Cambridge Breached the Great Firewall of China
Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."
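A toy model of the mechanism the summary describes, added here as an illustration; it is not code from the Cambridge researchers or from the firewall itself. The pair-keyed block table with a one-hour expiry follows the summary; the keyword list, the packet fields and the handshake tracking in the stateful variant are assumptions made for the example. The point it makes runnable is why statelessness matters: a box that judges each packet on its own cannot tell a forged packet from a real one, so anyone who can spoof a source address can get two hosts of their choosing cut off from each other for an hour.

```python
"""Toy model of a stateless, keyword-triggered blocking IDS, showing why a
single packet with a forged source address can get two arbitrary hosts cut
off from each other, and what observing connection state would change.
Added example, not code from the Cambridge researchers or from the firewall.
The block table keyed on (src, dst) with a one-hour expiry follows the
summary; the keyword list, the handshake tracking and the packet fields are
assumptions made for illustration."""
from dataclasses import dataclass

BLOCK_SECONDS = 3600                      # "up to an hour at a time"
SENSITIVE = (b"falun", b"democracy")      # constructed keyword list (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""
    syn: bool = False
    ack: bool = False


class StatelessIDS:
    """Judges every packet on its own; the only memory is a pair -> expiry map."""

    def __init__(self):
        self.blocked = {}                 # (src, dst) -> time the block lapses

    def inspect(self, pkt, now):
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if now < self.blocked.get(key, -1):
            return "RST"                  # pair still blocked: reset it
        if any(k in pkt.payload.lower() for k in SENSITIVE):
            self.blocked[key] = self.blocked[rev] = now + BLOCK_SECONDS
            return "RST"
        return "PASS"


class StatefulIDS(StatelessIDS):
    """Same keyword rule, but payloads are only inspected inside a flow whose
    three-way handshake was seen.  A lone forged packet never qualifies,
    because the forger never receives the SYN/ACK.  (Address pairs only; a
    real tracker would also check ports and sequence numbers.)"""

    def __init__(self):
        super().__init__()
        self.half_open, self.established = set(), set()

    def inspect(self, pkt, now):
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.syn and not pkt.ack:
            self.half_open.add(key)
            return "PASS"
        if pkt.syn and pkt.ack and rev in self.half_open:
            self.half_open.discard(rev)
            self.established.update((key, rev))
            return "PASS"
        if key not in self.established:
            return "PASS"                 # untracked packet: no action taken
        return super().inspect(pkt, now)


def forged_then_legit(ids, now=0):
    """Attacker forges victim -> server with a keyword, then the real victim
    opens a connection and sends an innocent request.  Returns the verdict on
    the victim's request."""
    ids.inspect(Packet("victim", "server", b"... falun ..."), now)
    ids.inspect(Packet("victim", "server", syn=True), now + 5)
    ids.inspect(Packet("server", "victim", syn=True, ack=True), now + 5)
    return ids.inspect(Packet("victim", "server", b"GET / HTTP/1.0"), now + 6)


def block_expires(now=0):
    """The stateless block lapses after BLOCK_SECONDS: verdicts at +10 s and +1 h."""
    ids = StatelessIDS()
    ids.inspect(Packet("victim", "server", b"democracy"), now)
    innocent = Packet("victim", "server", b"GET / HTTP/1.0")
    return ids.inspect(innocent, now + 10), ids.inspect(innocent, now + BLOCK_SECONDS)


if __name__ == "__main__":
    print("stateless:", forged_then_legit(StatelessIDS()))   # RST: victim cut off
    print("stateful: ", forged_then_legit(StatefulIDS()))    # PASS: forgery ignored
    print("expiry:   ", block_expires())                    # ('RST', 'PASS')
```

The stateful variant still censors a keyword sent inside a real connection; what it removes is the ability of a third party to trigger the block on someone else's behalf, which is exactly the DDoS the summary describes.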
How exactly does a stateless IDS block connections for up to an hour? Are there other components to the firewall I'm not aware of, or does stateless mean something else these days?
An "active" spam filter that automatically shoots down Chinese spammers. The IP gets blocked off for an hour and can't spam anyone at all outside China.
Of course at the same time I can think of a million abusive applications for this...
...what would happen if I sent some packets from google.com to google.cn, containing words like 'democracy' and 'Falun Gong'.
As far as I understood it, the point is that the wall blocks out IPs outside of China that try to send "sensitive" data into China.
Not a big deal either. Just send the IP Address of any mailserver you want to protect with a packet containing something "sensitive".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm sure they could firewall the entire country on a few PIX boxes *rolleyes*
They chose stateless because the lack of state table for every connection saves a *ton* of resources.
I highly doubt that they could get their population to accept them completely shutting off access to the outside world
Er, exactly which China are we talking about here? If the population don't accept things, they get run over by tanks.
init 11 - for when you need that edge.
The Chinese firewall is nothing - try getting through the Saudi firewall. As I understand it, the Chinese are at least a bit less modest about what is banned, so you should be able to get at least some legit porn sites through the Chinese internet. However, the Saudi internet would block not just porn sites, but women's rights websites, women's magazine websites, even medical sites - anything that would display a photograph or illustration of a naked woman or man was strictly banned. Even if it was just part of a human body, i.e. shoulders up.
It's not something that is trivial to fix. Others can do a better job of explaining why, but for now, suffice it to say that it'd require a significant effort on the part of the Chinese Gov't.
Maybe it can be fixed in The Great Firewall of China v2.0
[Fuck Beta]
o0t!
I think there are some good points to the existence of the firewall. While the firewall itself is a bad thing, no doubt, the fact that the Chinese have access to the internet at all is a huge step forward for them. We're talking about a country that was totalitarian for centuries, with virtually no interest in or comprehension of individual human freedoms.
It also speaks to the power of the internet's design. Here is a nation notorious for its control of information, and the techniques they use are easy to discover, and possible to circumvent. If China can't restrict the internet, then there's hope that other governments and maybe even multinational corporations won't be able to pull it off either.
With luck, the firewall will become an irony of the past, as the importance of human dignity becomes apparent to the Chinese government.
Clayton, speaking at the Sixth Workshop on Privacy Enhancing Technologies in Cambridge last week, said that the researchers had reported their findings to the Chinese Computer Emergency Response Team.
So the PRC dictatorship was directly told how to make their firewall better.
Way to go!
http://www.cambridge-mit.org/cgi-bin/default.pl
/Just showing that they both have very smart technical people learning/researching there.
Their research is concerned with DRM ass hat tactics and such...pity!
Well done on writing a 'how-to' on pointers to make the firewall better. I'm sure people out there knew these things, and used them to their advantage. Now all holes will be plugged and even more censorship will reign in China. You have now had your 15 mins of fame.
This is the same old tired argument we hear here on Slashdot over and over again. Expose the flaws and you either 1) alert the hackers on how to expose them or 2) Allow the admins to patch them. It's funny how depending on your political ideology, people will swing either way. How about a consistent opinion in favor of revealing flaws? Those who favor security by obscurity deserve neither.
This is not helping China. They know how their firewall works, they built it. They also know where Cambridge University is (unlike half the readers of Slashdot).
Slashdot is helping China by bringing the article to their attention.
This has been circulating in the security blogs for a week now. There are basically two schools of thought. One is that we might fix the IP stack to ignore/filter out RST packets. The second is that we might make it easier to turn on SSL.
Rather than monkey about with changing the protocols to ignore RST, we would probably do better turning on SSL encryption on Wikipedia &c. with some cheap domain authentication certs.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
This will make the Chinese government mandate anti-spoofing by all ISPs. Which actually will be quite a good thing. As a result at least one country in the world will mostly drop off the D.O.S. map. Good thing all around actually.
Now an interesting Cambridge-related question is how it relates to the Great Firewall of Britain, aka Clean Feed (TM), which the dictatorship of el presidente de partida Laborista Antonio Bliar has forced most ISPs to implement (in the name of the children and terrorism, of course). Cambridge did some very good research into the failings of that system as well. It will be interesting to see if the same D.O.S. can be applied there. If that is the case there will be loads of fun all around in the days to come and some very Chinese measures being implemented by the Wall Street mandarins.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
There's a reason people never agree on security through obscurity. Hell you've generalized that people believing in it don't like public disclosure. I personally feel it can deter script kiddies as their scripts occasionally look for banners, etc. There are cases it can help. Not everyone is smart enough to use a program to determine OS type, or other fingerprinting strategies.
I think these researchers just proved once again that nothing is uncrackable. The idea of security is similar to the Titanic. It's unsinkable until everyone owns your box. Don't make fun of the security through obscurity camp.. even if it can be futile, at least we try something. (I also patch like crazy, run firewalls, review logs, etc.)
I don't mind public disclosure as long as the company gets time to patch the product (up to 30 days). Since we're talking about china, well zero day is fine.
MidnightBSD: The BSD for Everyone
I think the point they're trying to show is that information censorship is useless, and creates more security problems than it prevents. In addition, cheap solutions won't work. If China wants real censorship, then the very least we can do is force them to spend beaucoup bucks on it, or force them into an all-or-nothing situation. Like it or not, China needs connectivity to the rest of the world more than the rest of the world needs connectivity to China.
China also has a very "wall"-orientated culture. Somebody is going to have to teach the Chinese government the hard way that it doesn't work with information. In fact, Chinese culture already knows that; that's why most Asian cultures have no traditional concept of copyrights and patents. It's also why when we don't help the Chinese government we do help the Chinese people.
arrggghhh!! NO, do you know how long it took me to find an ISP that would actually support spoofed source packets, even though our use for them wasn't evil!!! Just because there are evil uses for a technology doesn't mean that there aren't also positive uses!!!
The "Such and Such is evil, let's block it" mentality is not a good thing(TM)...
I can understand why spoofed source packets are bad and the majority of the time they are being used for illicit purposes, but should we ban BitTorrent because the majority of the BitTorrent traffic isn't good(TM)?
"I reject your reality, and substitute my own" - Adam Savage
Several problems with it:
The primary problem is that the list is not under direct public control of an independent and accountable body.
From there on it can be used for blocking any content El Presidente Antonio Bliar can deem undesirable. Further to that, one of the functions of Clean Feed is a transparent redirect which will redirect your traffic to a site different from the one you are requesting.
Considering the record of this government on telling the truth that is a very dangerous weapon to give to them. WMD, accidentally suicided government experts (what a violent suicide), you name them.
Here you are deeply mistaken.
After 7/7/2005 el presidente Antonio Bliar's government's cronies have visited nearly all ISPs and most of them now implement it.
If we do not do it for the children we always do it for the other "obvious" reason.
By the way, I do not have an objection to its existence. I have an objection to the fact that:
- The list's declared function already differs from the actual one.
- The list is not under the control of an independent authority, has no judicial oversight and can be manipulated.
- There has been no audit of the list's effectiveness and no audit of the entries in it. Every time BT is asked for a detailed statistics breakdown they wiggle out and keep showing bulk aggregated ones.
- The propagation of the list to other ISPs outside BT has been done in a silent and outright clandestine manner. If the list is right, its enforcement does not need visits from El partida Bliarista enforcers to senior management.
So on, so forth. It is the Great Firewall of Britain and its functionality is not entirely dissimilar. If it were not, it would have been put under the control of an independent agency long ago.
Ok, so putting some words like "Falun" in the SMTP server welcome message is going to stop all the spam via bulletproof Chinese hosting, right?
I am going to try that!
I'm going to take a very strong position here in my first-ever Slashdot post -- China absolutely should be hacked, on a systematic and worldwide-basis. Their desire to censor a whole country should be opposed on both moral and enlightened-self-interest grounds. But it will be tough at best to beat.
Ironically, the situation is a kind of reverse spam-antispammer set up, in which the folks trying to get through the defenses are the good guys. Amnesty International's Irrepressible.info, while terribly primitive, is at least a start, and I think everybody with a web site should play along and see what happens. A more advanced idea may be found at http://www.monashreport.com/2006/04/17/how-to-beat-chinese-censorship-operation-peking-duck/.
And if the censoring can be used for some kind of DOS, so much the better. Make it as expensive and difficult for the oppressors as ever possible.
To err is human. To forgive is good system design.