Inside the Great Firewall of China's Tor Blocking

Trailrunner7 writes with an article at Threat Post about China's ability to block Tor. From the article: "The much-discussed Great Firewall of China is meant to prevent Chinese citizens from getting to Web sites and content that the country's government doesn't approve of, and it's been endowed with some near-mythical powers by observers over the years. But it's somewhat rare to get a look at the way that the system actually works in practice. Researchers at Team Cymru got just that recently when they were asked by the folks at the Tor Project to help investigate why a user in China was having his connections to a bridge relay outside of China terminated so quickly. Not only is China able to identify Tor sessions, it can do so in near real-time and then probe the Tor bridge relay and terminate the session within a couple of minutes."

And you say Chinese can't innovate

[DCTech]

Clearly they're one of the best software engineers in the world when they want to, being capable of real-time packet inspection and probing. China has over 1.7 billion people who almost all want to work in IT. They will rule the world.

Re:And you say Chinese can't innovate

Where did they pick up the extra 400 million people from?

Re:And you say Chinese can't innovate

[axx]

Do you really believe that a census on over one billion people, who have (who had?) an incentive to lie about their progeny, is credible?

Hell, I might be wildly off the mark but for all we know there could be two billion people in China, I wouldn't be that surprised.

Hopefully someone more aware of the reality of the situation will chime in.

Re:And you say Chinese can't innovate

[gman003]

Wikipedia cites 1.3 billion

The margin of error in the US census is 0.009%.

Even allowing for China to have a margin of error a hundred times that of America's, you're looking at a maximum inaccuracy of ~12 million people, not 300.

Re:And you say Chinese can't innovate

[Ethanol-fueled]

Haw, I might believe you if you can prove to us that it's solely Chinese technology doing the filtering, and not solutions from Western vendors such as Naurus or Procera.

All of the big links provide only details about the type of filtering and not the hardware used.

Re:And you say Chinese can't innovate

[cp.tar]

Despite the error in your numbers, your post reminded me of Focus in Vernor Vinge’s A Deepness in the Sky.
Spooky.

Re:And you say Chinese can't innovate

[Tracy+Reed]

Or they paid some round-eye to implement this for them. They certainly have the resources.

Re:And you say Chinese can't innovate

[saleenS281]

You're assuming they're building it themselves. Given the recent accusations and lawsuit against Cisco, it's entirely possible that a US or some other country based company is writing the code they're using.

http://www.huffingtonpost.com/2011/05/23/cisco-falun-gong-lawsuit_n_865585.html

Re:And you say Chinese can't innovate

[QQBoss]

It isn't an issue of error bars, it is more an issue of outright fraud in the census.

Illegal aliens (both internal and external... do you know anything about the hukou system?) have an extremely high incentive to remain uncounted, particularly if they have children.

From 2008:

http://www.china-briefing.com/news/2008/09/01/is-china%E2%80%99s-population-really-13-billion.html

Re:And you say Chinese can't innovate

[wisty]

Are they actually capable of real time packet encryption; or do they just run it like a proxy? The lag can be horrific, like there's some server at the border waiting for the whole page to download, before they forward it to you.

Re:And you say Chinese can't innovate

[lsatenstein]

Is it perhapa a combination of quality software engineers and the quantity of software engineers that China can put to the monitoring function? With quantity and quality, one can divide and conquer.

Re:And you say Chinese can't innovate

[swalve]

Where did these 400 million people come from? That would basically be the entire population of the rest of Asia, besides India.

Re:And you say Chinese can't innovate

[tibman]

You mean ssh and ssl type connections?

Re:And you say Chinese can't innovate

[sadboyzz]

The reality of the situation in China is that the government is under _huge_ pressure to drop the draconian population control policy, aka one-child policy. However, there is no sign from the regime that it would even consider budging on this issue. So if anything, they have an incentive to _overstate_ the population, rather than understate it.

The other reality is that hundreds of elementary schools rural areas were closed down over the past few years due to not having enough school kids. Class rooms that once hold 40 children were down to 5, so the local gov simply closed the under attended schools and moved the children into bigger schools in towns, forcing some kids to travel great distances just to get to school everyday. The Hong Kong based Phoenix media ran a documentary on this a couple of years ago, which for some reason, was not aired in mainland China.

Re:And you say Chinese can't innovate

[QQBoss]

How many people are actually in China, I am in no position to guess. But I am in a position to know that census undercounting does occur and why.

As I mentioned, the "uncounteds" are both internal and external illegal aliens. Unlike most of the Western world, where the right of free travel is assumed, within China you are only legally allowed to live/work/"own" property in the place where you have a hukou (this is a gross oversimplification, but it is the beginning of a discussion). Many of the presumed 400M illegals are native Chinese who have chosen to live where they have no permission to live, doing so under the radar to avoid sanctions which in the past could have been quite onerous. They aren't at their home city to be counted (though children usually are, staying with grandparents, since without a local hukou they have no right to go to school where their parents are living) and they avoid being counted in the city where they are living because they could be forced to return to their officially registered home.

