with osx86 - and I did have to boot from the DVD a few times when I made the system unbootable.)

This raises the question, what good is root if it's not really root anymore?

This has been the plan for several years. I remember seeing block diagrams for GlobalPlatform's Trusted Execution Environment[1] that were based on the idea of the "Rich OS" (OSX, Linux, etc) being able to run more or less normally, with something that isn't really a hypervisor providing the "secure"/"trusted" environment.

The idea is that a combination of a SecureBoot-style trusted boot sequence and technologies like Intel's SGX instructions to create an area that is protected from everything else, root included.

Ever since (heavily controlled) iOS was accepted by the tech crowd as a replacement for a proper General Purpose Computer, we've been slowly losing more and more control. At least there seem to be workarounds for this particular OSX "feature". It is incredibly important to stop this trend now; it will be a lot harder to work around these restrictions when it gets hardware support.

[1] http://i.imgur.com/rjbzWyB.jpg

> Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?

It's easier than that. It's just a kernel argument to disable it. Simply add "rootless=0" to your boot-args and you have control of your machine back.

I'm running the 10.11 beta and I've already had to disable rootless because I like to have /usr/local as a symlink to somewhere else and by default the rootless configuration prevents writes to /usr. :-/

Apple has stated that the "rootless=0" boot argument to disable System Integrity Protection is temporary and will be gone in the GM version of El Capitan. Allowing this route to disable the feature would defeat the entire purpose of it.

Apple have recently made a few changes to how you enable/disable System Integrity Protection...

Source? They said in the WWDC session (http://asciiwwdc.com/2015/sessions/706) that the process to disable rootless may change during the beta, but didn't say that it won't be possible in the GM.

They know that rootless will break some applications/drivers, plus some types of development may need it disabled.

The supported mechanism for disabling System Integrity Protection is via the recovery partition.

Does this break homebrew? Or does it only block writes to entries in /usr and not subdirectories like /usr/local ?

You are allowed to write to /usr/local. But making /usr/local itself into a symlink requires writing to /usr which is prohibited. So I was screwed but for the normal case it should work fine.

There is a supported option to disable SIP from recovery mode, so there's no need to get around it per se. (Recovery mode because it would be hard to impossible to verify the user's intent when malware that already has root privileges is running...)

> nothing short of disabling SIP could uninstall it

At the very least, the OS needs to be reinstalled from an off-disk source, and that's assuming you haven't been hit by something sophisticated enough to put itself in firmware. We're fast approaching an era where you need to trash the hardware. You should never trust an OS install that was ever compromised, and making it more difficult to do so is a good thing in my book.

How do SIP and dtrace interact?

From https://developer.apple.com/videos/wwdc/2015/?id=706

"all dtrace probes that target a system restricted process will not be matched" (i.e. will fail unless SIP is disabled).

Not really surprising, though: Apple has been making OS X a little worse with every iteration.

Tell me about it. I recently bit the bullet and upgraded to 10.10 after waiting for quite a while. Man... Firefox has been crashing regularly since then, the Mail.app will also crash every now and then, and to top it off, the system itself has crashed twice on me over the past... two weeks. Sigh

Try installing a fresh copy, or do some HDD/RAM checks. I have been running 10.10 since it came out (+Firefox) without any problems.

I am doing my best to NOT update my OSX; every time I update it, the thing gets slower. It is really annoying.

El-Cap is the fastest version yet in my experience and seems to be getting important security fixes too.

Windows 10, now OS X... and meanwhile I have installed Linux on all my workstations. Looks like big corporations are shooting themselves in the foot.

I think you have that backwards. You, as the person with physical access, are in full control, as SIP can be controlled from recovery mode. Processes running as root are no longer trusted to have full access to the system. This is definitely a step in the right direction.

This is an iOS app, not a Mac app.

Yes, but from the same commenter earlier: "I want to try this api on MAC OS 10.11. I understand the reason why I need to ask apple for some permission to publish the app with this api to app store, but I can't believe that I have to ask them for permission to run this api on my development machine."

It's possible that commenter is misguided. The documentation on NETunnelProviderManager[1] says it needs the extension and that you should send an email to get it, but there's no indication as to whether there's anything stopping you from granting yourself this entitlement on a development machine (obviously Apple needs to approve it for an app on the MAS; I don't know what limitations there are for non-MAS apps in this regard).

[1] https://developer.apple.com/library/prerelease/mac/documenta...

Where by "extension" I of course meant to say "entitlement".

Wow. OSX ... it was nice knowing you.

As a Chinese developer, I get more and more disappointed with my country.

I'd read a book written by Lin Yutang, called My Country and My People. All my understandings of my country after reading this book are not the same as today's China.

What's wrong? I don't know. I just wanna have freedom for Googling. I just want the people in this country to be happy, not only because they get enough to eat.

