I had a customer that wanted to set up some web servers in China so that they could sign up students for some classes at their school.
At first I just assumed that this is a straightforward matter of selecting a Chinese region in a public cloud, deploying a couple of web servers, and we'd be done by lunch. Easy!
Turns out... that this is actually technically achievable, as long as: You have a Chinese business registered in China, you have a photo ID that you register with the "local authorities" (in person!), pay in Renminbi from a Chinese bank account, and read and write Chinese.
No, really. That's the process. Really: https://docs.microsoft.com/en-us/azure/china/overview-checkl...
They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.
Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.
Meanwhile, on the map of AWS or Azure regions -- or on any CDN's map -- there's just a hole where China is. It's like those photos of Earth from space, where you can see the city lights glowing brightly everywhere except for North Korea, where there's just darkness.
Remind me, why do we do business with these people again? Why do we give them our money?
And they don't mention this on that page, but for every public IP you want to use in China, you have to re-submit your ICP filing/license paperwork, listing every public IP you will use, and what it is used for. So don't accidentally destroy your AWS load balancer, or you'll need to re-file all your paperwork before you can bring your site back up! (AWS load balancers can't be configured with static IPs)
> Remind me, why do we do business with these people again? Why do we give them our money?
Because then we get money. It's the largest "emerging" market in the world. If you have a product that makes 1 million dollars in the US, do some localization work and launch it in China, and you've doubled your money. Every major corporation is actively working on launching in China, because it's obvious that they're leaving money on the table by not being in China.
Of course the laws in China are different, but I don’t see why they would be less protective of those laws than we are, even though I would agree that I think that our world is better to live in than theirs.
Where do you live? Because I know of no major country without rampant government censorship.
> They want to make sure they have someone by the balls. It's either you personally, or someone willing to step up and take the risk of jailtime on your behalf if you publish anything the Grand Pooh Xi doesn't like.
No offense, but you make a good argument for why China restricts access. Your comment seems to come from a political operative rather than someone trying to spin up some web servers in China.
> Meanwhile, I can spin up a server in Dubai or South Africa or Brazil like... right now. No paperwork. No prostrating myself in front of the Police to beg for permission to be able to post government-approved content.
You make it sound like that's a good thing? It's not. Also, all those countries you listed have censorship...
I don't know. Why are you so desperate to do business in China? Shouldn't you be happy since you aren't doing business in China?
I don't understand people like you. You say we shouldn't do business with China. But you whine about not being able to do business in China.
Oh, I understand precisely why they do it. I don't think those reasons are good, and I don't like the GFW in general. This is the same criticism I level against the policies of North Korea, for example. The policies of NK are good for a small group of people in the "inner circle" of Kim Jong-un and no one else. Similarly, the current system in China is good for the people at the top of that system, and no one else.
> Why are you so desperate to do business in China?
I'm most certainly not desperate to do business in China. My customers are desperate, and I need to be able to provide services to them.
I have similar complaints about other limitations to smooth international trade and business. Some of these aren't even political.
- The lack of proper IPv6 support -- especially by cloud vendors -- makes it increasingly difficult to communicate with some areas of the world. Multiple layers of NAT aren't a permanent fix.
- No "regions" for the larger public clouds anywhere near central Africa or from Eastern Europe all the way to Siberia.
- Poor bandwidth even to some locations that are otherwise very friendly to foreign businesses. For example, Chennai had a submarine cable cut a few years ago that caused havoc for a bunch of my customers. Their outsourced staff just couldn't work half the day. It's not a politically motivated firewall barrier, but a bandwidth barrier. The effect however is similar.
Do you really believe this? Because this screams paranoia to me. I have no idea how you got from GP's comment to suggesting they might be a political operative. I am legitimately baffled by your conclusion. Please explain.
Pre-GFW, the government was basically in a position where if there was anything illegal online (not just political stuff, but everything from gambling to piracy) they had no recourse. If they sent a takedown notice the company can basically say "why don't you make me".
So it makes total sense to require a local presence if you want to interact with the local market. The GFW in this case is a tool that the government can hit any company who doesn't comply with...
Frankly, the thing that really is worrying is that because this is so rational from an Internet governance perspective we might well see more and more countries follow this path... Not censorship per se but building up mechanisms to create a more fragmented Internet.
How strange it is to read such a normalizing comment.
It's the same problem why Russian ransomware groups can roam free and piracy is hard to deal with online.
What the laws are, that's politics. How to enforce them is just a matter of technology.
What the GFW shows is a means to an end. You may not agree with the particular end in the case of China and the CCP (I don't either) but the means itself is a result of addressing a rational need that all governments have.
The danger of the GFW is not that China is using it for oppressive purposes. It's that it works and your local democracy may well also look to it to address the same need for governance it has.