About 6 or 7 years ago, the hukou laws were supposedly eliminated, but anyone who says they have been completely abolished is wrong. Decentralized, perhaps, but they still exist and are enforced whenever the right government official gets their panties in a wad. Unless and until the hukou laws are actually abolished, the charade will continue.

Re:And you say Chinese can't innovate

[crutchy]

Where did they pick up the extra 400 million people from?

that might be their daily population growth :)

Re:And you say Chinese can't innovate

[crutchy]

i would be less surprised if western companies were copying the chinese

Re:And you say Chinese can't innovate

[crutchy]

shhh... don't give them more ideas!

Re:And you say Chinese can't innovate

[rtb61]

Reality is by far the majority of Chinese in China work as near slave labour in factories or as peasants on farms working for a pittance. Don't get confused by numbers and percentages, plus independent thinking, striving for their voice, Chinese tend to be the ones who have already left and live elsewhere in the world. That is aproximately 40 million people http://en.wikipedia.org/wiki/Overseas_Chinese which you blithely reduce nothing.

The numbers of Chinese who have a voice in China and are in a position to control anything only number in the tens of thousands, it is an corporo-Fascist Autocracy after all.

Internet censorship in China is made significantly easier because by far the majority can not afford and must gain access through a limited number of internet cafe's. As time progresses and the majority of people living in China release how backward they are in their rights and how cowardly they have been in failing to fight for them, will of course start to baulk at passing that future on to their children and grandchildren and strive to break the autocracy that controls them.

So in a future China where 1.3 billion want internet access, we will see how effective the government is at censoring them and keeping them cowed.

Re:And you say Chinese can't innovate

[ron_ivi]

Sure, but Cisco probably outsourced the work to China.

Re:And you say Chinese can't innovate

[Troed]

Why do you claim that over population is a huge problem? The rate of human population growth has been declining for decades. It currently seems as we'll never even hit 10 billion before we drop in total numbers.

I recommend Hans Rosling on the subject: http://www.ted.com/talks/hans_rosling_on_global_population_growth.html

Re:And you say Chinese can't innovate

[Max_W]

Since they are isolated from the world the soft will reflect it by being limited and boring.

Re:And you say Chinese can't innovate

I left my job at a major router company around 2004 specifically because Chungwah Telecom was asking for us to implement features to aid spying. Although, interestingly enough, you had to read between the lines to understand that it was for spying... A lot of the techniques that do it are essentially system testing-sounding features like "clone traffic matching this IP to a second address on a different port."

At that time, deep packet inspection was not yet a reality, but any engineer could easily see that, as the data/traffic moves through numerous custom ASICs and FPGAs, and the headers get inspected, why not examine more of the data in the packet? The first stage I saw of it in the public at large was detection of layer 5 and up protocols, e.g. traffic-limiting bittorrent.

Last time I was in Taiwan (which has a grumpy relationship w/ China), one of my younger student friends in a University there demonstrated, as his Master's project, an algorithm to detect images without (fully) decoding them. The secret there was to extract, from JPGs only, the DC blocks representing the average RGB values of each 8x8 block. If you know JPG you'll recognize that. The system then ran conventional "porn detection" algorithms, etc. on the extracted mini-images.

So, yes, I can verify that 1. American companies are writing code to spy on the rest of the world and ourselves. 2. Chinese are asking for it, just like any other feature. 3. The requests for capabilities are often subtle, such that most engineers don't realize what the algorithms are doing and 4. capabilities to do this are steadily growing more powerful.

So, now, what are you going to do about, boys?

Re:And you say Chinese can't innovate

[tlhIngan]

Why do you claim that over population is a huge problem? The rate of human population growth has been declining for decades. It currently seems as we'll never even hit 10 billion before we drop in total numbers.

I recommend Hans Rosling on the subject: http://www.ted.com/talks/hans_rosling_on_global_population_growth.html

Population growth has to slow down, bacause it's been excessively high for the past centure.

Just scant century ago, the population of the world was under 2 billion. Now it's 7. In just 100 years, the human population more than tripled. In contrast, the previous 100 years prior to that, it barely doubled from about 1B to just under 2.

Anyone who sees the population curve over the past few hundred years would see exponential growth, but anyone who knows history that it's unlikely to be sustainable.

The question becomes, though, can the Earth sustain it? Are we using up banked natural resources (like oil) faster than such resources can be renewed? And more importantly - what about the environment - climate change or no, pollution is an issue (unless you believe Beijing's air quality reports).

Re:And you say Chinese can't innovate

[Troed]

Feel free to watch the link I gave you, and understand that we're already on a growth limiting curve. There is no "population explosion". The exponential is declining. You can stop worrying.

