Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS). For example, in a traditional HTTPS session, if the client browser downloads, say, a 500kB image over HTTPS, it will send periodic empty TCP ACK packets as it receives the data. But when using a VPN that encrypts data at the IP layer, these empty ACK packets will be encrypted, so The Great Firewall will see the client sending small ~80-120 byte encrypted packets, and will count this as one more sign that this might be a VPN.
That's why people in China have to use VPN tools that most westerners have never heard of: obfsproxy, ShadowVPN, SoftEther, gohop, etc. All these tools try to obfuscate and hide VPNs. I have a lot of respect for all these Chinese hackers like clowwindy who try to escape censorship, as it takes more technical prowess than you think to design a VPN that works in China.
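An added illustration of the packet-size point in the comment above (not part of the thread, and not code from any tool named in it): two constructed flows for the same 500 kB download, one plain HTTPS and one inside an IP-layer tunnel, and the uplink size profile an on-path observer can compute without decrypting anything. The 1460/1360-byte segment sizes, the 40-byte inner IP+TCP header and the 56-byte tunnel overhead are assumptions chosen for the sketch.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Pkt:
    uplink: bool   # True = client -> server
    payload: int   # transport-layer payload bytes an on-path observer can count

def https_download(total=500_000, mss=1460):
    """Constructed HTTPS flow: TLS data down, one empty TCP ACK up per two segments."""
    pkts = [Pkt(True, 517), Pkt(False, mss), Pkt(True, 420)]  # hello / reply / request
    for i in range(1, math.ceil(total / mss) + 1):
        pkts.append(Pkt(False, min(mss, total - (i - 1) * mss)))
        if i % 2 == 0:
            pkts.append(Pkt(True, 0))          # pure ACK: header only, payload 0
    return pkts

def tunnelled_download(total=500_000, inner_mss=1360, overhead=56):
    """Same download inside an IP-layer tunnel: every inner packet, including
    the 40-byte header-only ACK, is encrypted and sent as a datagram payload."""
    wrap = lambda inner_payload: inner_payload + 40 + overhead  # assumed sizes
    pkts = [Pkt(True, wrap(517)), Pkt(False, wrap(inner_mss)), Pkt(True, wrap(420))]
    for i in range(1, math.ceil(total / inner_mss) + 1):
        pkts.append(Pkt(False, wrap(min(inner_mss, total - (i - 1) * inner_mss))))
        if i % 2 == 0:
            pkts.append(Pkt(True, wrap(0)))    # encrypted ACK: 96 bytes on the wire
    return pkts

def small_uplink_ratio(pkts, lo=80, hi=120):
    """Fraction of client->server packets whose payload falls in the small band
    (the ~80-120 byte range mentioned in the comment)."""
    up = [p.payload for p in pkts if p.uplink]
    return sum(lo <= n <= hi for n in up) / len(up) if up else 0.0

def uplink_profile(pkts):
    """Summary built from packet sizes and direction only."""
    up = [p.payload for p in pkts if p.uplink]
    return {"uplink_pkts": len(up), "empty_acks": up.count(0),
            "small_ratio": round(small_uplink_ratio(pkts), 3)}

if __name__ == "__main__":
    print("https :", uplink_profile(https_download()))
    print("tunnel:", uplink_profile(tunnelled_download()))
```

The HTTPS flow shows 171 visibly empty ACKs and nothing in the small band, while the tunnelled flow shows no empty ACKs and almost all uplink packets at one small size, which is the metadata difference the comment describes.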
I have noticed they have multiple situations; for example, when everything's quiet the internet is not so bad (despite the fact that bandwidth is extremely low for a huge number of people), but when some news comes out about government corruption, guess what? Some VPNs do not work. In the 2009 Green Movement they closed every HTTPS connection (maybe that was a red alert situation).
P.S.: https://en.wikipedia.org/wiki/Deep_packet_inspection
P.S.: I use a VPS from the Netherlands for bypassing the firewall, but it takes a huge amount of time and a little money. But the point is 99.999% of people don't have this option (I use shadowsocks, sometimes other tunnels), so they use the internet the way it is or some software like freegate and others, but with extremely low speed and unbearable lag.
P.S.: pptp, l2ps and others are closed right now. Even President Rohani couldn't manage the situation. I have heard he did want to do something but the supreme leader and his people stopped him.
It turned out that RDP actually worked pretty well. I did hesitate to post this in case it's seen by the wrong people(!), though given it's a while since it was necessary to use, it may be blocked by now anyway.
I wonder if it was available because it was relatively little known and, if so, what other little known protocols might be available.
As a Chinese netizen I don't know if I should be proud that we have world-class advanced technology or be ashamed. Possibly ashamed.
Oh I just gave away so much secret. I'm so doomed. Everything above are just made up stories. Don't believe me. Don't track me down. Please.
These are our colleagues designing and implementing these tools of oppression. We should ask them why they exercise their talents in this way.
Chief among these was the Three Kingdoms War when up to 40 million are reckoned to have perished in military operations and from the destructive consequences of warfare. This is an enormous number, considering that the global population at that time is unlikely to have exceeded 400 million. More recently, the Taiping Rebellion claimed more than 20 million lives while the civil war that brought the Communist Party to power resulted in 7.5 million deaths, over and above the 20 million estimated to have been killed in the roughly contemporary Japanese invasion.
This is not the history we were taught at school but Chinese leaders are well aware of these facts.
When disorder breaks out in China, things turn very nasty indeed.
It is best, therefore, to avoid disorder at almost any cost."
That is why.
Or would you prefer to have China descend into the chaos of Rwanda or Sudan?
Also, when quoting large blocks of text it is usually helpful to source that quote.
If they are using oppression to avoid disorder, they'd better have a long-term plan. Otherwise they are digging their own grave.
Not many people fear chaos in the USA, and not because they have the best firewall.
Incidentally, in most of those Chinese conflicts (4 out of 5 I believe), they were right. Many other wars were similar: they start with "immigration", numbers increasing, conflict, open conflict (and mass death), repression (of the losing side). Extermination is often tried but rarely succeeds. Well, it succeeds in causing mass death, but it doesn't succeed in the sense that extermination is the result.
There are not millions of doomsday preppers in the US. And their obsession is not representative of public will or sentiment.
The comment you're replying to said:
>Not many people fear chaos in the USA, and not because they have the best firewall
So you seem to be saying that if the US had a Great Firewall the nutjobs who spend half their salary on underground bunkers and armament wouldn't. That's a pretty silly argument.
And I wonder if filling in the Apple form helped them find him, or if it was just bad timing.
Pretty much all the ISPs sell "international lines" as well. But only as part of their business packages. Usually it will run for about US$1k/mo - US$3k/mo with minimum 1-2 year contract for their "starter" package. Most tech companies in my area have them; they work very well. Essentially they are a hardline to Hong Kong and they ration out to subscribers.
The key thing to understand about the GFW is that it's not about general censorship of the population. Frankly the government doesn't care if someone who is middle class, i.e., invested in the status quo, gets around the GFW. They are more concerned about conservatives in lower classes trying to organize to stop the move towards capitalism. And it's mostly about protecting the market now so local companies can get access to these lower classes as their position improves and they join the middle class.
It's not just international companies. Chinese companies are all about going overseas now. China is now a net exporter of investment. Plus it seems every company with an app that has a moderate amount of success wants to reach Chinese outside of China -- they have more money -- and so need to integrate with blocked services like FB. And exporting Chinese online games to other developing nations is really taking off.
"Reason for Recommending: Reliable connection, fast speed. Fast customer support."
What do you mean by 'reliable'? What do you mean by 'fast'? Are you talking about latency or throughput?
"Reason for not recommending: sometimes hard to connect"
How many times out of ten? Using which VPN protocol(s)? Was this using PPTP, or OpenVPN over stunnel?
I run my own VPN servers (for myself and friends) but of course there is some ongoing maintenance effort to add new servers to replace those for which latency and/or throughput have declined. If there were a site with specific data about different companies' performance (over time), that would help me to decide whether it's still worth the effort.
Now, on previous trips I experienced what you mentioned. It seemed really like there was some machine learning going on, and after using a VPN for a while the connection would get bad. But I guess it might not be machine learning, there might just be a huge number of humans watching your traffic - which would explain why it is so inconsistent.
The thing that worked best for me is just using ssh -D (on most days). Our workplace uses ssh a lot for secure communication with outside China, so that couldn't possibly be blocked without hindering our work (and I believe 'they' have no interest in that). So whenever I had to access something for work that was sillily blocked (argh gmail), I just used the ssh connection that was open anyway.
And what most ppl do when facing this? They choose a local service instead of Twitter, Facebook, Youtube, Google. See, censorship is only a part (though a vital part) of the grand scheme.
It's a pretty sophisticated arms race that's led to some cool stuff, notably pluggable transports (like the obfsproxy you mentioned): https://www.torproject.org/docs/pluggable-transports.html.en
Unfortunately the companies that enable this deep packet inspection are often American companies working overseas. My friend who used to work at Cisco said they had internal slide decks about the improvements they could make to the Chinese firewall. Then there's Bluecoat in Sunnyvale (https://www.bluecoat.com/) building the censorship systems for the middle east.
Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in some way, but I think it's wrong.
Pursuit of the almighty Free Market without regard for scruples or morality. Basically, public corporations base success only on money. If you as an executive refuse to bow down before Mammon[1,2] then you are replaced by someone who will. See also Charles Stross' excellent Invaders From Mars. The Chinese government and other regimes pay big money for these tools.
I thought it was just a consequence of being on spotty < 5 Mbps (ADSL?) connections. The internet situation was barely tolerable for a few weeks' stay; I can't imagine what living in these conditions 24/7/365 is like.
"24/7" means 24 hours a day, seven days a week.
"24/365" means 24 hours a day, 365 days a year.
"24/7/365" means 24 hours a day, 7 days a week, 365 weeks a year?
I know, I know, it's become an idiom, and it's like "I could care less", and you can't try to understand it except as an atom that carries a meaning, but it just looks wrong to me.
Sorry - I'll now return you to your regular programming.
If the sole holiday were a single Golden Week sometime in the year, the idiom may indeed have been "24/7/52", but holidays are simply scattershot like that.
It's not that the individual segments relate to each other. Rather they answer three sets of questions:
What are your daily hours? All of them. 24 hours / day.
What weekdays are you open? Again, all of them. 7 days/week.
What holidays do you observe per year? None, we're open 365 days/year.
Since there's rarely a monthly cycle to business closings and there aren't a standard number of days per month, that's elided.
It also helps to realize that human timekeeping is really based on three independent phenomena which are utterly unrelated. There are day-based units: seconds, minutes, and hours are all subdivisions of the period of rotation of Earth about its axis.
The month is based on the Moon's orbit about Earth. That it is roughly 30 days is a notional convenience, similarly its rough divisibility by 4 into 7 day periods. The week is entirely synthetic (though profoundly persistent).
And the year on Earth's orbit about the Sun. Again, relationship to days and months are entirely arbitrary.
That's why it often seems time units are arbitrary. They are.
There's a brief book which lays this out and traces the calendar through time, The Seven Day Cycle.
7 *days* per *week*
24 *hours* per *day*
365 *days* per... *year*
Just trying to help. ;-)
24 hours a day, 7 days a week, 365 days a year.
Of course, this is a losing battle. People just don't care if what they say makes sense, they just say stuff and assume that people will understand. This is one of the things that makes language bizarre, miraculous, infuriating, and impossible to analyse. I note examples like this because they are caltrops on the road for NLP.
> They are all relative timeframes by which
> a store may be closed; certain hours during
> the day, certain days during the week, and
> certain days during the year.
> Your inability to make sense of it doesn't
> affect the rest of us.
> ... it is the result of a willful ignorance
> that you are bragging about.
> It doesn't make for very interesting trolling.
I would argue that no single statement can make sense. Sense is made when multiple statements are combined.
It's really all just about appropriate cognitive load. Every statement must be processed and it's great to be as accurate as possible and as accurate as the consensus agrees to.
Anything higher quality than that falls under the category of "great writing," which only a handful of people cherish.
And I'll add that "I could care less" derives from the earlier "I couldn't care less", which makes a lot more sense. See http://blog.dictionary.com/could-care-less/
24 hours in a day, 7 days in a week, 52 weeks in a year.
Whoever doesn't stay home during the Christmas period in the US gets accolades from management, so there's incentive to work if you're career-focused.
In my experience splitting my time between North America and China, the difference is not terribly noticeable once you invest in a solid VPN -- which everyone does.
The network speeds here are generally far better than NA -- in tier 1 and tier 2 cities at least. If you're accessing sites in China, i.e., not going through the GFW, the average is far better than you'd find in the US. However the GFW slows everything down. However, there are a handful of VPN providers that specialize in getting through the GFW: notably Astrill and ExpressVPN. With those on my phone, tablet, and laptop it's easy, you'd never know you were in China -- except the odd day when you have to hunt for a different server. Most experienced developers here subscribe to one of them.
Also, a lot of tech companies subscribe to "international lines". Pretty much all the ISPs offer them to business customers. They are expensive but they work very well. Usually about US$1k/mo to US$3k/mo on contract. The international lines are just hard lines to Hong Kong.
I assume 9 years later (don't know what the modern tech for web stuff is these days, but I assume encryption plays a key part) they're doing just as intrusive inspection and filtering of data.
In other words, steganography.
Also, international performance in general can be quite bad at peak times (i.e. 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!
Edit: to add to the grand parent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.
Don't suppose you could explain to us network plebs how that would bypass the Great Firewall?
It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers). You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.
Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.
If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.
This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.
But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn any of those two off, and it works.
- High accuracy (GPS, wi-fi, mobile)
- Battery saving (Wi-fi, mobile)
- Device only (GPS)
From what you say, it sounds like 'Device only' would save more battery than 'Battery saving'?
Source: worked there for a while
I believe this is the reason why they use Atlassian products, where the rest of us would use Trello, etc.
 company that created jira
OpenVPN is like a prime suspect of a police procedural novel, it gets hunted down no matter what.
Personal experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.
Traditional VPNs such as PPTP/IPsec as well as various forms of obfuscated proxies are generally not interfered with unless something major happens. A lot of the alleged "censorship" are actually symptoms of high latency and packet loss on home connections.
So... could you avoid detection by passing an SSH tunnel through a PPTP VPN? Add enough layers, and the censors might not bother to unwrap all of them.
Note that Chinese government does not have backdoor access to those US websites, nor do they control a significant fraction of Internet infrastructure.
It's based on SoftEther VPN, which happens to be open-source and cross platform.
I'm using it for most of my VPN setups and I've generally found it to be superior to OpenVPN in every aspect (performance, usability, protocol support, obfuscation, etc).
For ssh it sometimes works for a few days, then the whole IP/host is blocked.
I did not have the time to try obfsproxy, shadowsocks or whatever, but it really really sucked. To make things worse, my Nexus phone could not get any updates etc. either, as Google is also _fully_ blocked. I felt I was back in the Stone Age there.
I recall the same thing occurring in Shanghai with many of the popular webmail services, they'd work briefly, usually just long enough to log in and get a glimpse at an inbox, then it would time out endlessly and that'd be it.
I use an unencrypted PPTP VPN and the connection is really fast and stable here (Shenzhen, China Telecom). I have tried OpenVPN and ssh but both were much slower. FWIW, I don't believe using a VPN is illegal in China (though operating a VPN service without a license most likely is) and pretty much every single foreigner I know uses one.
Internal policy dictates this, all over the world.
Email is usually on self-hosted Exchange.
Corporate firewall blocks stuff like Youtube and Facebook - also the same over the world, but some users with the business need can access whatever the business need dictates.
Some large companies just bypass the national firewall for speed reasons - this is negotiated with the government on an individual basis - pragmatically this makes sense, as the traffic is 100% encrypted back between fixed sources and destinations, and inspecting it just wastes resources for all parties. Some corporations may also have their websites for the public access bypass any filtering, also for speed reasons (for example, internet banking).
A: "No, 1.2kbps is not enough, thanks but I prefer censorship."
Is that what you're saying?
Most of the detection is focused on blocking VPNs and they are very good at disrupting VPN traffic.
But if they can't shut it down via technology, they'll most likely shift to individual enforcement and harassment. In that case they have to chase people one at a time, so to get widespread effectiveness they have to make sure that each individual case frightens as many people as possible. That means that the individuals targeted will be punished more severely.
1. if you need custom vpn, why even have apple devices?!
2. why focus on vpn over their network instead of mesh?
"Removed according to regulations."
Let me just find the nearest cliff to jump off.