Slashdot Mirror


Cambridge Breached the Great Firewall of China

Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."


  1. Submit details! by Anonymous Coward · · Score: 5, Funny

    With enough people working on it, we can temporarily block the entire country from the rest of the Internet. How's that for a fourth of July?

  2. Legal action against Cambridge? by zanderredux · · Score: 5, Insightful
    Isn't Cambridge deliberately creating an opportunity for the Chinese government to prosecute them?

    What about those inside China using those exploits for legitimate ends?

    Is Cambridge indirectly helping the Chinese government to fix firewall issues?

    Are Cambridge researchers after fame at the expense of the freedom of the Chinese people?

    1. Re:Legal action against Cambridge? by ironwill96 · · Score: 2, Informative

      The sad thing is, they're not indirectly helping them - they ARE helping them. In TFA they state that they have reported their findings to the Chinese Computer Emergency Response Team. I assume these are the goons in charge of government censorship over there. I'm surprised after all the flak that Yahoo has caught for their Chinese censorship assistance, that Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

      --
      "To strive, to seek, to find, and not to yield." - Tennyson
    2. Re:Legal action against Cambridge? by Anonymous Coward · · Score: 3, Funny

      The University of Cambridge is an English university, not an American company, you (obligatory) insensitive clod!

      (It's "obligatory" because it's the only way insightful anonymous coward comments get modded up.)

    3. Re:Legal action against Cambridge? by CaymanIslandCarpedie · · Score: 5, Informative

      Cambridge would leap off that cliff as well by helping China to further block any ways for citizens to bypass the firewall and obtain information about "sensitive" topics. It really bothers me that so many in the U.S. who claim to value freedom so much (who are out blowing up fireworks today to celebrate such - fireworks mostly bought from China I might add), will help a country who values freedom so little.

      FYI, Cambridge isn't a U.S. university.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    4. Re:Legal action against Cambridge? by jabuzz · · Score: 5, Informative

      Wrong Cambridge, Cambridge University (fourth oldest in the world) is in the South East of England, and not in North America. Full marks, you have displayed a typically parochial American outlook on the World.

    5. Re:Legal action against Cambridge? by TubeSteak · · Score: 2, Interesting
      Not that it's at all relevant, but Cambridge is very buddy buddy with MIT

      http://www.cambridge-mit.org/cgi-bin/default.pl

      /Just showing that they both have very smart technical people learning/researching there.

      --
      [Fuck Beta]
      o0t!
    6. Re:Legal action against Cambridge? by arivanov · · Score: 2, Interesting

      This will make the Chinese government mandate antispoofing by all ISPs. Which actually will be quite a good thing. As a result at least one country in the world will mostly drop off the D.O.S. map. Good thing all around actually.

      Now an interesting Cambridge related question is how it relates to the Great Firewall of Britain, aka Clean Feed (TM) which the dictatorship of el presidente de partida Laborista Antonio Bliar has forced most ISPs to implement (in the name of the children and terrorism of course). Cambridge did some very good research in the failings of that system as well. It will be interesting to see if the same D.O.S. can be applied there. If that is the case there will be loads of fun all around in the days to come and some very Chinese measures being implemented by the Wall Street mandarins.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    7. Re:Legal action against Cambridge? by mrogers · · Score: 3, Informative

      This paper was presented at the Privacy Enhancing Technologies Workshop, alongside with papers about Tor and Mixminion. I'm pretty confident that the authors aren't trying to help the Chinese government. What they are doing is embarrassing the Chinese government, presenting it with a difficult choice between dismantling its firewall and suffering DoS attacks, and publicising a method of circumventing the firewall. By using the normal channels for vulnerability disclosure, the authors protect themselves from politically-motivated accusations of "cyberterrorism".

    8. Re:Legal action against Cambridge? by argoff · · Score: 2, Interesting

      I think the point they're trying to show is that information censorship is useless, and creates more security problems than it prevents. In addition, cheap solutions won't work. If China wants real censorship, then the very least we can do is force them to spend buco bucks on it, or force them into an all or nothing situation. Like it or not, China needs connectivity to the rest of the world more than the rest of the world needs connectivity to China.

      China also has a very "wall" orientated culture. Somebody is going to have to teach the Chinese government the hard way that it doesn't work with information. In fact, Chinese culture already knows that, that's why most Asian cultures have no traditional concept of copyrights and patents. It's also why when we don't help the Chinese government we do help the Chinese people.

    9. Re:Legal action against Cambridge? by einexile · · Score: 2, Funny

      What's your problem with CleanFeed? Surely you sleep more soundly knowing the pedophiles in your neighborhood aren't wasting valuable kidnapping and raping time on Internet porn.

    10. Re:Legal action against Cambridge? by SoloFlyer2 · · Score: 2, Interesting

      arrggghhh!! NO, do you know how long it took me to find an ISP that would actually support spoofed source packets, even though our use for them wasn't evil!!! Just because there are evil uses for a technology doesn't mean that there aren't also positive uses!!!

      The "Such and Such is evil, let's block it" mentality is not a good thing(TM)...

      I can understand why spoofed source packets are bad and the majority of the time they are being used for illicit purposes, but should we ban BitTorrent because the majority of the BitTorrent traffic isn't good(TM)?

      --
      "I reject your reality, and substitute my own" - Adam Savage
    11. Re:Legal action against Cambridge? by stonecypher · · Score: 2, Informative

      Incidentally, there are more Cambridges in the US than in the UK

      Er. No, there's exactly one of each over 10k people in each nation. Of course, since Cambridge in this context isn't a city at all, and since there's essentially nobody who actually thinks of MIT when someone says Cambridge who has even a passing familiarity with universities, this is essentially moot.

      at least one of which is also notable for its large university. Used to confuse the fuck out of me, for one.

      Probably because you're posting without reading articles, at which point it would have been bloody obvious. Making excuses for being a dumbass just makes you look dumber. Stop while you're only sorta behind.

      --
      StoneCypher is Full of BS
    12. Re:Legal action against Cambridge? by stonecypher · · Score: 2, Insightful

      Part of valuing freedom is valuing Chinese self-governance. It's not freedom if we step in and replace it every time someone disagrees with us. Banging the drum and screaming freedom is not a good reason to go tell the Chinese they're running their own country wrong. That's what self-important plutocrats and warmongers who need justifications behind which to hide do.

      Believe it or not, even America has to say "wow, China, you get to run your own country today" once in a while.

      --
      StoneCypher is Full of BS
    13. Re:Legal action against Cambridge? by arivanov · · Score: 2, Interesting

      Several problems with it:

      The primary problem is that the list is not under direct public control of an independent and accountable body.

      From there on it can be used for blocking any content El Presidente Antonio Bliar can deem undesirable. Further to that, one of the functions of Clean Feed is a transparent redirect which will redirect your traffic to a site different from the one you are requesting.

      Considering the record of this government on telling the truth that is a very dangerous weapon to give to them. WMD, accidentally suicided government experts (what a violent suicide), you name them.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    14. Re:Legal action against Cambridge? by arivanov · · Score: 2, Interesting

      Here you are deeply mistaken.

      After 7/7/2005 el presidente Antonio's Bliar government's cronies have visited nearly all ISPs and most of them now implement it.

      If we do not do it for the children we always do it for the other "obvious" reason.

      By the way, I do not have an objection to its existence. I have an objection to the fact that:

      • The list declared function already differs from the actual.
      • The list is not under the control of an independent authority, has no judicial oversight and can be manipulated.
      • There has been no audit of the list effectiveness and no audit of the entries in it. Every time BT is asked for a detailed statistics break down they wiggle out and keep showing bulk aggregated ones.
      • The propagation of the list to other ISPs outside BT has been done in a silent and outright clandestine manner. If the list is right its enforcement does not need visits from El partida Bliarista enforcers to senior management.
      So on, so forth. It is the Great Firewall of Britain and its functionality is not entirely dissimilar. If it was not it would have been put under the control of an independent agency long ago.
      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    15. Re:Legal action against Cambridge? by arivanov · · Score: 2, Insightful

      Another thought.

      The govt record aside, what exactly prevents two enforcers from the Russian mafia walking into the house of the technical staff responsible for Clean Feed in the middle of the night with a gun?

      Currently nothing.

      Phishing is netting them less and less people and most of the ones they catch nowadays in English speaking countries are sore losers with nearly empty bank accounts in "fringe" banks and building societies. Compare that to the number of account details they will catch just in one evening by redirecting all traffic to Barclays via a man-in-the-middle. All they need is to simulate some "service problems" and repeat the login page 2-3 times to capture all numbers in the pin. After that...

      Once you have deliberately built a provision to redirect all traffic in your network this can be used for all kinds of interesting purposes. It is only a matter of time until it is used for a heist of the scale seen in armed bank robberies.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  3. Re:Congratulations by Trigun · · Score: 4, Insightful

    Better they do it from the outside than the Chinese government find the guys doing it from the inside.

  4. Mongolians? by veinard · · Score: 5, Funny

    Weird, I didn't know there were many Mongolians at Cambridge...

  5. Stateless? by Anonymous Coward · · Score: 3, Interesting

    How exactly does a stateless IDS block connections for up to an hour? Are there other components to the firewall I'm not aware of, or does stateless mean something else these days?

    1. Re:Stateless? by Just+Some+Guy · · Score: 5, Informative
      How exactly does a stateless IDS block connections for up to an hour?

      Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:Stateless? by Just+Some+Guy · · Score: 2, Informative
      That comment is bullshit. A lookup in the state table is actually _way_ more efficient than going through the ruleset for each packet, moreso if the ruleset is larger.

      You misspelled "this".

      State tables aren't happy magic O(zero) constructs - they take resources just like rulesets do. Imagine the case where a firewall is checking a billion simultaneous connections against a ruleset with only one entry. Do you honestly contend that it'd be easier to look for the existence of a state table entry than to check for "dest addr == 1.2.3.4"? Especially if the ruleset were actually the output of an FPGA that gets reconfigured on an hourly (or whenever) basis?

      Or imagine that their blacklist granularity is a /24, figuring that blocking a "bad" address's neighbors is probably desirable. In that case, they only have to track 16 million 24-bit network prefixes. Q: Is a.b.c.d blacklisted? A: It is if "blacklist[a*65536+b*256+c] == 1". I leave it to the reader to decide whether implementing an optimized version of that algorithm would be easier or harder than saving and checking state for millions of simultaneous connections.

      Finally, my implementation would be inherently unsusceptible to a SYN flood. What happens when a stateful firewall gets a flood of incoming connections faster than it can make room to store them? That's also known as a DOS, which is generally something you don't want to design in to your system.

      --
      Dewey, what part of this looks like authorities should be involved?
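
The /24 lookup and hourly rule rewrite described in the two comments above, as an added example that is not part of the original thread or of any real firewall's code. All function names are hypothetical and the sample addresses are constructed from the RFC 5737 documentation ranges.

```c
/* Added example: stateless /24 blacklist held in a fixed-size bitmap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREFIX_COUNT (1u << 24)          /* one bit per /24 network */
#define BITMAP_BYTES (PREFIX_COUNT / 8)  /* 2 MiB, independent of traffic volume */

/* Two tables: the one packets are checked against, and one being rebuilt. */
static uint8_t bitmaps[2][BITMAP_BYTES];
static int active = 0;

/* Parse dotted-quad text into a host-order 32-bit address; 0 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    /* The trailing %c catches junk after the fourth octet. */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* a*65536 + b*256 + c from the comment is the top 24 bits of the address. */
static uint32_t prefix_index(uint32_t addr)
{
    return addr >> 8;
}

/* Per-packet check: a shift, a load and a mask. Nothing is stored per
 * connection, so a flood of new connections cannot grow memory use. */
int is_blocked(uint32_t addr)
{
    uint32_t i = prefix_index(addr);
    return (bitmaps[active][i >> 3] >> (i & 7)) & 1;
}

/* Periodic rebuild (the "cron job"): fill the idle table, then swap it in.
 * Prefixes missing from the new list are unblocked simply by not being
 * re-added. Returns the number of entries accepted; malformed ones are
 * skipped. */
int reload_rules(const char *const *addrs, size_t n)
{
    int idle = 1 - active;
    int accepted = 0;

    memset(bitmaps[idle], 0, BITMAP_BYTES);
    for (size_t k = 0; k < n; k++) {
        uint32_t addr;
        if (parse_ipv4(addrs[k], &addr) != 0)
            continue;
        uint32_t i = prefix_index(addr);
        bitmaps[idle][i >> 3] |= (uint8_t)(1u << (i & 7));
        accepted++;
    }
    active = idle;
    return accepted;
}

/* Convenience wrapper: 1 = blocked, 0 = allowed, -1 = unparseable. */
int check_text(const char *s)
{
    uint32_t addr;
    return parse_ipv4(s, &addr) == 0 ? is_blocked(addr) : -1;
}

int main(void)
{
    /* Constructed rule lists for two consecutive reloads. */
    const char *const hour1[] = { "192.0.2.77", "203.0.113.5", "not-an-ip" };
    const char *const hour2[] = { "198.51.100.9" };
    const char *const probes[] = { "192.0.2.77", "192.0.2.200",
                                   "192.0.3.77", "198.51.100.9" };

    printf("hour 1: %d rules loaded\n", reload_rules(hour1, 3));
    for (size_t k = 0; k < 4; k++)
        printf("  %-14s blocked=%d\n", probes[k], check_text(probes[k]));

    printf("hour 2: %d rules loaded\n", reload_rules(hour2, 1));
    for (size_t k = 0; k < 4; k++)
        printf("  %-14s blocked=%d\n", probes[k], check_text(probes[k]));
    return 0;
}
```

Note that 192.0.2.200 is blocked in the first hour only because it shares a /24 with a listed address, which is the coarse granularity the comment accepts in exchange for constant memory.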
  6. I can think of one useful application for this by Ant+P. · · Score: 2, Interesting

    An "active" spamfilter that automatically shoots down Chinese spammers. The IP gets blocked off for an hour and can't spam anyone at all outside China.

    Of course at the same time I can think of a million abusive applications for this...

  7. Solution? by QuantumFTL · · Score: 4, Insightful

    I wonder what the Chinese government would do if groups of individuals from around the world used techniques like this to DDoS the firewall. I highly doubt that they could get their population to accept them completely shutting off access to the outside world, and a stateful firewall would be considerably more expensive, assuming they wanted to keep their same (terrible) level of performance.

    What does slashdot think about this?

    1. Re:Solution? by hoggoth · · Score: 2, Insightful

      > I highly doubt that they could get their population to accept them completely shutting off access to the outside world

      Their population accepts a lot worse than losing Internet access.
      I don't think a government that rolls tanks over dissidents is going to worry too much about cutting off their Internet.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  8. I wonder... by mike260 · · Score: 3, Interesting

    ...what would happen if I sent some packets from google.com to google.cn, containing words like 'democracy' and 'Falun Gong'.

    1. Re:I wonder... by Turn-X+Alphonse · · Score: 3, Interesting

      Yes because a Chinese firewall is going to black English words right? They'll block the Chinese words obviously.

      --
      I like muppets.
    2. Re:I wonder... by TubeSteak · · Score: 5, Interesting

      http://www.google.cn/search?q=Falun

      Falun Gong Is a Cult
      www.china-embassy.org

      Research Society of Falun Dafa and the Falun Gong organization under its control are held to be illegal
      english.people.com.cn

      Fifteen Falun Gong Cult followers attempted to sabotage cable TV network equipment
      app1.chinadaily.com.cn

      southcn:Falun Gong Cult OUTLAWED
      www.newsgd.com

      Here we should point out that the banning of "Falun Gong" by the Chinese government is also part of
      www.chinaembassycanada.org

      Falun Gong Practitioner Not Sorry for Killing Father, Wife
      news.xinhuanet.com

      Now compare all that to
      http://www.google.com/search?q=Falun

      Now, if the Chinese Gov't is making Google filter based on English keywords, you think they're not going to do the same with their uber-firewall?

      Many Chinese schools teach English. It isn't like they only speak various Chinese dialects over there.

      --
      [Fuck Beta]
      o0t!
    3. Re:I wonder... by RWerp · · Score: 2, Insightful

      Interesting bit of facts you posted here. So Google does not simply censor keywords like "Falun". They block some web pages and let through others, those which say things convenient for the China government. Effectively, google.cn is an extension of the Chinese propaganda ministry. I wonder whether Google checks the content of the pages on its own, or does it get a list of the allowed pages from the Chinese? "Don't be evil" :))

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
  9. Actually it would have to work the other way round by Opportunist · · Score: 4, Interesting

    As far as I understood it, the point is that the wall blocks out IPs outside of China that try to send "sensitive" data into China.

    Not a big deal either. Just send the IP Address of any mailserver you want to protect with a packet containing something "sensitive".

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. hard to believe by CBHighlander · · Score: 2, Insightful

    I can't imagine why anyone would choose a stateless firewall over one that performs stateful inspection on all traffic. There are so many options available (pix, checkpoint, or just a well built iptables system), it would seem you'd have to work at finding something stateless.

    1. Re:hard to believe by cperciva · · Score: 3, Insightful

      I can't imagine why anyone would choose a stateless firewall

      Stateful firewalls scale poorly.

  11. should we slashdot china's firewall?.... by edflyerssn007 · · Score: 2, Funny

    Should China's firewall be slashdotted so that it can't work anymore and therefore allow the people of China a free internet? (free as in not censored).

    -ed

    --
    So you see what had happened was....
    1. Re:should we slashdot china's firewall?.... by RWerp · · Score: 2, Insightful

      Your logic is faulty. The good guys get screwed anyway. So the least one can do, is to create some pain for the bad guys.

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
  12. That isn't technically a DDoS by Jeian · · Score: 5, Informative

    DDoS is using multiple computers to "flood" a target off the Internet. This would be a plain DoS attack using a software weakness to deny service.

    1. Re:That isn't technically a DDoS by Armchair+Dissident · · Score: 2, Insightful

      A DDoS attack is an attack that is distributed across many machines collaborating to bring down a target machine. It does not necessarily have to flood a target off the machine in the sense of a SYN attack. For that matter - as in the case of the SYN attack - it doesn't have to be from multiple identifiable sources; simply from many sources.

      RTFA. The attack can be either from a single machine, or it can be distributed. The source of the attack is unimportant. Either a single machine can generate the packets containing proscribed words, or the task can be distributed across many machines, it is therefore perfectly correct to describe it as either a DoS or a DDoS.

      FTFA:

      Even though this technique would block communication between only two particular points on the Internet, the researchers calculated that a lone attacker using a single dial-up connection could still generate a "reasonably effective" denial-of-service attack. If an attacker generated 100 triggering packets per second, and each packet caused 20 minutes of disruption, 120,000 pairs of endpoints could be prevented from communicating at any one time.

      Note that at no point was it suggested that either of the end-points in the attack need be involved. Ergo, anyone who is able to establish the appearance of an IP packet travelling from a destination to a source is able to establish the appearance of an arbitrary number of packets travelling from an arbitrary number of destinations to a target source. If this is possible, then an arbitrary number of computers are able to send the manufactured packets, and you have a DDoS attack - it is distributed.

      Indeed, reading the attack, it makes no sense for the attack to be a concern if a single source, and a single source only, is able to mount the attack, because the sole effect would be for that source to self-censor itself to a Chinese source. Precisely the opposite effect of the concern described.

      --

      The ways of gods are mysteriously indistinguishable from chance.
  13. Tiananmen Where? by Silver+Sloth · · Score: 2, Interesting

    I highly doubt that they could get their population to accept them completely shutting off access to the outside world

    Er, exactly which China are we talking about here. If the population don't accept things then they get run over by tanks.

    --
    init 11 - for when you need that edge.
    1. Re:Tiananmen Where? by QuantumFTL · · Score: 2, Interesting

      Well, protesting is one way to show that you "do not accept" something - that doesn't seem to work well in China. However, it's clear that the people in charge of China want the population to go along with their edicts, and furthermore think that it is a good thing. The PRC spends a lot of money on propaganda, etc, so that the population is kept under control. With 1.3 billion people, I'd say that's a good investment. Screwing up their internet connection to the "outside world" (or at least whatever isn't offensive) would set back those efforts significantly, especially in the growing middle class.

    2. Re:Tiananmen Where? by jeffstar · · Score: 2, Interesting

      I've always wondered what made this guy so brave

    3. Re:Tiananmen Where? by Joe+Decker · · Score: 5, Interesting

      Me too, it was an incredible symbol. The story of one of the photographers who captured that image is pretty amazing as well.

    4. Re:Tiananmen Where? by Breakfast+Pants · · Score: 2, Interesting

      --
      WHO ATE MY BREAKFAST PANTS?
  14. Re:Fragmentation by Tontoman · · Score: 2, Informative

    Most firewalls will reassemble fragmented packets in order to perform content analysis. How to do it is in the TCP/IP RFCs.

  15. Re:Congratulations by Anonymous Coward · · Score: 2, Insightful

    Well done on writing a 'how-to' on pointers to make the firewall better. I'm sure people out there knew these things, and used them to their advantage. Now all holes will be plugged and even more censorship will reign in China. You have now had your 15mins of fame.

    Insecurity by obscurity.

    www.PeenieWallie.com

  16. Try the Saudi firewall by Anonymous Coward · · Score: 5, Interesting

    Chinese firewall is nothing - try getting through the Saudi firewall. As I understand it, the Chinese are at least a bit less modest about what is banned, so you should be able to at least get some legit porn sites through Chinese internet. However Saudi internet would block not just porn sites, but women's rights websites, women's magazines websites, even medical sites - anything that would display a photograph or illustration of a naked woman or man was strictly banned. Even if it was just part of a human body, i.e. shoulders up.

    1. Re:Try the Saudi firewall by Anonymous Coward · · Score: 2, Informative

      Uh, no, they don't. Satellite internet connections cost a shitload of money. When I was last there 3 years ago they were offering DSL broadband 1Mbit/sec for around the equivalent of $100/month (it cost a lot as it was unmetered, you could download GBs a day on it). Satellite dishes for television are something else. Again, from when I was last there, might be different now, there were a whole 2 Arabic channels on the Ku band but I think up to 50 on C band, and it cost SAR1000 (about $300) to have a guy come and install a C band dish and receiver. They weren't exactly a luxury, most everyone I saw, poor or rich had them because Saudi doesn't have a vast terrestrial television infrastructure like anywhere else.

    2. Re:Try the Saudi firewall by Anonymous Coward · · Score: 2, Interesting

      A year or so ago I have been tracing the downlink traffic on such a satellite (aiming at the Turkey/Arab area but not especially to Saudi Arabia), and as you would expect the downloaded content was mostly:
      - porn
      - the usual "movies found on the internet" you see on CNN only after much editing
      - pictures of the same
      - pictures and movies of local popstars

  17. Re:Congratulations by TubeSteak · · Score: 5, Interesting
    Well done on writing a 'how-to' on pointers to make the firewall better.
    Actually, this flaw is inherent to the design of the great firewall.

    It's not something that is trivial to fix. Others can do a better job of explaining why, but for now, suffice it to say that it'd require a significant effort on the part of the Chinese Gov't.

    Maybe it can be fixed in The Great Firewall of China v2.0
    --
    [Fuck Beta]
    o0t!
  18. Benefits of the wall by debrain · · Score: 2, Interesting

    I think there are some good points to the existence of the firewall. While the firewall itself is a bad thing, no doubt, the fact that the Chinese have access to the internet at all is a huge step forward for them. We're talking about a country that was totalitarian for centuries, with virtually no interest in or comprehension of individual human freedoms.

    It also speaks to the power of the internet's design. Here is a nation notorious for its control of information, and the techniques they use are easy to discover, and possible to circumvent. If China can't restrict the internet, then there's hope that other governments and maybe even multinational corporations won't be able to pull it off either.

    With luck, the firewall will become an irony of the past, as the importance of human dignity becomes apparent to the Chinese government.

  19. six of one... by Armchair+Dissident · · Score: 4, Insightful

    ...half a dozen of the other.

    Certainly TFA suggests that the DoS attack could be used against Chinese government computers, but this could also be used against Chinese citizens. An exploit is, after all, an exploit. So I would suggest that in the case of the DoS attack, reporting it to the appropriate people - in this case the Chinese authorities - was the right thing to do.

    Unfortunately, in this case, the very flaw that allows a DoS against machines within China also permits those inside the firewall to ignore the resets sent back, so by reporting the DoS, they've also reported how the censorship can be circumvented. (or, by discovering the censorship circumvention they've unfortunately stumbled upon a DoS attack).

    In this case, I really don't think that there is a One True Answer.

    --

    The ways of gods are mysteriously indistinguishable from chance.
  20. Ninjas rough up geeks by anidiot · · Score: 2, Funny

    When a bunch of ninjas rough up the geeks in Cambridge, don't be surprised.

    1. Re:Ninjas rough up geeks by WilliamSChips · · Score: 2, Funny

      Why would the Chinese have ninja? Ninja are Japanese you n00b!

      --
      Please, for the good of Humanity, vote Obama.
  21. They're supposed to be helping them by Anonymous Coward · · Score: 5, Interesting
    I'm presenting a paper on Ignoring the Great Firewall of China at the 6th Workshop on Privacy Enhancing Technologies being held here in Cambridge this week. It turns out that this censorship system works by sending reset packets to each end of the connection, rather than blocking packets. If they don't dutifully close, but just discard the packets, the firewall is completely ineffective. More about this in the paper and in my security group blog posting. [http://www.cl.cam.ac.uk/~rnc1/]

    Their research is concerned with DRM ass hat tactics and such...pity!

  22. Re:Now they need a national-scale stateful firewal by kohaku · · Score: 2, Informative

    The way things are going, AOL will probably have an equivalent firewall in a few years time. Then they can rent it out. Hooray for the free world.

  23. Re:Congratulations; Same old tired argument. by posterlogo · · Score: 4, Interesting

    Well done on writing a 'how-to' on pointers to make the firewall better. I'm sure people out there knew these things, and used them to their advantage. Now all holes will be plugged and even more censorship will reign in China. You have now had your 15mins of fame.

    This is the same old tired argument we hear here on Slashdot over and over again. Expose the flaws and you either 1) alert the hackers on how to expose them or 2) Allow the admins to patch them. It's funny how depending on your political ideology, people will swing either way. How about a consistent opinion in favor of revealing flaws? Those who favor security by obscurity deserve neither.

  24. National Security by subl33t · · Score: 5, Insightful

    Go ahead, mod me down.

    Couldn't the Chinese government view this as an act of terrorism? In the interest of national security the Chinese government will start an ambiguous "War on Terror" after the US "War on Terror" and "War on Drugs" which are _also_ unwinnable and declared solely to keep the ruling party in power via fear.

  25. Cyber Attacks, a good thing?? by Theovon · · Score: 4, Insightful

    Is it just me, or does it seem rather unkind to go about declaring, "Look at me! I just conducted a cyber-attack against China!" Hey, I'm no fan of China's government or censorship, and I am aware that China have tried to attack other countries' computers, but two wrongs don't make a right. Unless we're doing something defensive to ward off an attack from China, I see little point in taunting them and giving them reason to tighten security even further. It just doesn't seem right.

  26. This is not helping China by Zeinfeld · · Score: 2, Interesting
    How in the name of @#$(@$#* is knowing how to circumvent the great firewall going to do any good if you don't tell anyone about it?

    This is not helping China. They know how their firewall works, they built it. They also know where Cambridge University is (unlike half the readers of Slashdot).

    Slashdot is helping China by bringing the article to their attention.

    This has been circulating in the security blogs for a week now. There are basically two schools of thought. One is that we might fix the IP stack to ignore/filter out RST packets. The second is that we might make it easier to turn on SSL.

    Rather than monkey about with changing the protocols to ignore RST we would probably do better turning on SSL encryption on Wikipedia &ct with some cheap domain authentication certs.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
    1. Re:This is not helping China by Breakfast+Pants · · Score: 2, Funny

      One guy makes a dumb post and now half of slashdot's readers are saying that half of slashdot's readers don't know where Cambridge is?

      --
      WHO ATE MY BREAKFAST PANTS?
  27. Re:Congratulations; Same old tired argument. by laffer1 · · Score: 2, Interesting

    There's a reason people never agree on security through obscurity. Hell you've generalized that people believing in it don't like public disclosure. I personally feel it can deter script kiddies as their scripts occasionally look for banners, etc. There are cases it can help. Not everyone is smart enough to use a program to determine OS type, or other fingerprinting strategies.

    I think these researchers just proved once again that nothing is uncrackable. The idea of security is similar to the Titanic. It's unsinkable until everyone owns your box. Don't make fun of the security through obscurity camp.. even if it can be futile at least we try something. (I also patch like crazy, run firewalls, review logs, etc)

    I don't mind public disclosure as long as the company gets time to patch the product (up to 30 days). Since we're talking about China, well zero day is fine.

  28. Last weeks news - original post here by erik_norgaard · · Score: 4, Informative

    It appears the link to the source is missing - I first read about it last week on Schneier's blog, linking to the original blog post found here:

        http://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/

    And for all the details, the paper to be presented is here:

        http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf

    I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.

    DDoS attacks against the GFC seem not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed across an unknown number of gateways.
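
The post above talks about configuring an endpoint to ignore invalid resets. The following added example (not from the post, the article, or the researchers' paper) shows one way a defender could tell such resets apart in a capture: it flags any RST whose IP TTL does not match earlier segments bearing the same address and port tuple. The TTL heuristic, the tolerance of 2 hops, and all names and packet values are assumptions made for this example.

```python
from statistics import median

def classify_resets(packets, tolerance=2):
    """Label every RST as 'consistent', 'suspect' or 'unknown'.

    A RST is 'suspect' when its IP TTL is more than `tolerance` hops away
    from the median TTL of earlier non-RST segments that carried the same
    source/destination address and port tuple.
    """
    seen_ttls = {}  # flow direction -> TTLs of earlier non-RST segments
    verdicts = []
    for index, p in enumerate(packets):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "RST" not in p["flags"]:
            seen_ttls.setdefault(key, []).append(p["ttl"])
            continue
        history = seen_ttls.get(key)
        if not history:
            verdicts.append((index, "unknown"))      # nothing to compare against
        elif abs(p["ttl"] - median(history)) > tolerance:
            verdicts.append((index, "suspect"))      # likely injected on the path
        else:
            verdicts.append((index, "consistent"))
    return verdicts

def pkt(src, sport, dst, dport, ttl, *flags):
    """Build one constructed packet record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "ttl": ttl, "flags": set(flags)}

# Constructed capture as seen at the client (documentation address ranges).
SERVER, CLIENT = "198.51.100.10", "192.0.2.20"
SAMPLE = [
    pkt(CLIENT, 40000, SERVER, 80, 64, "SYN"),
    pkt(SERVER, 80, CLIENT, 40000, 47, "SYN", "ACK"),
    pkt(CLIENT, 40000, SERVER, 80, 64, "ACK"),
    pkt(CLIENT, 40000, SERVER, 80, 64, "PSH", "ACK"),
    pkt(SERVER, 80, CLIENT, 40000, 39, "RST"),           # TTL 39 vs 47 seen so far
    pkt(SERVER, 80, CLIENT, 40000, 47, "ACK"),
    pkt(SERVER, 80, CLIENT, 40000, 47, "RST"),           # matches the server's TTL
    pkt("203.0.113.5", 443, CLIENT, 40001, 52, "RST"),   # no prior traffic on flow
]

if __name__ == "__main__":
    for index, verdict in classify_resets(SAMPLE):
        print(index, verdict)
```

A TTL mismatch is only an indicator: route changes and load balancers can shift TTLs on genuine traffic, so a flagged RST is a candidate for review rather than proof of injection.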

  29. Oblig. Monty Python (parody) - The Terrorist Song by usurper_ii · · Score: 3, Insightful

    The Terrorist Song
    by Usurper_ii
    (Sung to the tune of Python's The Lumber Jack Song)

    I'm a terrorist and I'm OK
    I read at night and I work all day.

    The Government:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    I read a lot and I seek the truth
    I go to the lavatory.
    After OKC, I saw some things that didn't make sense to me.

    The Government:
    He doesn't believe our story about OKC,
    We monitor when he goes to the lavatory.
    On Wednesday night, he went to an unapproved web site.

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    When, after 9-11 didn't all add up,
    I met with others on the net, to talk it up.

    The government:
    He didn't believe our story about 9-11.
    We followed him to unapproved web sites after hours.
    In our report, we'll say he had bomb-making materials under his sink.

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

    I don't think a plane hit the Pentagon.
    I think the World Trade Center buildings fell all wrong.
    I wish I could convince my dear ol' mom!!

    The government:
    He's a terrorist and we're going to make him pay?!
    We read his e-mail and didn't like what he had to say?!...

    Just me:
    I wish I'd been born, back when America was really free!!

    The Government:
    He's a terrorist and we're going to make him pay
    He reads the Constitution and knows his rights.
    He's just like McVeigh, Bin Laden, and al-Qaeda!!

    Chorus:
    He's a terrorist and he's OK
    He reads at night and he works all day.

  30. You are just as ignorant as the censored chinese. by Anonymous Coward · · Score: 2, Informative

    What TV cameras? We're lucky that photos managed to get out of there, the Chinese secret police were assaulting, detaining, and destroying the film of journalists. The film that did get out was smuggled out.

    And the line of tanks stopped because the single person driving the lead tank didn't know what to do. It wasn't a policy decision handed down by the PLA to not hurt anyone because of cameras. They had just finished killing dozens, possibly hundreds of innocent people. They were shooting automatic rifles into crowds of people in the middle of the street.

  31. Re:Congratulations; Same old tired argument. by John+Courtland · · Score: 3, Informative

    The banner can tell you program version information and sometimes the host OS, machine architecture and running modules. Apache's webserver banner is a good example. It can, if set up to, tell you the version of Apache, the version of PHP, the host OS kernel revision, and what processor is hosting that OS. That's a lot of information that really isn't necessary. Usually it's displayed when an ErrorDocument handler returns a 404 itself.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  32. Re:Congratulations by 91degrees · · Score: 3, Insightful

    It's information.

    They're academics.

    Their whole raison d'etre is to learn and share their learning. The information itself is ethically neutral. It can be used for good or for bad.

  33. Re:Actually it would have to work the other way ro by pe1chl · · Score: 2, Interesting

    Ok, so putting some words like "Falun" in the SMTP server welcome message is going to stop all the spam via bulletproof Chinese hosting, right?

    I am going to try that!

  34. China ABSOLUTELY should be hacked by CurtMonash · · Score: 2, Interesting

    I'm going to take a very strong position here in my first-ever Slashdot post -- China absolutely should be hacked, on a systematic and worldwide-basis. Their desire to censor a whole country should be opposed on both moral and enlightened-self-interest grounds. But it will be tough at best to beat.

    Ironically, the situation is a kind of reverse spam-antispammer set up, in which the folks trying to get through the defenses are the good guys. Amnesty International's Irrepressible.info, while terribly primitive, is at least a start, and I think everybody with a web site should play along and see what happens. A more advanced idea may be found at http://www.monashreport.com/2006/04/17/how-to-beat-chinese-censorship-operation-peking-duck/.

    And if the censoring can be used for some kind of DOS, so much the better. Make it as expensive and difficult for the oppressors as ever possible.

    --
    To err is human. To forgive is good system design.