(Pollution was an issue centuries ago in London as well, as it is in wood stoves in India today. Technological development does wonders for air quality)

Re:And you say Chinese can't innovate

[Actually,+I+do+RTFA]

So in a future China where 1.3 billion want internet access, we will see how effective the government is at censoring them and keeping them cowed.

Censoring people on the Internet is quite easy. You can simply whitelist five pages (Ilovethepremier.com, ChinaRocks.com, etc.)

But beyond that, technical measures will only take you so far. There's no "reasonable doubt", after all. Chinese official, "We blocked a Tor connection from 123 fake street, go arrest and execute everyone there."

Re:And you say Chinese can't innovate

[Toonol]

Education and wealth. It's worked in every western country, and in advanced eastern countries.

Re:And you say Chinese can't innovate

[Troed]

Because there is a point where you don't have enough food and water to keep people alive.

Maybe. Why do you believe we're anywhere near that point?

That is a horribly misleading statement.

First, saying the growth rate has slowed is not at all the same as saying we have a negative growth rate. Therefore your claim that we're unlikely to hit 10 billion is entirely unfounded.

It's neither misleading nor unfounded. The UN median population projection is for us to never hit 10 billion. You know, based on actual data.

Second, the only reason it's been "declining for decades" is because decades ago we had a massive population boom.

No, please go watch the supplied video which contains, again, actual data.

What's your agenda, and why do you post lies on the intarnetz?

Re:Fear & Lolling

Care to name some? Many free public proxy servers are banned, and the paid ones are expensive enough, such that the masses cannot afford it.

Re:Fear & Lolling

[mveloso]

VPN access exists as long as the Chinese government allows it to exist. If they can probe and whack TOR, that shows they can whack anything - and that they choose not to.

Note that some sites in China do actively block VPN connections.

My college did it easier

[The+MAZZTer]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

Re:My college did it easier

[The+MAZZTer]

Whoops, looks like they're called "directory servers". Not sure if I remember it wrong or if I really did think they were called "dictionary servers".

Re:My college did it easier

[TSHTF]

Tor has changed since you read last... "Bridges" were added to Tor and are not listed in any central directory.

Tor bridges

Re:My college did it easier

You can use Tor without connecting to directory servers. That's the point of bridge nodes, which this article is about...

Re:My college did it easier

[xiando]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks. At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

This was the situation. Countries did download the entire Tor directory and block all the nodes listed in it. This is why bridge relays were invented, and there is no public list off all bridge relays. It works like this: You get a bridge address, you connect to a bridge and the bridge then connects to the Tor network. This changed the arms-race. GFW is now able to detect the Tor bridges and this is a set-back for the Tor-project. They will find a solution which fools the GFW and the Chinese will lose face.

Re:My college did it easier

[Synerg1y]

But... but, if you have an unlisted / unknown proxy server that accepts YOUR connections, wtf is the point of TOR lol? Just start channeling through it over the designated ports. I mean it just uses SOCKS along w the other proxies, tor's gold lies in obfuscating your connection by sending it through relays around the world. Not sure what else is going on that would prevent the above. Either way you set with what tor calls a bridged node :)

Re:My college did it easier

[BitterOak]

Tor has to connect to so-called "dictionary servers" periodically to refresh its list of tor nodes to try to use. If you block those servers, tor breaks.

At least, that's how it worked when they finally figured out how to block it after 3 years. Maybe tor has improved since then.

We have to remember though what Tor was designed to do and what it was not designed to do. Tor was designed to protect the privacy of individuals who don't want their browsing habits revealed. It does this by preventing your IP address from being available to the web server you connect to, and additionally it encrypts traffic so intermediaries, such as your ISP can't snoop on your traffic. It was NOT designed as a means of bypassing firewalls that are actively try to block Tor. That was never its purpose.

Re:My college did it easier

Any SSL connection from China to outside is tracked and they attempt to connect to it in a few minutes after original connection is made. They try to establish a tor handshaking and if it succeeds, the IP is blocked in the great firewall.

Re:My college did it easier

[Fluffeh]

It was NOT designed as a means of bypassing firewalls that are actively try to block Tor. That was never its purpose.

Totally agree that it was not the original purpose, but I would add to your comment and congratulate the folks behind Tor for taking a stand and trying to allow their software to get past the GFW. Sometimes when you realize that your software is being used for something more important (possibly something much more important than not letting your ISP know what you are doing) then it is a great opportunity to change your purpose somewhat. If the purpose itself isn't being changed, then it is still heart warming to see the effort being made anyhow.

Re:My college did it easier

[cool_arrow]

my understanding is that connections to and from entry and exit nodes are unencrypted . only connections between relays are encrypted.