Unless you're saying there's going to be some "world government", different countries will continue to disagree on what is legal. And the path ahead is to either accept the impossibility of internet governance, or to build up more walls.
This is untrue. China (to survive as a dictatorship) may need to suppress any content. Without respect for laws.
Most countries I have been to don't have this need. They need their law to be followed and use different means.
There is no difference between suppressing arbitrary content and suppressing illegal content. It doesn't matter if the decision to block comes from a dictator or the people's vote. The technology doesn't care. You either have the ability to block content or you don't.
One must erase any reference to an historical fact in a matter of hours.
The other needs to dismantle a network of criminals.
There’s a huge difference between a point made in Realpolitik fashion vs saying it’s a norm.
It’s like having long discussions about how bad rape is vs discussing actual policies how that could be resolved and saying that you can’t discuss policy because “it sounds too cold to my ears”.
Action wise, I'm personally gonna stock up on a diverse set of VPN technologies... I don't see this trend being bucked any time soon by the trend of where politics is going.
Funnily enough I traveled to another part of China then, and the Airbnb wifi had practically no GFW-type blocking. GFW is made up of local or provider-specific implementations that vary a lot. It was a small, rural town.
Since Airbnb is international, I guess if someone (assuming it's a small private operation) is offering rental service there, they might as well set up a proxy for foreign guests.
> Some solutions would sort of work, but unreliably, with extremely minimal bandwidth and would suddenly stop working after some time
The sad part is, anti-proxy technology is also fairly advanced. Most of the well-known VPN protocols such as OpenVPN, AnyConnect, IPSec and Wireguard etc. can be identified via traffic analysis; once GFW detects suspicious traffic, it may launch probes to further investigate the service. That's why Chinese people use Shadowsocks, Clan and V2Ray; those proxies are designed to protect themselves from these situations.
Shadowsocks and V2Ray require some know-how to correctly set up. Notably, Shadowsocks requires AEAD ciphers to be relatively safe, and you should never run Tor through it due to flaws in its transport protocol. As for V2Ray, avoid VMESS protocol since it is known to be vulnerable to probe attacks.
DNS pollution was for sure only one means of the blocking. Even if the IP address of the site got resolved correctly, the site could not be reached as a result of "Connection reset" or "Remote host closed the connection" errors. I thought the blocking was all the time and everywhere until I accidentally realized that I had just accessed some site without VPN connected and such state could last for from hours to days, as long as I did not access contents deemed sensitive; sites did not seem to matter that much as blocking would not be triggered until I clicked some links. HTTPS did not seem to help at all, so GFW must have the ability to do deep packet analysis. Such behaviors make sense to me as the network traffic in China is enormous; even the government would not have enough resources to monitor everything all the time, so the practical approach would be using a little bit of heuristics and commencing blocking only when certain signals were triggered. Also I encountered a couple of times man-in-the-middle attacks as I noticed my browser was not happy with the site's certificates. Such attack might be carried out by the ISP as the certificates were self-signed.
The SIM can be purchased in any convenience store in HK without identification.
That's the easiest solution in my eyes.
I believe Google's Outline uses it.
In the end, I'm not going to try that anymore, I haven't been in China for 2+ years now due to COVID, but next time, I'll hope my server is out of the blacklist again and hope I can access my (self-hosted) emails and other normal services that don't try to evade it.
The student VPN of another Asian university or the employee VPN of a well established company seemed to work last time. Not sure if that can be counted on reliably though...
Japan VPS location worked ok to access European sites, much better than Hongkong based, but I guess that's the peering.
- Bidirectional DNS poisoning: China can send forged DNS responses if you try to access certain Chinese domains from outside the GFW. This isn't server-side enforced geoblocking.
- GFW uses a small space of forged IPs, some belonging to Facebook, Twitter, Dropbox which may be responsible for a non-negligible overhead in server costs responding to HTTP requests for irrelevant hostnames.
Can FB sue China in court for damages for the cost of serving these forged requests?
They had to pass a special law to allow the 9/11 families to sue https://en.m.wikipedia.org/wiki/Justice_Against_Sponsors_of_...
Sure they can. They can't win, but they can waste time and money.
The paper is also accompanied by an excellent presentation on the USENIX channel, https://www.youtube.com/watch?v=nPwsROLZrnc.
Both. Neither. (Is there a difference for us? I doubt it.)
The state of what's allowed through TGFWC changes constantly.
Interestingly, "time in China" is one time, because China has 1 official time zone. Even though it spans 5 geographical time zones. Unless you're in Xinjiang, in which case if you're talking to a Uyghur or Kazakh, they're using Xinjiang time, which is 2 hours behind Beijing Time. Unless you're watching a non-Uyghur/Kazakh TV channel, in which case the time is back in Beijing Time.