Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS). For example, in a traditional HTTPS session, if the client browser downloads, say, a 500kB image over HTTPS, it will send periodic empty TCP ACK packets as it receives the data. But when using a VPN that encrypts data at the IP layer, these empty ACK packets will be encrypted, so the Great Firewall will see the client sending small ~80-120 byte encrypted packets, and will count this as one more sign that this might be a VPN.
That's why people in China have to use VPN tools that most westerners have never heard of: obfsproxy, ShadowVPN, SoftEther, gohop, etc. All these tools try to obfuscate and hide VPNs. I have a lot of respect for all these Chinese hackers like clowwindy who try to escape censorship, as it takes more technical prowess than you think to design a VPN that works in China.
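As an added illustration of the point above (example code, not from the commenter): a small Python model of a 500kB HTTPS download, first as plain TCP and then wrapped in an IP-layer tunnel, showing that encryption leaves the size and direction of every packet intact, so the client's empty ACKs survive as a run of small uplink packets; the segment size, tunnel overhead and padding bucket are constructed assumptions, not measurements.

```python
"""Added example (not from the original thread): models how an IP-layer VPN
hides packet contents but not packet sizes or directions. All numbers below
are constructed assumptions, not measured values."""
from collections import Counter
from typing import List, Optional, Tuple

MSS = 1380            # assumed TCP payload per segment (tunnel-adjusted MSS)
TCP_IP_HDR = 40       # IPv4 + TCP headers without options
TUNNEL_OVERHEAD = 60  # assumed outer IP/UDP header plus VPN framing

Packet = Tuple[str, int]  # ("down" | "up", bytes on the wire)


def https_download(size_bytes: int, delayed_ack: int = 2) -> List[Packet]:
    """Plain HTTPS download of `size_bytes` from server to client.
    'down' packets carry data; 'up' packets are empty TCP ACKs that the
    client sends every `delayed_ack` full segments (TCP delayed ACK)."""
    packets: List[Packet] = []
    remaining, segs = size_bytes, 0
    while remaining > 0:
        payload = min(MSS, remaining)
        packets.append(("down", TCP_IP_HDR + payload))
        remaining -= payload
        segs += 1
        if segs % delayed_ack == 0 or remaining == 0:
            packets.append(("up", TCP_IP_HDR))  # headers only, no payload
    return packets


def tunnel(packets: List[Packet], pad_to: Optional[int] = None) -> List[Packet]:
    """Encapsulate each inner packet in the VPN. The content is encrypted
    (irrelevant to an observer), but each outer packet is inner size plus
    the tunnel overhead. With `pad_to`, the outer size is rounded up to a
    multiple of that bucket, which is the padding mitigation some
    obfuscating transports apply."""
    out: List[Packet] = []
    for direction, size in packets:
        outer = size + TUNNEL_OVERHEAD
        if pad_to:
            outer = -(-outer // pad_to) * pad_to  # ceil to the bucket size
        out.append((direction, outer))
    return out


def small_uplink_fraction(packets: List[Packet], threshold: int = 128) -> float:
    """Share of client->server packets at or below `threshold` bytes.
    A flow that is mostly tiny uplink packets while downloading is the
    ACK signature the comment above describes."""
    up = [size for direction, size in packets if direction == "up"]
    return sum(1 for size in up if size <= threshold) / len(up)


def size_histogram(packets: List[Packet], direction: str) -> Counter:
    """Wire-size histogram for one direction, as a DPI box would see it."""
    return Counter(size for d, size in packets if d == direction)


if __name__ == "__main__":
    plain = https_download(500_000)
    print("plain uplink sizes:   ", dict(size_histogram(plain, "up")))
    print("tunnelled uplink:     ", dict(size_histogram(tunnel(plain), "up")))
    print("padded uplink:        ", dict(size_histogram(tunnel(plain, 512), "up")))
    print("small-uplink fraction, tunnelled:", small_uplink_fraction(tunnel(plain)))
    print("small-uplink fraction, padded:   ", small_uplink_fraction(tunnel(plain, 512)))
```

Padding only flattens the size histogram; packet timing and the down/up ratio are untouched, which is why obfuscating transports do more than pad.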
I have noticed they have multiple situations. For example, when everything's quiet the internet is not so bad (despite the fact that bandwidth is extremely low for a huge amount of people), but when some news comes out about government corruption, guess what? Some VPNs do not work. In the 2009 green movement they closed every https connection (maybe that was a red alert situation).
p.s.: https://en.wikipedia.org/wiki/Deep_packet_inspection
p.s.: I use a VPS from the Netherlands for bypassing the firewall, but it takes a huge amount of time and a little money. But the point is that 99.999% of people don't have this option (I use shadowsocks, sometimes other tunnels), so they use the internet the way it is, or some software like freegate and others, but with extremely low speed and unbearable lag.
p.s.: pptp, l2tp and others are closed right now. Even President Rohani couldn't manage the situation. I have heard he did want to do something but the supreme leader and his people stopped him.
It turned out that RDP actually worked pretty well. I did hesitate to post this in case it's seen by the wrong people (!), though given it's a while since it was necessary to use, it may be blocked by now anyway.
I wonder if it was available because it was relatively little known and, if so, what other little known protocols might be available.
As a Chinese netizen I don't know if I should be proud that we have world-class advanced technology or be ashamed. Possibly ashamed.
Oh, I just gave away so much secret. I'm so doomed. Everything above is just made-up stories. Don't believe me. Don't track me down. Please.
These are our colleagues designing and implementing these tools of oppression. We should ask them why they exercise their talents in this way.
Chief among these was the Three Kingdoms War when up to 40 million are reckoned to have perished in military operations and from the destructive consequences of warfare. This is an enormous number, considering that the global population at that time is unlikely to have exceeded 400 million. More recently, the Taiping Rebellion claimed more than 20 million lives while the civil war that brought the Communist Party to power resulted in 7.5 million deaths, over and above the 20 million estimated to have been killed in the roughly contemporary Japanese invasion.
This is not the history we were taught at school but Chinese leaders are well aware of these facts.
When disorder breaks out in China, things turn very nasty indeed.
It is best, therefore, to avoid disorder at almost any cost."
That is why.
Or would you prefer to have China descend into the chaos of Rwanda or Sudan?
Also, when quoting large blocks of text it is usually helpful to source that quote.
If they are using oppression to avoid disorder, they had better have a long-term plan. Otherwise they are digging their own grave.
Not many people fear chaos in the USA, and not because they have the best firewall.
There are not millions of doomsday preppers in the US. And their obsession is not representative of public will or sentiment.
The comment you're replying to said:
> Not many people fear chaos in the USA, and not because they have the best firewall
So you seem to be saying that if the US had a Great Firewall the nutjobs who spend half their salary on underground bunkers and armament wouldn't. That's a pretty silly argument.
Incidentally, in most of those Chinese conflicts (4 out of 5, I believe), they were right. Many other wars were similar: starts with "immigration", numbers increasing, conflict, open conflict (and mass death), repression (of the losing side). Extermination is often tried but rarely succeeds. Well, it succeeds in causing mass death, but it doesn't succeed in the sense that extermination is the result.
And I wonder if filling in the Apple form helped them find him, or if it was just bad timing.
Pretty much all the ISPs sell "international lines" as well. But only as part of their business packages. Usually it will run for about US$1k/mo - US$3k/mo with minimum 1-2 year contract for their "starter" package. Most tech companies in my area have them; they work very well. Essentially they are a hardline to Hong Kong and they ration out to subscribers.
The key thing to understand about the GFW is that it's not about general censorship of the population. Frankly, the government doesn't care if someone who is middle class, i.e., invested in the status quo, gets around the GFW. They are more concerned about conservatives in lower classes trying to organize to stop the move towards capitalism. And it's mostly about protecting the market now so local companies can get access to these lower classes as their position improves and they join the middle class.
It's not just international companies. Chinese companies are all about going overseas now. China is now a net exporter of investment. Plus it seems every company with an app that has a moderate amount of success wants to reach Chinese outside of China -- they have more money -- and so needs to integrate with blocked services like FB. And exporting Chinese online games to other developing nations is really taking off.
"Reason for Recommending: Reliable connection, fast speed. Fast customer support."
What do you mean by 'reliable'? What do you mean by 'fast'? Are you talking about latency or throughput?
"Reason for not recommending: sometimes hard to connect"
How many times out of ten? Using which VPN protocol(s)? Was this using PPTP, or OpenVPN over stunnel?
I run my own VPN servers (for myself and friends) but of course there is some ongoing maintenance effort to add new servers to replace those for which latency and/or throughput have declined. If there were a site with specific data about different companies' performance (over time), that would help me to decide whether it's still worth the effort.
Now, on previous trips I experienced what you mentioned. It seemed really like there was some machine learning going on, and after using a VPN for a while the connection would get bad. But I guess it might not be machine learning, there might just be a huge number of humans watching your traffic - which would explain why it is so inconsistent.
The thing that worked best for me is just using ssh -D (on most days). Our workplace uses ssh a lot for secure communication with outside china, so that couldn't possibly be blocked without hindering our work (and I believe 'they' have no interest in that). So whenever I had to access something for work that was sillily blocked (argh gmail), I just used the ssh connection that was open anyway.
And what most ppl do when facing this? They choose a local service instead of Twitter, Facebook, Youtube, Google. See, censorship is only a part (though a vital part) of the grand scheme.
It's a pretty sophisticated arms race that's led to some cool stuff, notably pluggable transports (like the obfsproxy you mentioned): https://www.torproject.org/docs/pluggable-transports.html.en
Unfortunately the companies that enable this deep packet inspection are often American companies working overseas. My friend who used to work at Cisco said they had internal slide decks about the improvements they could make to the Chinese firewall. Then there's Bluecoat in Sunnyvale (https://www.bluecoat.com/) building the censorship systems for the middle east.
Why do American companies sell this kind of stuff to China and non-democracies in the Middle East? They must rationalize it in some way, but I think it's wrong.
Pursuit of the almighty Free Market without regard for scruples or morality. Basically, public corporations base success only on money. If you as an executive refuse to bow down before Mammon[1,2] then you are replaced by someone who will. See also Charles Stross' excellent Invaders From Mars. The Chinese government and other regimes pay big money for these tools.
I thought it was just a consequence of being on spotty <5 Mbps (ADSL?) connections. The internet situation was barely tolerable for a few weeks' stay; I can't imagine what living in these conditions 24/7/365 is like.
"24/7" means 24 hours a day, seven days a week.
"24/365" means 24 hours a day, 365 days a year.
"24/7/365" means 24 hours a day, 7 days a week, 365 weeks a year?
I know, I know, it's become an idiom, and it's like "I could care less", and you can't try to understand it except as an atom that carries a meaning, but it just looks wrong to me.
Sorry - I'll now return you to your regular programming.
If the sole holiday were a single Golden Week sometime in the year, the idiom may indeed have been "24/7/52", but holidays are simply scattershot like that.
It's not that the individual segments relate to each other. Rather they answer three sets of questions:
What are your daily hours? All of them. 24 hours / day.
What weekdays are you open? Again, all of them. 7 days/week.
What holidays do you observe per year? None, we're open 365 days/year.
Since there's rarely a monthly cycle to business closings and there aren't a standard number of days per month, that's elided.
It also helps to realize that human timekeeping is really based on three independent phenomena which are utterly unrelated. There are day-based units: seconds, minutes, and hours are all subdivisions of the period of rotation of Earth about its axis.
The month is based on the Moon's orbit about Earth. That it is roughly 30 days is a notional convenience, similarly its rough divisibility by 4 into 7-day periods. The week is entirely synthetic (though profoundly persistent).
And the year is based on Earth's orbit about the Sun. Again, the relationships to days and months are entirely arbitrary.
That's why it often seems time units are arbitrary. They are.
There's a brief book which lays this out and traces the calendar through time, The Seven Day Cycle.
7 *days* per *week*
24 *hours* per *day*
365 *days* per... *year*
Just trying to help. ;-)
24 hours a day, 7 days a week, 365 days a year.
Of course, this is a losing battle. People just don't care if what they say makes sense, they just say stuff and assume that people will understand. This is one of the things that makes language bizarre, miraculous, infuriating, and impossible to analyse. I note examples like this because they are caltrops on the road for NLP.
> They are all relative timeframes by which
> a store may be closed; certain hours during
> the day, certain days during the week, and
> certain days during the year.
> Your inability to make sense of it doesn't
> affect the rest of us.
> ... it is the result of a willful ignorance
> that you are bragging about.
> It doesn't make for very interesting trolling.
I would argue that no single statement can make sense. Sense is made when multiple statements are combined.
It's really all just about appropriate cognitive load. Every statement must be processed and it's great to be as accurate as possible and as accurate as the consensus agrees to.
Anything higher quality than that falls under the category of "great writing," which only a handful of people cherish.
And I'll add that "I could care less" derives from the earlier "I couldn't care less", which makes a lot more sense. See http://blog.dictionary.com/could-care-less/
24 hours in a day, 7 days in a week, 52 weeks in a year.
Whoever doesn't stay home during the Christmas period in the US gets accolades from management, so there's incentive to work if you're career-focused.
In my experience splitting my time between North America and China, the difference is not terribly noticeable once you invest in a solid VPN -- which everyone does.
The network speeds here are generally far better than NA -- in tier 1 and tier 2 cities at least. If you're accessing sites in China, i.e., not going through the GFW, the average is far better than you'd find in the US. However, the GFW slows everything down. However, there are a handful of VPN providers that specialize in getting through the GFW: notably Astrill and ExpressVPN. With those on my phone, tablet, and laptop it's easy; you'd never know you were in China -- except the odd day when you have to hunt for a different server. Most experienced developers here subscribe to one of them.
Also, a lot of tech companies subscribe to "international lines". Pretty much all the ISPs offer them to business customers. They are expensive but they work very well. Usually about US$1k/mo to US$3k/mo on contract. The international lines are just hard lines to Hong Kong.
I assume 9 years later (don't know what the modern tech for web stuff is these days, but I assume encryption plays a key part) they're doing just as intrusive inspection and filtering of data.
In other words, steganography.
Also, international performance in general can be quite bad at peak times (i.e. 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!
Edit: to add to the grand parent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.
Don't suppose you could explain to us network plebs how that would bypass the Great Firewall?
It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers). You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.
Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.
If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.
This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.
But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn any of those two off, and it works.
- High accuracy (GPS, wi-fi, mobile)
- Battery saving (Wi-fi, mobile)
- Device only (GPS)
From what you say, it sounds like 'Device only' would save more battery than 'Battery saving'?
Source: worked there for a while
I believe this is the reason why they use Atlassian products, where rest of us would use trello, e.t.c.
 company that created jira
OpenVPN is like the prime suspect of a police procedural novel; it gets hunted down no matter what.
Personal experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.
Traditional VPNs such as PPTP/IPsec as well as various forms of obfuscated proxies are generally not interfered with unless something major happens. A lot of the alleged "censorship" is actually symptoms of high latency and packet loss on home connections.
So... could you avoid detection by passing an SSH tunnel through a PPTP VPN? Add enough layers, and the censors might not bother to unwrap all of them.
Note that Chinese government does not have backdoor access to those US websites, nor do they control a significant fraction of Internet infrastructure.
It's based on SoftEther VPN, which happens to be open-source and cross platform.
I'm using it for most of my VPN setups and I've generally found it to be superior to OpenVPN in every aspect (performance, usability, protocol support, obfuscation, etc).
For ssh it sometimes works for a few days, then the whole IP/host is blocked.
I did not have time to try obfsproxy, shadowsocks or whatever, but it really, really sucked. To make things worse, my Nexus phone could not get any updates etc. either, as Google is also _fully_ blocked; I felt I was back in the Stone Age there.
I recall the same thing occurring in Shanghai with many of the popular webmail services, they'd work briefly, usually just long enough to log in and get a glimpse at an inbox, then it would time out endlessly and that'd be it.
I use an unencrypted PPTP VPN and the connection is really fast and stable here (Shenzhen, China Telecom). I have tried OpenVPN and ssh but both were much slower. FWIW, I don't believe using a VPN is illegal in China (though operating a VPN service without a license most likely is) and pretty much every single foreigner I know uses one.
Internal policy dictates this, all over the world.
Email is usually on self-hosted Exchange.
Corporate firewall blocks stuff like Youtube and Facebook - also the same over the world, but some users with the business need can access whatever the business need dictates.
Some large companies just bypass the national firewall for speed reasons - this is negotiated with the government on an individual basis - pragmatically this makes sense, as the traffic is 100% encrypted back between fixed sources and destinations, and inspecting it just wastes resources for all parties. Some corporations may also have their websites for the public access bypass any filtering, also for speed reasons (for example, internet banking).
A: "No, 1.2kbps is not enough, thanks but I prefer censorship."
Is that what you're saying?
Most of the detection is focused on blocking VPNs, and they are very good at disrupting VPN traffic.
But if they can't shut it down via technology, they'll most likely shift to individual enforcement and harassment. In that case they have to chase people one at a time, so to get widespread effectiveness they have to make sure that each individual case frightens as many people as possible. That means that the individuals targeted will be punished more severely.
1. if you need custom vpn, why even have apple devices?!
2. why focus on vpn over their network instead of mesh?
"Removed according to regulations."
Let me just find the nearest cliff to jump off.
People have built successful VPN services using Shadowsocks, and they are available on many platforms, like routers and embedded systems.
And the iOS version is more or less the author's recent efforts to build a VPN client that can run on non-jailbroken iPhone, much like Cisco AnyConnect.
I think shadowsocks' popularity as a whole concerns the chinese government, so they do their usual rooting out the leader thing: now that shadowsocks org is headless in the literal sense (no owner, no main repo), they hope its development will die out.
There are plenty of people on HN who are i) wealthy ii) interested in beating censorship.
It'd be nice to see some effort going into creating software to beat censorship; having excellent translations of the documentation into a variety of languages; etc.
(Not the best code, a couple of race conditions in there)
Yes, setting up a VPS provider would be the most common way. There are Shadowsocks implementations that support multiple users so that more than one person can use it simultaneously. There are also commercial solutions for Shadowsocks where you can just purchase an account instead of setting up your own server.
freegate is a traditional http proxy or socks proxy built by Falun Gong (https://en.wikipedia.org/wiki/Falun_Gong). They built lots of software with the same technology: freegate, gpass, freeu, dynapass... People share this kind of banned software by sending it to each other, just like teenagers share adult videos. After an update of the GFW, it became unavailable and unusable.
openvpn turned breaking the GFW into a business; people sell openvpn accounts at $1.66 a month regularly. They sell this kind of service package, including pptp, l2tp, ssh and openvpn, to those who need a free network.
goagent is free software written by Phus Lu. It uses Google's App Engine as the server, so you can use it without paying money. So it replaced openvpn since it cost $0. After China banned Google, this way became harder and harder.
shadowsocks is a protocol designed by clowwindy. It became an ecosystem. People use python, C, nodejs, golang, rust, obj-c and java to write their own clients and servers. Some organizations share their servers for free; some people sell accounts and provide high speed. shadowvpn works as a VPN while shadowsocks works as a socks5 proxy, but they share the same technology.
This is the end of shadowsocks. I mean, recently more and more evidence shows that the GFW has finally found a way to recognize shadowsocks's packets. Then they stopped the development of shadowsocks.
That's all. The winter of China's network has come.
Is there technical reason to believe that shadowsocks or similar technology is the last stand against automated censorship?
I would just say this is just yet another stage in the censorship/anti-censorship cycle.
There's no guarantee that "the censorship arms race" will continue, even in your specific nation-state.
For example, I bet there's not much anti-censorship software being developed in North Korea, because people don't want themselves and their entire families tortured to death.
The real problem here is not that we might be lagging behind governments with our anti-censorship tools. The real problem is the existence of governments to begin with, because as long as they exist, they will want to control their subjects as closely as possible.
Politicians and the real rulers behind the scenes are all psychopaths.
They see us as human livestock, and any one of them would be perfectly happy with a global North Korea, as long as they personally would be in the tiny ruling elite, with all the riches and power a psycho could ever dream of.
Hmm... okay, so they defeat shadowsocks by recognizing the packets.
> Then they stopped the development of shadowsocks.
But if they already had shadowsocks beat, why do they make a public show of shutting it down?
Sounds more like they recognize that they don't have the GFW technology to defeat shadowsocks' ongoing development over time. Which suggests all you need is a new developer.
For example, if their capabilities to identify shadowsocks traffic are not particularly specific, filtering would result in undesirable impact on other traffic. They can also have other out-of-band estimates for the extent of shadowsocks use (presence of the software on seized or searched equipment, observed chatter, informants, etc).
a: build a method of detection and prevention and
b: find and coerce developer to stop improving software,
#b is required assuming the developer(s) is considered to be an above-average adversary. When there is no silver-bullet solution, a cat-and-mouse game is inevitable. That further increases the value of this action.
#a being done at the same time as #b has an effect on the collective behavior of the adversary. I'm sure various members of the RIAA and MPAA are wondering how they could have dealt with "filesharing" in a similar manner during the Napster days. But in the end it only buys you time in a cat-and-mouse game. Meh, I'm sure there is some Sun Tzu Art of War blah blah somewhere saying the same, more poetically of course.
Even if it does get completely removed, a duplicate exists on GitLab: https://gitlab.com/mba811/shadowsocks-iOS (No guarantee that it has all the commits prior to deletion, or that it hasn't been modified from the original in some way.)
I can only hope the police in clowwindy's country don't know how to switch GitHub branches.
Because it's the same SHA, and because of the way git works, we know that all the history before it is exactly the same on GitHub and GitLab.
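To make the point above concrete, here is an added example (not from the thread, and not git's own code) that reimplements git's object-id computation: a commit's id is a SHA-1 over a body that contains its parent's id, so a matching tip hash on GitHub and GitLab commits to byte-identical history behind it. The tree id, author string and commit messages are constructed sample values.

```python
"""Added example, not from the original thread: reimplements git's object-id
scheme to show why equal commit hashes imply equal history. The sample
commits below are constructed, not taken from any real repository."""
import hashlib
from typing import List, Optional

# Well-known id of git's empty tree; used here as a constructed stand-in
# for the tree that every sample commit points at.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
# Constructed author/committer line in git's "name <email> time tz" form.
AUTHOR = "A U Thor <author@example.invalid> 1433000000 +0000"


def git_object_id(obj_type: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<type> <size>\\0' followed by the body.
    This is exactly how git names blobs, trees and commits."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Id of a commit object. The parent id is part of the hashed body, so a
    commit's id covers the entire chain of commits behind it."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {AUTHOR}", f"committer {AUTHOR}", "", message]
    body = ("\n".join(lines) + "\n").encode()
    return git_object_id("commit", body)


def build_chain(messages: List[str], tree: str = EMPTY_TREE) -> List[str]:
    """Linear history: each commit's parent is the previous commit's id."""
    ids: List[str] = []
    parent: Optional[str] = None
    for message in messages:
        parent = commit_id(tree, parent, message)
        ids.append(parent)
    return ids


def histories_match(tip_a: str, tip_b: str) -> bool:
    """The check the comment above relies on: equal tip ids mean every
    ancestor commit is byte-identical too (barring a SHA-1 collision)."""
    return tip_a == tip_b


if __name__ == "__main__":
    history = ["initial import", "add obfuscation", "fix leak"]
    original = build_chain(history)
    mirror = build_chain(history)                      # faithful mirror
    tampered = build_chain(["initial import (edited)"] + history[1:])
    print("mirror tip matches:  ", histories_match(original[-1], mirror[-1]))
    print("tampered tip matches:", histories_match(original[-1], tampered[-1]))
```

This is a guarantee against silent divergence, not against a determined forger: SHA-1 collisions are practical today (SHAttered), which is why git has a SHA-256 object format in development.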
I'm saying that the result is not going to be so different, as in people will still use shadowsocks to circumvent the firewall and won't get "disappeared" or whatsoever.
Someone in this subthread mentioned something about a commit hash. This is important.
Even with root account, you are not in full control of your Mac - you are sandboxed by Apple.
It's a big step in the wrong direction [opinion], especially because it does nothing to verify "integrity". It prevents changes to the System directory by conventional means (and injection into system processes).
If malware were to figure out a way to disable SIP from userland, it could install itself in such a way that nothing short of disabling SIP could uninstall it.
But let's say you don't find a vulnerability in SIP userland detection, and instead find a kernel exploit to get around the protection:
If malware were to figure a way around it, then even antivirus software can't uninstall it. Only Apple can. It's not FUD.
SIP holes will be found, and Apple will patch them just like other security flaws.
With the condition that you have to upgrade to the very latest system :)
However, this argument falls down a little if malware doesn't actually need to modify system files, which it doesn't for most typical evil stuff I can think of.
Since all System locations will now be signed (as part of the move to SIP), it means that the basic Apple recovery partition will be able to purge any such malware by a simple signature verification.
(I have limited experience with OS X - only briefly played around with driver development and bootloaders in the 10.4 era with osx86 - and I did have to boot from the DVD a few times when I made the system unbootable.)
This raises the question, what good is root if it's not really root anymore?
The idea is to use a combination of a SecureBoot-style trusted boot sequence and technologies like Intel's SGX instructions to create an area that is protected from everything else, root included.
Ever since (heavily controlled) iOS was accepted by the tech crowd as a replacement for a proper General Purpose Computer, we've been slowly losing more and more control. At least there seem to be workarounds for this particular OSX "feature". It is incredibly important to stop this trend now; it will be a lot harder to work around these restrictions when it gets hardware support.
It's easier than that. It's just a kernel argument to disable it. Simply add "rootless=0" to your boot-args and you have control of your machine back.
I'm running the 10.11 beta and I've already had to disable rootless because I like to have /usr/local as a symlink to somewhere else and by default the rootless configuration prevents writes to /usr. :-/
They know that rootless will break some applications/drivers, plus some types of development may need it disabled.
At the very least, the OS needs to be reinstalled from an off-disk source, and that's assuming you haven't been hit by something sophisticated enough to put itself in firmware. We're fast approaching an era where you need to trash the hardware. You should never trust an OS install that was ever compromised, and making it more difficult to do so is a good thing in my book.
"all dtrace probes that target a system restricted process will not be matched" (i.e. will fail unless SIP is disabled).
I'd read a book written by Lin Yutang, called My Country and My People. All my understandings of my country after reading this book are not the same as present-day China.
What's wrong? I don't know. I just want to have freedom for Googling. I just want the people in this country to be happy, not only because they get enough to eat.
The right to be forgotten impedes total information awareness and the desire to make the perfect rational decision with your money.
This is a good thing. Total information is not perfect information because of bias and context. Someone seeking such information will process it through a biased lens and never attain perfection. In that case, the individual under the lens will lose out.
I hope one day I'll live in a country where I have the freedom to write any code I like without fear.
I believe you guys will make great stuff with Network Extensions.
There are relatively few countries in which the government both could and would interfere with someone's publication of code, and I think only in China is there both widespread computer use and internet access, on the one hand, and state security actors (the civil police, actually) who have the sophistication and funding to intervene with specific projects such as this one.
Did you mean to ask what country he was in?
> Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Equipment. ...
> As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license
> ... Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.
It's probably even more insidious, because simply confirming the existence of an NSL can be a crime punishable by significant custodial sentences. In the USA, posting "The police asked me to delete this code" could land you in federal pound-you-in-the-ass prison for 10+ years.
It's not about interfering with someone's publication of code. It's about neutralizing threats to rulers' rule.
China's rulers shut this guy down because his tool might enable too much free speech among the masses, which, in turn, would pose a threat to the government's rule.
As for the idea that "it couldn't happen here!", see how the US government "interfered" with someone's publication of articles: https://www.youtube.com/watch?v=dUYMPZ4nEOY
See also: https://www.youtube.com/watch?v=u2ebudnWlh4
Both those conferences occur in a single country, one which was not even able, under its own laws, to effectively suppress the distribution of cryptographic code when it was legally considered to be militarizable as a weapon.
And the point isn't that they weren't able to suppress crypto code; it's that they tried.