Re:My college did it easier

[icebraining]

Yes, but the entry node runs on your machine.

Re:My college did it easier

[BitterOak]

my understanding is that connections to and from entry and exit nodes are unencrypted . only connections between relays are encrypted.

Out of the exit node: not encrypted, but your IP address is hidden, which is what is important at that end. Traffic to the entry node IS encrypted, otherwise your ISP would be able to snoop your browsing habits!

SSH

[axx]

Does this mean people should start tunnelling their Tor connexions through SSH, at this point?

Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.

And if so, does it run (Red Flag) Linux, obviously.

Re:SSH

[xiando]

Bugged planet indeed, I wonder if any of our lovely "free world" companies like Amesys or Siemens are selling the DPI gear, or if China is using a fully homebaked solution.

If you watch the 28c3 Torproject presentation available at http://tinyurl.com/7c893sl then you will learn that western corporations like Intel, Nokia and Cisco are heavily involved in Internet surveillance and censorship around the world.

Re:SSH

[toopok4k3]

I did not look at your link, but are you sure you don't mean Nokia Siemens Networks instead of Nokia? They are not the same thing.

obfuscation?

[wierd_w]

If we learned more about how they detect the tor session, couldn't we obfuscate the data to combat detection?

I mean, encrypted data stands out from normal traffic like a sore thumb, and unless the user is a bank, transacting large amounts of it puts up a red flag. But, what if we obfuscated the data so that it looks like ordinary unencrypted/uncoded data?

Re:obfuscation?

[DCTech]

And Chinese will just block it again. And unlike slower cat-and-mouse game in western countries, Chinese can react quickly without going thru all the hierarchies and courts. At the same time, Tor project needs to keep updating their clients and servers, and it probably doesn't take anything at all for Chinese to block new changes. They have the advantage here.

Re:obfuscation?

[mSparks43]

I mean, encrypted data stands out from normal traffic like a sore thumb.

Actually, I think this is something of a myth.
"normal traffic" these days is mostly compressed.
Since the goal of both encryption and compression is to achieve a byte stream that is otherwise indistinguishable from random noise, I don't think one set of random noise stands out much more than another set of random noise.

Only thing that really separates traffic these days is imperfections in these algs and the negotiation protocols.
____
My suggestion for their problems would be to negotiate an otherwise compressed stream that is widely used (e.g. gzip) then tunnel the encrypted data through this stream, ideally encrypting post compression.

Re:obfuscation?

[timmy.cl]

And most of the traffic (HTTP) has cleartext headers preceding the actual data, which size can be matched to Content-length, and can be easily decompressed to verify. I'm not saying they should verify all of it, but they can always take some samples of suspicious connections (e.g. those with unreasonably high traffic where there doesn't seem to be a reason for it). In the end, it's all about finding suspicious traffic (or users?) and inspecting them more closely.

Re:Tor is designed to be easily censored

[nurb432]

FreeNet would have been a better choice i think. harder to track down who is running it. Tho not impossible.

Thank you Chinese government

[circletimessquare]

for helping us build more robust Tor protocols

Oh, you thought you were going to actually kill the average Chinese citizen's desire for free access to information? You didn't understand that a stronger Tor protocol or something even better than Tor is the actual result of your escalation of the arms race?

You're pretty ignorant about basic human nature, aren't you, you authoritarian assholes.

Oh, and btw you grumpy old shitbags:

http://www.nytimes.com/2012/01/04/world/asia/chinas-president-pushes-back-against-western-culture.html

The reason you are lamenting the influence of Western culture on China, and not basking in pride at the influence of Chinese culture on the West, is because YOU CENSOR EVERYTHING IN YOUR CULTURE. So Chinese Culture is hobbled and decimated. Because you think you can control, nevermind why you think you should control, Chinese thought. Instead of a great big strong tree, you have a demented little broken bush. Because of YOUR efforts at preventing Chinese culture from growing, by censoring everything, you morons

You ignorant controlling douchebags. Your average Chinese citizen understands this, why don't you you stupid old and decrepit paranoid control freaks?

Re:Thank you Chinese government

And how you do really feel?

Re:Thank you Chinese government

[circletimessquare]

Question: what is the greatest ally in the growth of Western Cultural influence in China?

Answer: The Chinese Central Government, for working so hard to make sure that Chinese Culture can't grow.

They think that controlling culture, and growing it, are compatible concepts. Culture grows when it freely crosspollinates with other world cultures. Japanese culture has freely been assimilating culture from around the world and we still recognize a distinctly Japanese culture. The game of controlling culture and "protecting" culture from "illegitimate" influences is the game of the insecure little person who believes Chinese culture is inferior. The person proud of being Chinese is freely dabbling in world culture, infusing their own thoughts, and defining Chinese culture as strong and new. Culture needs to crosspollinate to survive and grow. Sit on it, control it, keep it in a box, and your culture dies.

