Ultrasurf Easily Blocked, But So What?
Frequent Slashdot contributor Bennett Haselton writes
"A simple experiment shows that it's easy to find the IP addresses used by the UltraSurf anti-censorship program, and block traffic to all of those IP addresses, effectively stopping UltraSurf from working. But this is not a fault of UltraSurf; rather, it demonstrates that an anti-censorship software program can be successful even if it's relatively trivial to block it."
Read on for Bennett's analysis.
UltraSurf is an enormously popular program used to circumvent Internet censorship in countries like China (as well as schools and workplaces in mostly-free countries like the US, with mixed success). When you run UltraSurf on your computer, it re-routes your outgoing Internet traffic to external IP addresses controlled by UltraSurf, so that it looks to observers (and network censors) as if you are connecting to UltraSurf's IP addresses, rather than a website like YouTube or Facebook that may be banned on your network.
UltraSurf uses a list of thousands of external IP addresses, to make it non-trivial for an adversary to locate all of their IP addresses and block them all. However, using a few steps that would be obvious to many programmers facing the same problem, I did find a way to detect all the IP addresses that UltraSurf connects to, and block all of them so that UltraSurf stopped working. It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.
Some background information first. Most Internet censorship circumvention tools fall into one of two categories (whose names I have just invented for the purpose of this article):
(1) Self-bootstrapping. If a program is self-bootstrapping, then in a censored country you simply run a copy of the program and it will establish a connection to an IP address outside the country, one of many in a large "cloud" of IP addresses controlled by the software program's publisher. Thereafter, your Internet usage is routed through that connection in order to evade your country's filter. UltraSurf and Tor fall into this category.
(2) Non-self-bootstrapping. To use one of these programs from a censored country, first you have to get a friend in a non-censored country to install the software on their computer (or their webserver, if they have one). Then they give this location (normally in the form of a URL) to their friend in the censored country, and their friend types that URL into their browser to circumvent their country's filtering. Psiphon is the best-known program in this group.
In 2006 I wrote that even though the first category of programs was more convenient to use (not requiring you to rely on a friend in an uncensored country), any program in that category could be blocked by an adversary willing to make only a modest amount of effort: Install the program, see what IP addresses it connects to, block those, see if the program connects to any other backup IP addresses, block those, and so on, until the program runs out of IP addresses to use. There are a few simple countermeasures that designers of a program could take, but they can also be defeated easily.
(For example, if the program randomly chooses an IP address from a large internally stored list, then you just have to run the program over and over until you've found most of the IP addresses chosen by its random algorithm. A cleverly written program could try to evade this as follows: Pick a set of IP addresses at random from the list, and then "lock in" to that set of IP addresses, so that future runs of the program on that PC will always connect to those IP addresses, ignoring the other ones in the list. This makes it a little bit harder for the censor to pry out all of the IP addresses in the program's internal list. But then you, as the censor, can either (a) run the program repeatedly, but find where the program stores its "locked set" and erase that between each run, so that on future runs the program will keep selecting a different IP address set, or (b) if you can't figure out where the program is storing its "locked set" between each run, then just install the program repeatedly on different machines.)
One way or another, if the program knows what IP addresses to connect to when it bootstraps itself, the attacker can trick the program into revealing all of them. The attacker doesn't even need to reverse-engineer the software to see the set of instructions that it's executing internally; they only need to be able to see the IP addresses that the program is connecting to.
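The argument in the two paragraphs above can be checked with a small simulation, added here as an illustration; it is not code from the author's experiment (which used Perl, netstat and ipseccmd) and touches no network. It models a client that locks in to a random subset of a bundled list and counts how many distinct entries an observer sees with and without the stored state being erased; the names `Client`, `observe`, `runs_until_covered`, `expected_coverage` and the 200-entry pool of labelled relays are all assumptions made for the example.

```python
import random

# Constructed pool of 200 labelled relays; stands in for the bundled address list.
POOL = [f"relay-{i:03d}" for i in range(200)]


class Client:
    """Toy model of a self-bootstrapping client with a "locked set" (hypothetical)."""

    def __init__(self, pool, lock_size, seed):
        self.pool = list(pool)
        self.lock_size = lock_size
        self.rng = random.Random(seed)
        self.locked = None  # stands in for the state the program keeps between runs

    def run(self):
        # First run: pick a random subset of the pool and lock in to it.
        if self.locked is None:
            self.locked = self.rng.sample(self.pool, self.lock_size)
        # Every run contacts only the locked set; this is all an observer sees.
        return list(self.locked)

    def erase_state(self):
        # Option (a) in the text. In this model it is equivalent to option (b),
        # a fresh install on a different machine.
        self.locked = None


def observe(client, runs, erase_between_runs):
    """Return the set of pool entries seen across `runs` executions."""
    seen = set()
    for _ in range(runs):
        seen.update(client.run())
        if erase_between_runs:
            client.erase_state()
    return seen


def runs_until_covered(client, max_runs=100_000):
    """Count runs (state erased after each) until the whole pool has been seen."""
    seen = set()
    total = len(client.pool)
    for n in range(1, max_runs + 1):
        seen.update(client.run())
        client.erase_state()
        if len(seen) == total:
            return n
    raise RuntimeError("pool not covered within max_runs")


def expected_coverage(pool_size, lock_size, runs):
    """Expected fraction of the pool seen after `runs` independent locked sets.

    Each entry is missed by one run with probability (1 - k/n), so it is
    still unseen after r runs with probability (1 - k/n) ** r.
    """
    return 1.0 - (1.0 - lock_size / pool_size) ** runs


if __name__ == "__main__":
    # Lock-in with the state left alone: the observer never gets past the set.
    stuck = observe(Client(POOL, 10, seed=7), runs=500, erase_between_runs=False)
    print("state kept:   ", len(stuck), "of", len(POOL), "entries seen")

    # Same client, state erased between runs: coverage climbs to the full pool.
    full = observe(Client(POOL, 10, seed=7), runs=500, erase_between_runs=True)
    print("state erased: ", len(full), "of", len(POOL), "entries seen")

    n = runs_until_covered(Client(POOL, 10, seed=7))
    print("runs needed for full coverage:", n)

    for r in (10, 45, 100, 200):
        print(f"expected coverage after {r:3d} runs: {expected_coverage(200, 10, r):.3f}")
```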
Much later, I was able to reduce this to practice in an experiment on my own machine, using a Perl script, the built-in Windows "netstat" tool to list connections from locally running programs to outside IP addresses, and the "ipseccmd" tool to add new firewall rules blocking those IP addresses. After the script was left running overnight, it had collected and blocked all the IP addresses that UltraSurf apparently used, and on future runs, UltraSurf would display an error message saying that it couldn't find any IPs to connect to.
(Interestingly, netstat also showed that UltraSurf frequently opened connections to www.google.com over SSL -- that is, accessing URLs that would begin with "https://www.google.com/" -- so that traffic between the program and the Google website would be encrypted, and the contents would be invisible to censors in China. When I saw it was doing that, I added an exception to the script so that the Google IP addresses would not be blocked. Perhaps it was submitting search terms to Google in order to find pages that give the location of the latest UltraSurf connection points, or perhaps it was checking a GMail account created by UltraReach that stores messages containing more IP addresses; I didn't reverse-engineer UltraSurf to find out. But even if this was UltraSurf's clever means of obtaining new IP addresses, the system still runs up against the same problem: Any IPs that can be connected to by the UltraSurf client, can also be ascertained by the attacker who watches UltraSurf to see where it connects to, and then blocks those IPs as well.)
Naturally I had mixed feelings about pointing this out publicly, since I agree with UltraReach's goal of providing unfiltered access to users in China and other censored countries. But this idea is sufficiently obvious, that I don't think anything is lost by demonstrating it. There may be programmers interested in creating even more programs to help users in censored countries, and it would be counterproductive for those programmers to believe that existing programs like UltraSurf "magically" evade the censors by using some complex algorithm to hide the IP addresses that they connect to. In fact, the program doesn't conceal the IP addresses that it connects to (how could it?), and it would be straightforward to design and build a new program that did roughly the same thing. We should give UltraReach credit for the right things: they made a tool that provides unfiltered access to millions of people, they made the tool small and easy to use, and they arranged with their partners to subsidize the unfiltered Internet connections at no expense to those end users (although see some caveats, which have been pointed out by Hal Roberts at the Berkman Center, about the price of this "free" access). But the one thing UltraReach did not do is find a way to get around the problem of an attacker installing the program to see what IP addresses it connects to. That's not a criticism of UltraReach; this is presumably an impossible problem to solve.
(Side note about counter- and counter-counter-measures: If UltraReach does think that censoring countries might try harder to block UltraSurf at some point in the future, they should start releasing different versions of the product every month that use different sets of IP addresses. Release one version for September 2009 that uses one set of IP addresses, then another version in October 2009 that uses another set, and so on. Then if the censors decide in December 2009 to start seriously trying to block all UltraSurf IP addresses, they'll be able to find and block all the IP addresses used by the Dec09 version, just by installing a copy of the program and observing it. But, users who downloaded previous months' versions of the program will be able to continue using their copies. If the Chinese censors wanted to find and block the IP addresses used by previous months' copies of UltraSurf, they would have to either (a) figure out how to distinguish UltraSurf traffic from other Internet traffic, not an easy thing since UltraSurf uses encrypted traffic on port 443, the same port used for encrypted Web traffic, or (b) obtain copies of the program that users had downloaded in previous months, which is no longer as trivial as simply observing the current version of the program. The more often UltraReach swaps out a new version of UltraSurf that connects to a new set of IP addresses, the harder it will be for the Chinese censors to find all the sets of IPs used by previously released versions. However, once the Chinese censors start trying seriously to block UltraSurf, even though the trick just described will allow previous downloaders of the program to continue surfing freely, all new users who download the program after that point, can be easily blocked -- because the Chinese censors can just watch how often a new version of UltraSurf is made available for download, and block the IPs used by that copy.)
But I think the fact that the Chinese have not done this reveals something usually overlooked about the nature of the anti-censorship arms race. The situation is frequently cast as a battle between the evil geniuses who run the government filters and the good geniuses who write the software to get around the filters, while the grateful citizens of the censored country are the beneficiaries. But if the government censors haven't even done some simple experiments like this in order to block UltraSurf, they must not think it's a high priority to stop the program from working. This in turn suggests that the number of people using UltraSurf in a country like China, while large in absolute numbers, doesn't constitute a large enough proportion of the population to worry the government. Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party.
It's not that the Chinese censors don't care about controlling the Internet and the effect that it has on their citizens' thinking. The Chinese have reportedly fielded a droid army of about 50,000 cubicle drones to help fight Internet propaganda battles, such as drowning out anti-government posts on public forums. Why would they spend such enormous efforts to generate forum posts, but not make the effort to find and block all UltraSurf IP addresses? Because the battlefront is about defaults. If the user tries to access a site and it's blocked, then only a tiny proportion will make a significant effort to circumvent the block. (The exception would be when an extremely popular site like YouTube is blocked; operators of Web proxy sites report that during these periods, they get so much traffic from Chinese users trying to view YouTube videos, that the servers often crash.) Similarly, if users see that 90% of the posts on a given forum are on one side of the issue, then they're more likely to think that's the majority viewpoint (whether they agree with it or not). Hence the usefulness of the army of 50,000 to invade forum threads. Defaults matter; would Internet Explorer have ever displaced Netscape's browser (kids, ask your parents) if it hadn't been the default browser in all versions of Windows?
So the moral for any would-be designers of new anti-Internet-censorship tools, is not to worry too much about whether there's a theoretical way (or even a practical way) that the censors could shut the tool down. UltraSurf became enormously popular without solving that problem, and perhaps another tool could as well.
It can also automatically sign you up for a government trojan horse upgrade or a special observation list. If you have nothing to hide, why use it? Anything that does not look like random noise or latest pop mp3s via p2p, will land you on said lists in countries with no human rights, so why bother?
How do you solve the problem where the jackbooted thugs come to your door because they now know you are using this software? Seems the only real advantage Chinese citizens have over the censors is the ratio of censors to users is very low.
Large print giveth, and the small print taketh away
Stopping the geeks with the ability to use a proxy was never the point. I can't get my grandparents to hold the mouse the right way around, no way would they be able to understand something like Ultrasurf. If it works on 90% of the people, it's working very well.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
The author does not seem to account for onion routing - which is what TOR essentially is.
There is no way to look up all of the nodes in a TOR network using the methods described - since they are using tunnels to reach secondary (and further) nodes, this only accounts for the first node you look up.
You can block the server that provides the first node, yes.
The one you know about. How many are there that you don't know about?
How about the one that's not behind your great firewall, but in some kid's bedroom?
Looks to me like you would most likely block stuff that's on your network anyway.
Partition the IP addresses, and then fingerprint the PC and use these based on the hash value.
The obvious solution is to block the IPs to keep it from working. But then another one will pop up and you'll have to block that, lather, rinse, repeat.
No, I'm sure places like China already know about it. Instead of preventing the access, it's probably easier to monitor who's using them when they connect to those addresses. People work around blocks easily enough. But if you let a circumvention tool work, especially one that results in easily traceable activity, why block it? Monitor, find the user, and do some "re-education".
Blocking is an arms race. People will make better blocks and others make better workarounds and it escalates rapidly. But if you let the current workaround keep working, more people will be using it, making it easy to monitor and track. And evolution won't happen as fast. It'll evolve so the monitoring programs will have to be adjusted, but when it works, the movement to evolve is far lower than if it was blocked and now you have a bunch of people trying to find a way to evade it.
If you really want to block out all the bad web sites, just install Norton Antivirus. It pretty much bricks the system. It also has the effect of blocking all the good sites too, but you can't have everything.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.
Other priorities? That's a new assumption, not stated before the final assessment was made. It seems like all the Chinese Gov't needs to do is give one person the task of keeping the Great Firewall up to date for UltraSurf's range of IPs, so to any user in China: "UltraSurf's network is likely to collapse any day now"
I get the feeling that the Chinese govt's attitude towards censorship has been changing. In a way you could say they are becoming more skilled with it and choosing to be a lot more subtle here and there. This is actually probably a lot more dangerous. Instead of hiding the truth they are using the censorship along with propaganda to make the people accept the truth and support it.
Probably in the future they'll model their whole system on the way the Western world uses the media to alter public perception. Of course they won't be stupid and hand over the reins to people like Rupert Murdoch. They'll keep that power for themselves.
Chinese internet filtering is justified publicly by stating that it is done to help Chinese people avoid inadvertent violations of the law, and that is how it is seen by most Chinese. The real purpose of the censorship there is to facilitate prosecution of dissidents by making it impossible to violate laws against anti-government speech and unlawful assembly inadvertently.
90% of the time, it works every time.
The purpose of the Great Firewall is to simply keep people from accidentally surfing to the "wrong" sites. If you are pure in heart, you wouldn't want to go places where Big Brother says you oughtn't to go.
If you're not pure in heart, then you get to go visit room 101. You'll get to go there when you manage to get your hands on the firewall evasion software written by Emmanuel Goldstein (and here I'm specifically referring to the character in the book, not Eric Corley).
Have every copy include a few dozen or hundred random addresses out of the larger pool. Add and "retire" addresses to the pool daily, so it won't be possible to see "retired" addresses by repeatedly downloading the program.
"Retired" doesn't mean no longer in use, just no longer included with new downloads.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
And how we burned in the camps later, thinking: What would things have been like if every Security operative, when he went out at night to make an arrest, had been uncertain whether he would return alive and had to say goodbye to his family? Or if, during periods of mass arrests, as for example in Leningrad, when they arrested a quarter of the entire city, people had not simply sat there in their lairs, paling in terror at every bang of the downstairs door and at every step on the staircase, but had understood they had nothing left to lose and had boldly set up in the downstairs hall an ambush of half a dozen people with axes, hammers, pokers, or whatever else was at hand. The Organs would very quickly have suffered a shortage of officers and transport and, notwithstanding all of Stalin’s thirst; the cursed machine would have ground to a halt!
–Alexander Solzhenitsyn
Make it target-dependent which IP addresses you send to whom. I've thought about this for copy-protection (but haven't told anybody). You can give every downloader his/her own copy of your executable with a fresh MD5. Make the executable contents (the IP address list) IP address dependent. Better yet, get 128 of them and give out a set of 64, based on the IP address and some awkward hash of the IP address. That way, every user has half of the targets (making the chance of finding a working host really big) but no country can get the full list (since they lack a few bits in the IP address range they use).
An idea?
Of course, you can keep swapping the IP addresses monthly/weekly or so to add to this.
Never assume your adversary is incompetent. If they can easily find and block all IP addresses used by this program, then why would they choose not to? I can think of one possibility, and it doesn't bode well for people who are using this program under the belief that it will protect their anonymity. We all know that monitoring *all* Internet traffic into and out of a country (especially one as populous as China) is a futile task. But suppose you could identify which fraction of those connections are specifically trying to evade government controls? Wouldn't it make sense to focus your attention on those connections? And instead of blocking them outright, why not trace them back to their source? Even if you can't decrypt the traffic, you can at least identify those "subversives" that could be in need of "reeducation". And remember that just because you choose to block those connections *right now* doesn't mean you can't start blocking them at some point in the future.
"Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party."
Comrade Minister of People's Internet Service Provider: "Comrade Minister of Enforcement of Proper Thinking, I am pleased to announce that Great Firewall 3.0 is now in place and operational."
Comrade Minister of Enforcement of Proper Thinking: "Comrade Minister of People's Internet Service Provider, this is a glorious accomplishment. We can now prevent all manner of dangerous information from reaching the people and disrupting our peace and prosperity. But..., you have blocked my access to RedTube. I can no longer perform my research into the disgusting sex practices of the Western Imperialist dogs."
Comrade Minister of People's Internet Service Provider: "Dude, have you never heard of UltraSurf?"
Every cruel dictator faces the same problem: He leads a country full of good men who want to do good things. It is slightly more difficult to oppose him than it is to follow orders but most of the people don't want to be cruel and do bad things to give someone else more power. There are always power hungry sociopaths that enjoy the chance to be violent but those people are a tiny minority and a small enough minority can never oppress a large one for long periods of time. So, good people need to make bad things or at least be able to watch them happen and not do anything to stop them.
Propaganda comes to play here. Perhaps the oppressed groups are lesser humans who shouldn't be given the same rights as you have. Perhaps there is a religion saying that the other group is evil and needs to be stopped. The excuse doesn't really matter, there just needs to be one. Then good people can convince themselves "Perhaps this isn't bad and just needs to happen...". And they will do everything they can to make themselves believe that claim because that helps them sleep at night and go on with their daily lives. The government can say "Those demonstrators we killed were violent anarchists" and they don't need to provide evidence, quite the opposite. People who read that from the news *want* to believe that the government tells the truth because otherwise their conscience would be too painful.
Then there comes the free press. Just like there are people who enjoy violence, there are people who just can't close their eyes. Those people will do the best they can to spread the information about what is happening. They will do their best to force the large, good population to see what is happening. To prevent them from looking away.
Censorship comes to play here. It isn't to prevent the people from seeking out information. It is to prevent people from being forced to see what is happening. To let them read the newspapers and live a normal life without seeing the truth.
Having a near-inexhaustible list of IPs for Ultrasurf would make tracking and filtering them all virtually impossible. That, combined with IPsec (required by IPv6) could either punch vast holes in the Great Firewall of China, or force them to step up their game considerably.
If it does prove to be a factor in fighting Chinese censorship, it is interesting that the massive growth of the internet in Asia has been one of the driving factors behind the need for IPv6 migration.
I prefer rogues to imbeciles because they sometimes take a rest.
The problem isn't only IP count but the fact that all the traffic ends up over a handful of trunk lines between any given set of countries. I once calculated that a single 64-bit subnet of IPv6 addresses would give you enough IPs to cover roughly every square centimeter of the Earth with IPv6 addressable devices, including uninhabited areas and oceans. We could allocate such an IPv6 subnet for use by a new short-link mesh topology network, set up completely between immediate neighbors and outside the control of any government. Longish range directed links could be set up along any border between a free/democratic nation and an authoritarian/censored nation. Any great-firewall would have to be augmented with a great-Faraday-wall as well. IPv6-to-IPv4 could be used at any sufficiently close neighbor node as an "escape route" both to balance connection loads and avoid censor tracking, in a manner similar but superior to I2P. The key is getting mesh topology routing technology cheap and in the hands of common people.
No joke.
http://www.wilderssecurity.com/showpost.php?p=1514487&postcount=106
Spread the word.
No, you know in theory which one you think you would choose, but until it actually happened, all you can do is guess about what you would do. In life or death situations, your rationale may change.
That's the point of coming to a decision beforehand under conditions where your judgement is not impaired, and then sticking to it. Game theory provides a rational framework for evaluating the interactions of two parties, and under many circumstances an advantage can be gained by pre-committing to a non-optimal course of action as your chosen response to a given set of circumstances... because the knowledge that your decision has already been made influences the decision of your counterpart.
As an individual in a life or death situation, attacking jackbooted thugs who are coming to arrest you à la Solzhenitsyn is not a good idea-- under most circumstances, cooperating would give a better chance of survival, so the rational choice is to not resist violently.
However, this entire equation changes if you have made it known that you have strongly pre-committed yourself to a course of action regardless of the outcome. In this case, your opponent can no longer assume that you will follow the rational course of non-violence, and the decision to send out the jackbooted thugs becomes more expensive given the likelihood of resistance at all costs... and it becomes much more likely that you will never find yourself in that situation.
That's why I make no secret that I have set limits beyond which the utter destruction of those attacking me would become my only goal. May God have mercy upon anything that triggers that, for they will receive no mercy from me.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
My usual favorite, FreeGate, stopped working around August of this year. There are sporadic times where the client software will find 1 server with >1000ms pings, which makes it effectively useless.
I tried every other free proxy client out there to no avail and gave up soon after. Apparently they're all blocked now.
I've got nothing now. No more youtube, no more boobs in gis along with 90% of other perfectly legitimate pictures (not to say that boobs are never legitimate), certain word searches in google will give me a reset connection error right after giving me a millisecond flash of the rendered page.
What really bugs me is sometimes when I'm googling I'll be hit by that connection reset error (like if my finger slips and out comes "constitstution" or something), and on top of that my connection to all google servers is cut for a few minutes (I guess timeout as punishment?).
I rarely curse back in the US, but I let the "fuck you"s fly freely here, and quite often.
(ctrl+a ctrl+c just in case something happens to this message...)
your thin skin doesn't make me a troll
Well, that is the procedure of censorship, but not the purpose of it. The end goal, as always, is to facilitate the expansion of government in terms of both power and revenue.
It seems trivial enough to detect all the IPs UltraSurf is connecting to when it's running on your computer.
For smaller sites, it's too expensive to block 1000+ IPs. For each user trying to connect to the site, his IP has to be matched against a table of size > 1000.
It's feasible for larger sites if their life depends on it, for example, Wikipedia. They block all the public listed TOR nodes.
For all ISPs in the nation to block some outgoing websites, it's a big task. It's not like running a clever little program on your PC.
Consider this: if you make it just harder than trivial to circumvent the block, then you get three categories of people.
1) The ones who don't circumvent the block. These are sheep. You can ignore them.
2) The ones who circumvent the block. These are opposition ringleaders. Watch them carefully.
3) The ones who circumvent it but only after a known associate already circumvents it. These are motivated followers. Subvert and enlist them.
As Yogi Berra said, "You can observe a lot just by watching". In this case, UltraSurf provides a way for the Great Wall operators to _automatically_ find your enemies of the state- and prime followers.