Defeating China's National Firewall
Bruce Schneier is reporting on his blog that a recent paper is discussing how to defeat China's national firewall. From the article: "However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall's reset packets, then the connection will proceed unhindered! We've done some real experiments on this -- and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall -- just shut your eyes and walk onto Platform 9¾."
Okay, now that you let the cat out of the bag, how long before the Great Chinese Firewall gets this hole plugged?
On the other hand, the more they try to squeeze star systems, the more they will slip out of their han (or something like that).
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
...is a billion Chinese walking into the great wall of China...all at once.
Purple, because ice cream has no bones.
Thanks for doing the security analysis for us. We appreciate your hard work and excellent documentation.
Your Pal,
Wen
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
No one is monitoring that protocol
Wouldn't this be easily detectable and probably illegal (for someone in China)? It sounds like a good way to get in trouble.
that most of the Chinese people don't know/care about the firewall?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
That's the last time you break down my shitty firewall!
Jeez, why is it every time Chinese build a wall, those damn Mongolians gotta break it down?
The revolution will not be televised... but it will have a page on Wikipedia
How the heck is it anything like shutting your eyes and walking onto Platform 9¾?
Maybe if the Chinese authorities found you on board this 'train', they could act like those terrible dementor things I guess.
It is irresponsible for people to post ways of bypassing the security restrictions a sovereign nation has enacted upon its people. If the Chinese people don't like the way their government is restricting their access to information then they have a moral obligation to overthrow that government, either peacefully via voting in the next election, or by force using a militia formed from the people. By showing the Chinese people ways to exist comfortably within the restrictions imposed by an immoral government we're not helping them to reach a better place in life.. namely a free and democratic Republic of China.
If I'm correct, and I think I am:
This has the potential to triple the traffic through their firewall as resets are sent for every packet. So consequently, not only is it an illegal act of hacking (even by US standards) but the potential does exist for a resulting DOS attack that could take the firewall down completely.
Kids have too much time on their hands. No matter how "horrible" Chinese internet policy is by US standards, it's their damned network segment. Let them work it out for themselves.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
But even in the west I feel more comfortable using Tor, a (well, close enough) anonymizing proxy.
I used to use JAP (a similar project but the client was Java based and less transparent) but Tor is considerably faster. Throughput up to 60K/sec on a 512k/sec DSL line (as fast as it ever goes with no proxy) means that it's practical to use for all traffic and makes the needle much harder to find in the haystack.
Think of the Children; Sleep with your Sister
See the parallel?
Engineering is the art of compromise.
Could we just think of this as the "Indiana Jones and the Last Crusade" approach?
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Everyone knows that it's many miles long... one single attack cannot bring it down...
sig goes here!
Just a thought.
the_crowbar
Have you read the Moderator Guidelines
Or you just type in:
idspispopd = Walk through wall in noclip style
If you mod this up, your slashdot background will turn into a beautiful sunset!
The Chinese internet doesn't belong to the Chinese government, it belongs to the Chinese people. When they have a real democracy then "they" (the people) can decide how to run it. Until then we shouldn't respect how "they" (the government) want to run the internet any more than we would if some bank robbers were holding hostages and "they" (the robbers) wanted to decide how to run the bank.
What, and turn the filtering firewall into a /dev/null where no packets can get in *or* out... yeah, that'll show 'em!
The revolution will not be televised... but it will have a page on Wikipedia
Don't you mean...
Firewall 1,306,313,812; Haxors 1 ?
Do you recall that little American Revolution way back in the mid 1770's? You know, the one the then-English colonies were LOSING? The U.S. would have been in quite a pickle without the French providing financial and military aid. Sure, it was in their own self-interest, but that makes their aid no less valuable.
Just because a Revolution receives assistance from the outside makes it no more or less legitimate.
SirWired
Gimmicks like these won't last long. How many Chinese would actually search for information against their government? Even if they do, they will always have the fear of being caught. Until every Ying Yang realizes the need to overthrow the system, nothing is going to happen.
I think your post got cut off. Would you please repost?
You can pick up from "Here's how you can get those poor miserable people the drugs they want and need..."
Thanks!
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Third party off-to-the-side resets are actually hard to do against a modern OS. Remember that big TCP reset against Cisco routers that could tear down BGP sessions... The fix was to be more restrictive on accepting reset packets. To do a third-party reset you have to be able to send the reset in real-time or each endpoint will have advanced their sequence window (actually the ack window is what matters). The reset will be properly ignored as invalid because each endpoint has moved on which would be impossible if one had actually sent the reset.
A third party spoofer can play games with the TCP Timestamps to effectively shut down a connection and he only has to be near-realtime. Send the right value and all of the legitimate packets get dropped by the OS's PAWS checks. I'll leave that one as an exercise to the reader.
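Added example, not part of any comment in this thread: the comment above says the fix for off-path resets was to be stricter about which RST segments an endpoint accepts. The sketch below contrasts the original in-window rule with an exact-match rule modelled on RFC 5961 section 3.2 (my choice of reference; the comment does not name one). Function names and the sequence numbers in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: how a receiver can judge an incoming RST (RFC 5961 style). */
enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_ACCEPT };

/* True if seq is in [rcv_nxt, rcv_nxt + rcv_wnd), using modulo-2^32 math. */
static int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Original RFC 793 rule: any RST whose sequence number is in the window resets. */
enum rst_action classify_rst_rfc793(uint32_t seg_seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (seg_seq == rcv_nxt || seq_in_window(seg_seq, rcv_nxt, rcv_wnd))
        return RST_ACCEPT;
    return RST_DROP;
}

/* Stricter rule: only an exact match resets; in-window gets a challenge ACK. */
enum rst_action classify_rst_strict(uint32_t seg_seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (seg_seq == rcv_nxt)            /* also covers a zero receive window */
        return RST_ACCEPT;
    if (seq_in_window(seg_seq, rcv_nxt, rcv_wnd))
        return RST_CHALLENGE_ACK;      /* the real peer would answer with an exact RST */
    return RST_DROP;                   /* stale or guessed: ignored */
}

int main(void)
{
    /* Constructed values: the sender of the RST saw the stream at 1000, but the
       receiver has since taken three 1460-byte segments. */
    uint32_t seen = 1000, rcv_nxt = 1000 + 3 * 1460, wnd = 65535;
    printf("stale RST:      %d\n", classify_rst_strict(seen, rcv_nxt, wnd));
    printf("in-window RST:  %d (rfc793: %d)\n",
           classify_rst_strict(rcv_nxt + 500, rcv_nxt, wnd),
           classify_rst_rfc793(rcv_nxt + 500, rcv_nxt, wnd));
    printf("exact RST:      %d\n", classify_rst_strict(rcv_nxt, rcv_nxt, wnd));
    return 0;
}
```

The stale case is the one the comment describes: once the receiver has moved past the sequence number the third party observed, the segment falls behind the window and is dropped under either rule.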
They're Mongorians!
And before someone lambasts me for making fun of Engrish, I should clarify that I'm amused by all variations of the English language. A good number of my fellow Maltese citizens butcher English, for example, even though it's supposed to be a first language. Only in Malta can you fill your car up with pitlor (petrol), have your football team lose on a pineltri (penalty), and make windows out of enimielju (aluminium). By the way, those aren't Maltese words, those are what many Maltese people think the English words actually are. Oh, and they also think that Hoover, Jablo, Kenwood, and Geyser literally mean a vacuum cleaner, polystyrene foam, a cake mixer, and a hot water heater, respectively.
Here's the South Park clip about Mongorians from YouTube.
*blinking cursor*
Why do you think that the only legitimate way to deal with a bad government is to overthrow it, by election or force? What's wrong with getting a bad government to change its ways?
Do you think that any time a government is doing something bad, that the government should be overthrown (or voted out)? What if a government is doing some really wrong things, but it's also doing some good things? Suppose you think that a President has done one thing that's very wrong, but that aside from that one thing, he's done a fantastic job. Are you morally obliged to vote that President out? Imagine it's 1948. You think Truman did a terrible thing when he used nuclear weapons in Japan, but you approve of everything else he's done, and you don't like Dewey. Are you morally required to vote for Dewey anyway?
Do you think that armed rebellion is the only way for a non-democratic government to become democratic? If so, why do you think this? There are examples in recent history of non-democratic governments becoming democratic without a shot being fired (e.g., most of Eastern Europe). Or think about the way the U.K. changed from a non-democratic monarchy to a parliamentary democracy with a figurehead monarch.
Have you thought about what would be involved in overthrowing China's government by force? For some period of time, China would be without any government at all. Think how wonderful it would be for a country with a population of over a billion and a large supply of nuclear weapons to find itself suddenly without a government.
One way to get a government to stop trying to regulate something is to make its efforts to regulate it spectacularly ineffective. This happened in the United States with Prohibition. Why can't it happen in China?
Why yes, I do. It is why I am a Libertarian. It is a huge waste of time, effort and money to stop drugs. Instead the government should regulate the HELL out of them like they do Cigarettes and Alcohol, and tax them into oblivion. Prolly would get rid of the Income Tax with the revenue.
.........
AND it would clean up the Drug Cartel Violence found in Brazil, Argentina, Mexico
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
This sort of reminds me of the way the Mongols defeated the Great Wall of China.
Did they tear the wall down? No.
Did they march around one end of the wall? No.
They simply bribed a guard to open the gates.
Maybe China shouldn't be so fixated on walls.
Then he'll go home to his wife and kids, proud that he's done a good job. If you're here, raise your hand.
Kind of funny, eh, that repression has been outsourced to us now. (Yes, Cisco helped set up the great firewall, sold the equipment, and worked extensively to prevent free access by Chinese citizens.)
The baby's fine -- please stop sending business cards.
Yes you are right. BOTH ends need to drop the resets. But all they need are for a few web proxies on the outside to drop packets. I could set one up in my house in 20 minutes. I imagine a few thousand people could set up proxy servers. This is so simple to do. You do not even need to write software; it can be done with a firewall rule.
Illegitimate? Whatever, dude. The Chinese are, with the exception of Americans, the most patriotic people I've ever come into contact with -- nationalist fervor is so ingrained here it's absolutely frightening. They're not interested in revolt and on the whole are happy with the status quo. They love their country and go on and on about it. Really. If there were a vote tomorrow there is no doubt in my mind that the CCP would win.
During the Chinese civil war, the Communist party was overwhelmingly supported by the people.
Your assertion that non-democratic societies are illegitimate suggests that most societies in history have been illegitimate. I'm not sure that's a particularly useful definition of legitimacy.
mugabe was once a hero on the street in zimbabwe
ask the street what they think of him now
i have no doubt that nationalism is fervent in china. i also have no doubt that a chinese person can separate pride in china from pride in the CCP. i am proud to be an american, but i don't like the bush administration. see how that works?
additionally, in 2008, i know bush won't be in the white house anymore. and i will get to add my voice to who the next leader will be. and so i am happy with how my government works, even though i don't like its composition right now
that's called legitimacy in the eyes of the people. it creates confidence, stability. can your average chinese citizen say the same about their relationship with their government?
my point is very simple, but if you don't want to accept it, that's fine: but democracy is the only form of government known to mankind that manufactures legitimacy. every other form of government, legitimacy decays over time
i'm certain other governments have and will retain mythical status in the eyes of their people, even if they aren't democratic, for decades even
but unless the people are consulted again, that legitimacy will eventually decay into resentment
it's a simple straightforward concept
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I've been living in China for the past year, and have asked lots of people about this. The only people who care about the firewall are foreigners, because the firewall blocks foreign sites. The vast majority of Chinese don't care that they can't read bbc.co.uk. What they DO care about is the staggering number of domestic blogs and news sites that get shut down each month for being labeled "obscene" or "seditious," and no amount of internet wizardry is going to let you access a site whose server has been confiscated and webmaster imprisoned. I suppose Google could step up to the plate and start caching all of these doubleplus ungood blogs before they get taken down, and then perhaps bypassing the firewall would be useful, but I'm not going to hold my breath waiting for that to happen.