Look at what these ignorant insecure douchebags are doing:

http://www.nytimes.com/2012/01/01/world/asia/censors-pull-reins-as-china-tv-chasing-profit-gets-racy.html?pagewanted=all

I know: I can hear the typical snobby Western voice now: "I wish my government would censor the Kardashians and Jersey Shore."

And for thinking that way, you have merely identified yourself as knowing nothing about how culture actually works, and have allied yourself with authoritarianism. congratulations, you're ignorant and you're an asshole. i'd much rather have people watching jersey shore than some government entity telling them what to see and watch. and there is nothing wrong with the pursuit of empty guilty pleasures, that's a PERFECTLY VALID SEGMENT OF CULTURE. think of it as creative ferment from which greater cultural products spring forth. without the base of empty silly nonsense, the "higher" cultural products have nothing to grow out of.

Re:Thank you Chinese government

[f3rret]

I don't think the Chinese can hear you homie.
Maybe you should try doing it in all caps, that's louder.

Re:Thank you Chinese government

[circletimessquare]

Freedom of speech is a human concept, not a western concept. Or I suppose your condescending patronizing opinion is that nonwesterners like being slaves?

Re:Thank you Chinese government

[circletimessquare]

i never understood this point of view. that because we have domestic problems we cannot criticize others. on that basis, no matter how much worse a country is, we can never criticize them

"there is a problem somewhere in my country. therefore i will refrain from critical thinking on international issues"

i just don't understand

is it because you think it is hypocrisy? you do realize the nature of american censorship is far different from that of chinese censorship? the inability to express your politicla opinion: is that the same thing in your mind as media cartels making a desperate bid to remain relevant in the internet age?

"some congresscritters have whored themselves out to support SOPA. this is exactly the same as china not allowing any political dissent."

really? do you lack all critical thinking skills or do you just avoid the skillset?

Re:Thank you Chinese government

[crutchy]

freedom of speech is a human right

i agree, but...

the problem in "free" countries like america is that some people just don't know when to shut the fuck up

Re:Thank you Chinese government

I, for one, love the Chinese People and their beloved Party and all their initiatives and hope that they succeed in protecting their wonderful ancient culture from Western hegemony.

Re:Thank you Chinese government

[elewton]

It's not actually a real problem.

I've developed a method for reducing unpleasant stimulus by avoiding it, rather than interfering in the communication of others. I'm hoping to make millions by patent trolling.

Re:Thank you Chinese government

[Tokolosh]

You make the case that western culture will prevail over Chinese culture because it is free. The implication is that competition in the marketplace of ideas makes things better.

So, taking my cue from your tagline, the Chinese government should just vigorously enforce US copyright law (which they do not currently), and the western threat will subside. Lets call it Sino-Offence Preventing America.

Wake up people! Lack of copyright in China is not stifling US innovation and creativity!

Re:Thank you Chinese government

[Toonol]

You're uneducated. The philosophical fundamentals of free speech were being discussed 2,500 years ago by the Greeks (along with its corollary, free inquiry and scientific thought).

Re:Thank you Chinese government

[circletimessquare]

you're an idiot or a clever troll

did newton invent gravity?

Re:Thank you Chinese government

[crutchy]

Americans put the right to sue above all except their rather creepy gun fetish "right to bear arms", so while you may be free to say what you want, you could either be sued or shot as a result.

Re:Thank you Chinese government

[Alex+Belits]

Nope. France, 18th century.

You are confusing it with democracy, a completely different concept.

Re:Thank you Chinese government

[TangoMargarine]

IIRC in Athens they let any random citizen stand up in the forum and speak their mind.

Re:Thank you Chinese government

[Alex+Belits]

That's not freedom of speech, there is no dissemination or publishing.

Re:Thank you Chinese government

[TangoMargarine]

Unless you can cite something that specifically says that they outlawed making pamphlets or whatever about what went down at the forum, I'm going to go ahead and assume they had that option. I mean come on, this is THE ancient republic we're talking about here.

Re:Thank you Chinese government

[Alex+Belits]

I am pretty sure, the concepts of a "pamphlet" or "journalism" were not invented yet, and wouldn't for literally millennia after that.

Greece, and later Rome, relied on speeches, debates and art performances made in person. Only few people, usually ones constantly in contact with power structure, were sufficiently skilled in then-accepted forms of public speech and debates, and fewer could afford any sustained effort of in-person organization of opposition to the prevailing power structures and position. Most debates were in a form of blatant psychological manipulation/demagoguery that was far beyond the skills of a common person, and usually achieved anything but promotion of the good of the public.

The idea of "free speech" was meaningless in such environment because there was no effective way of preventing orators from speaking to begin with -- demagogues virtually owned the government and in their turn were owned by wealthy elite. If anything, there was not enough of those people to fulfill the demand for them.