Don't worry, western leaders have figured out one doesn't need democracy or free speech for capitalism to function; China set an example. So with all the spying, bans on encryption, limits on freedom of the press with laws such as "the right to be forgotten", or making it illegal to criticize cops or politicians in Spain, we have already entered a post-democratic era. And people in Europe take their freedom for granted, forgetting they had to fight to the death to win their freedom in the first place.

The right to be forgotten is actually a powerful mechanism to protect individuals. Though, the law should possibly be revised such that it only applies to individuals who are not public figures, who can prove to have little or no range of responsibilities.

The right to be forgotten flies in the face of capitalism. You cannot assume you act in perfect self-interest without total and perfect information. The first can be easy to acquire, the second harder.

The right to be forgotten impedes on total information awareness and the desire to make the perfect rational decision with your money.

This is a good thing. Total information is not perfect information because of bias and context. Someone seeking such information will process it through a biased lens and never attain perfection. In that case, the individual under the lens will lose out.

In what way has that book changed your way of thinking?

+1 for Lin Yutang, he is an amazing writer who sparked my interest in China. I lived there two years and met my wife. Xie xie Lin Xiansheng!

“Two days ago the police came to me and wanted me to stop working on this. Today they asked me to delete all the code from GitHub. I have no choice but to obey.

I hope one day I'll live in a country where I have freedom to write any code I like without fearing.

I believe you guys will make great stuff with Network Extensions.

Not being facetious here - what country do you live in that you think the government can't/won't interfere with your code?

Perhaps I am misunderstanding your use of English, because it is difficult to see how this is not a facetious question.

There are relatively few countries in which the government both could and would interfere with someone's publication of code, and I think only in China is there both widespread computer use and internet access, on the one hand, and state security actors (the civil police, actually) who have the sophistication and funding to intervene with specific projects such as this one.

Did you mean to ask what country he was in?

The US does "interfere" with the publication of some code. I'm thinking of cryptography code. Quoting from https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... .

> Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Equipment. ...

> As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license

> ... Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.

But in the US, you can sue the government: https://en.wikipedia.org/wiki/Bernstein_v._United_States

I think you mean "at least", rather than "but"? You'll notice the WP quote I gave includes restrictions post-Bernstein (and links to that case). Even these restrictions count as 'interfer[ing] with someone's publication of code', no?

I'd add the USA to that list - plenty of evidence that National Security Letters have been used to stifle/gain access to/alter coding projects in the interests of US GOV.

It's probably even more insidious, because simply confirming the existence of an NSL can be a crime punishable by significant custodial sentences. In the USA, posting "The police asked me to delete this code" could land you in federal pound-you-in-the-ass prison for 10+ years.

> There are relatively few countries in which the government both could and would interfere with someone's publication of code

It's not about interfering with someone's publication of code. It's about neutralizing threats to rulers' rule.

China's rulers shut this guy down because his tool might enable too much free speech among the masses, which, in turn, would pose a threat to the government's rule.

As for the idea that "it couldn't happen here!", see how the US government "interfered" with someone's publication of articles: https://www.youtube.com/watch?v=dUYMPZ4nEOY

See also: https://www.youtube.com/watch?v=u2ebudnWlh4

I think there are more than a few countries where this sort of thing could easily happen. Tech talks get canceled at the behest of the powers that be with some regularity, I don't think requests to take down source code would be out of the question.

You think that, but your links are to two cancelled presentations at conferences, neither of which has any clear connection with the 'powers that be', unless you consider the SEI and Carnegie Mellon University to be the 'powers that be'.

Both those conferences occur in a single country, one which was not even able, under its own laws, to effectively suppress the distribution of cryptographic code when it was legally considered to be militarizable as a weapon.

Do you think you're allowed to talk about the government suppressing you?

And the point isn't that they weren't able to suppress crypto code; it's that they tried.

Maybe China? There's a bit of Chinese in the author's other repos: https://github.com/clowwindy?tab=repositories

Yes, it's China, because the Chinese government fears that the citizens who live in China will know about the truth of the government's corruption.

Knowing about corruption, and being able to get away with it, are 2 separate things I think. If you don't abuse people's human rights and give them a good life, you can get away with a lot of corruption I presume.

Dear Alex, although this may sound like a revelation, governments do not fear. They are fictitious entities. Non-humans. One may think about them as software.

Dear ommunist, I think you are right, governments are like "Matrix", which controls every child process.

No, dear. They are just putting child processes into existence. If there is no state, there are no citizens.

From the fact that there's lots of other stuff related to networking/tunneling, and the username has some "Chinese characteristics" to it, I also think it's China.

I find this is a very gentle warning compared to what we hear about secret law enforcement in general and China in particular. Isn't the practice to stage a suicide after deleting his repositories?