Needless to say, all such systems, without an exception, eventually were replaced with monarchies -- either foreign conquerors exploiting their weaknesses, or through locally developed coups. Monarchies set in their place, relied on strict and unchangeable hierarchy of aristocracy, and did not tolerate any challenge, by words or action. Please note that it was still long before the invention of mass distribution of written word, printing press and journalism -- the only way to create an effective opposition was to assemble a group of aristocrats and kill the current ruler. Public speech had very little to do with it,

Moderm idea of "free speech" owes its existence to the situation created much, much later around 18th century in Europe. Power structures, still in the framework of monarchy, were ready to be influenced by a small number of educated people. "Masses" consisted of a huge, huge numbers of illiterate peasants scattered over vast stretches of land. The only way to speak to those masses beyond a small group, is to be a church official in control of priests, the only kind of people capable of delivering propaganda in any effective manner. For everyone else, talking to masses would be a ridiculous waste of time, and likely a danger of being proclaimed a blasphemer by the above mentioned priests. Masses were not the target.

On the other hand, aristocracy was literate, at some extent educated, and directly a part of the political system. Any better-educated person who somehow gained access to those people's ears, can influence their decision. Book publishing exists, and since 15th century it is possible for a reasonably wealthy person who really, really wants to say something, to write a book once, and get it picked up by each and every aristocrat in the area that shares the writer's language. Of those, most convincing authors will shape the thought of aristocrats at least at comparable extent as the church (that has separate and privileged access to all of them).

Here is the problem -- there are too few authors, and opinion expresses by one may disproportionally affect decisions made absolutely everywhere, just because every aristocrat has the same books and usually is receptive to the same kinds of expression as everyone else on his level of hierarchy. Authors don't compete for attention as much with each other as with readers' boredom and church or upper layers of government who by then developed a habit of banning books that pissed someone off. Lucky writers won't create fads that last for a year -- there are no fads, commonly accepted ideas and tastes shift at the scale of decades, not months. Influences are lasting. And the key word is luck -- there is no quality control, just ideas expressed in a way that is more attractive or less attractive to the aristocrats who in their turn have very little diversity among their peers and will be receptive to the same things.

In this environment, there is one great solution to increase the quality of decision-m

Re:Thank you Chinese government

[Alex+Belits]

And here is the problem, wealthy people and organizations are already in the constant state of being sued, and it does not hurt them a single bit. Even if it was possible to sue a newspaper for deception of the public, and win such a lawsuit, it would not cause sufficiently public-visible correction, and can not discourage future deception.

Without "freedom of speech" proclaimed in such absolute manner, it would be possible to have a recourse for extreme and willful acts of betrayal of the public -- such as forced cease of operations and dissolution of the publishing company, criminal charges for individuals involved, etc. There are many situations -- war propaganda on false premises, misrepresentation of laws being placed on a public referendum, false announcement of voting times and locations, inciting violence and discrimination toward groups of people, unmarked advertisement for known-dangerous products, etc. when consequences are so extreme, they warrant response of this extent. But noooooo, Americans believe that just because it may provide yet another way of targeting innocent people (to join thousands of already existing ways to do it more effectively), the right to lie to the public must be preserved.

Re:Thank you Chinese government

[crutchy]

actually i think that a lot of those scenarios you mention would be in violation of other statutes, so while you may be free to say things, the consequences of what you say may result in criminal charges (such as "unmarked advertisement for known-dangerous products" most likely being in violation of OH&S laws). some people are stupid enough to think that "free speech" is the be all and end all, but they don't realize that its still possible for your mouth to write cheques that your body can't cash.

Re:Thank you Chinese government

[Alex+Belits]

actually i think that a lot of those scenarios you mention would be in violation of other statutes, so while you may be free to say things, the consequences of what you say may result in criminal charges (such as "unmarked advertisement for known-dangerous products" most likely being in violation of OH&S laws).

No, it only would cover people who produced the product and ordered the advertisement. As far as I know, those who marketed and advertised it, no matter how complicit, are safe. It's also possible that allowing distribution of a dangerous product serves the interests of society (ex: alcohol, tobacco), but advertisement and promotion of its use causes nothing but harm and there is no excuse for allowing it other than "right to profit" or similar nonsense. In US all (ineffective) restrictions on alcohol advertisement come from alcohol producers themselves, tobacco restrictions only happened after massive embarrassment, and no one was ever punished for advertising those products before such advertisement was explicitly banned. The last part is very important -- one would expect that in a sane legal system, knowingly causing death and diseases by conspiring to deceive hundreds of millions of people would cause some penalty all by itself.

some people are stupid enough to think that "free speech" is the be all and end all, but they don't realize that its still possible for your mouth to write cheques that your body can't cash.

In some situations -- when particular person suffered immediate damage, and it happens to fall under very narrowly defined libel/fraud/..., and the person was willing to gamble on a civil lawsuit against people and organizations hundreds of thousands to tens of millions times richer than he is -- existing law "works". However interests of the public, ones that are supposed to be protected by criminal law, still can not trump the sanctity of "free speech".

Re:Thank you Chinese government

[circletimessquare]

hey, genius:

cavemen said pretty much whatever they wanted. the idea that there is a government that can control your type of speech is the modern invention in question here

freedom of speech is the baseline of simple existence

seriously, you're a complete and utter moron, or one very hard working troll

Re:Thank you Chinese government

[Alex+Belits]

cavemen said pretty much whatever they wanted.

In public? At whatever time when "cavemen" (that's a pretty broad definition of a period in human history) had the concept of public speech to begin with?

"Free speech" as it is proclaimed, applies to, and only to public speech. It was either extremely difficult or heavily regulated for various reasons everywhere, over the whole history of mankind, with exceptions I have described.

Please note that even Wikileaks people claim that they engage in protected free speech because they speak to the public. If they distributed the same information privately, their actions would be clearly espionage.

Re:Thank you Chinese government

[circletimessquare]

dear hard working troll:

your words do not pass the laugh test. try harder next time

sincerely,
rational thought

Re:Thank you Chinese government

[crutchy]

As far as I know, those who marketed and advertised it, no matter how complicit, are safe. It's also possible that allowing distribution of a dangerous product serves the interests of society (ex: alcohol, tobacco)

you're getting a bit pedantic here. advertising agencies merely speak on behalf of their clients - they are an instrument - like a megaphone (which is why the client would be in trouble, not the advertiser). although if the client is a big fish with a lot to lose you can bet the advertiser would have to defend themselves in court, and if they didn't have their ducks in a row they would go down too.

I was also referring to things that would violate OH&S legislation by not advertising them as being dangerous (more things like if you supply drum full of chemicals to some factory, and a worker gets injured because they weren't aware it was full of dangerous chemicals - because the dangerous chemical wasn't marked - then the supplier of that drum would face criminal prosecution for violation of OH&S requirements.

in a sane legal system, knowingly causing death and diseases by conspiring to deceive hundreds of millions of people would cause some penalty all by itself

in Australia, James Hardie http://en.wikipedia.org/wiki/James_Hardie#History_2 is still paying victims of diseases resulting from exposure to asbestos in products it manufactured years ago. You can be sure that if a legal loophole is discovered that requires compensation for smoking related illnesses, there will be a class action like the world has never seen. I wouldn't write off the possibility. Legal systems are slow to evolve and process things. While it may seem that cigarette and alcohol companies are off the hook, it may be another 20 to 50 years, but the legal system may eventually catch up with them. Many smoking related illnesses aren't understood well enough for use in prosecution of cigarette companies, whereas in the James Hardie case the evidence was a little more clear. Cigarettes and alcohol also provide governments with a handy revenue stream from taxes (which is possibly criminal in itself because governments may be profiting from the deaths of smoking victims).

interests of the public, ones that are supposed to be protected by criminal law, still can not trump the sanctity of "free speech"

i understand all those words, but i don't really understand what you're saying there (sorry). i assume by public interests protected by criminal law refers to things like murder, rape, fraud, drink driving, etc. I don't see how these can be trumped by free speech. If a guy commits rape (for example), a well paid lawyer might save him, but free speech won't do much for him at all. You may be free to say "not guilty" in court, but it doesn't mean you're not going to spend a long time locked away behind bars.

Your freedom to speak could land you in perjury (if you are found to have lied in court), it could have you charged with sexual discrimination (if you speak inappropriately to a female coworker), if you verbally abuse a police officer, cause a domestic disturbance (yelling and carrying on at home so loud that it disturbs the neighbors), screaming "bomb" on an airplane when there isn't one, name-calling to a young African-American man with a 9 mm pistol in Harlem, New York at midnight, etc. That's what I meant about "you're mouth writing checks that your body can't cash".

Not that much new here...

[A+beautiful+mind]

Tor exit node based blocking has been used on various IRC servers to combat abuse for years and years now, The chinese might be doing something more fancy, but that only shows that they didn't go for the fairly easy and quick solution.

Re:Not that much new here...

[xiando]

Tor exit node based blocking has been used on various IRC servers to combat abuse for years and years now, The chinese might be doing something more fancy, but that only shows that they didn't go for the fairly easy and quick solution.

The Torproject responded with bridges when countries started to block entire countries like those IRC servers do. The entire list of Bridges is not public. What GFW now does to detect and block those bridges is something new and it is something entirely different. The "download the entire list of Tor servers and block them" method was used and stopped being efficient thanks to Tor bridges.

Re:Not that much new here...

They're not blocking exit nodes -- they're blocking your first hop(s) into the tor network

Re:Not that much new here...

[dissy]

I've used the previous method on my own IRC network, not to block Tor outright, but to prevent people from clicking 'refresh' to get a new IP and avoid channel bans or client side /ignores placed on them after spamming, harassing others, and generally trying to go where their behavior makes them unwanted.

With a daemon linked to tor, my server can send some info to the tor network to ask if this is a tor connection. It needs my servers IP and port, as well as the users IP and source port.
Upon a successful reply, services changes that users vhost to @tor
It's fully up to each channels ops how to handle it, if at all.

Some channels do +b *!*@tor while others have the same ban but add exceptions for registered nicks using +e nick!*@tor while yet other channels are nothing BUT tor users.

I've never seen someone refresh their Tor IP and reconnect from a node that wasn't also detected by this method.
I haven't heard of tor bridges until just today, however their use doesn't seem to aid with harassment or spamming from what I can tell.

We also do bayesian filtering where if the IP is on 4 or more of the 8 DNS blacklists checked, they get a temporary 10 minute gline with a URL showing which blacklists failed, and links to each for figuring out exactly why one is listed, and after cleaning up any infections they can request a delisting.
As that process usually takes more than 10 minutes, this filtering method only stops bots and other automations, while a human can easily fix the problem and not be denied their chatting.

It's pretty hard these days to find a decent balance between allowing privacy while at the same time preventing obvious abuses like spamming, harassment, and bots trying to DCC trojans to not-so-net-savvy newbies.

I had absolutely no issues with Tor when their goal was only to provide privacy and anonymity. But if their new goals are to provide an easy and one-click way to avoid bans set on a particular user with bad behavior through their service, then it will only serve to harm their reputation (for good reason this time)

Re:Not that much new here...

[fotoguzzi]

Hmmm, parent post gets a +2 and a rant that seems to do nothing more than to call people mean doo-doo heads and link to the New York Times gets a +5.

Re:Not that much new here...

[dissy]

Welcome to Slashdot ;}

It's OK though, in 4-5 days after this article falls off the front pages and no real moderators are watching the comments any longer, the trolls will come back and finish modding me down to -1. It's already begun.

Trolls live for making a presence where they know they aren't wanted.

There's a group of them that do this to me every few weeks.
They always wait until the thread is almost a week old but just before it gets locked for archival. Then no one is around to fix the down mods.
It's pretty flattering actually :D

But I wish Slashdot would consider upping the +5 cap a couple points to help counter that.

Re:Fear & Lolling

I won't name any, advertisement for it are common if you surf popular websites from Panda Land. But I can tell you that yes, it's not for free, but no, it's not expensive, affordable for a Chinese city dweller level of income (8 USD for 6 months, about 50 RMB, which is the price of cinema ticket without the popcorn bucket).

Re:Tor is designed to be easily censored

[xiando]

Freenet and I2P both serve their purpose. None of them serve the same purpose as Tor. Tor lets you connect to the normal Internet so you can view your normal web comics, visit CIA information gathering honey-pots like Facebook and so forth. Freenet and I2P are designed for hidden internal traffic in those networks. Sure, you can share a file on Freenet, but you can not visit your favorite news website. Different tools for different jobs.

Lose face

For those unfamiliar with the concept "face", it's the social equivalent of getting modded -1

Vent much?

[s.petry]

I get it, we all do (or at least I hope). But do you really think that the Chinese government reads /.? We can hope, but sheesh if world leaders can't get them to open up why would they listen to someone vent on /. and say "Eureka! He's on to something!"

Tor, China and the USA

[xiando]

I tell you, free speech and freedom in general in America is doomed. The NDAA2012 combined with SOPA is just another brick in the wall on the path towards a completely tyrannical fascist government. Some Americans argue that the USA is there already. Today we are talking about Tor being blocked by the Great Firewall of China. How long will it take before we are talking about the Great Firewall of the USA blocking websites, software like Tor, I2P, Freenet and so on? Beware that western corporations like Intel, Cisco, Nokia and Siemens are the ones who are delivering the technology used by countries like China. The US and the west already has this technology. I do not see it as a question of if but when these technologies will be used in the US and other "free" western countries. The Tor project should be supported. Why people in other countries need it today may be why you need it tomorrow.

Re:Tor, China and the USA

you're a fucking moron. the united states of america is nothing close to communist. did you just type a bunch of shit and hope you look brilliant by chance? ...further evidence that most americans dont realize how good they have it, and that most stupid americans continue to misuse labeled like "communist" and "fascist"

these words have meaning beyond shock value when tossed around carelessly in conversation. words MEAN something. use the right words, or keep your stupid fucking ideas confined to your fat little american head.

Re:Tor, China and the USA

you have to understand though that tor in itself is not a longterm solution. Should the majority of users be in countries that have taken the path of USA or China, there would be no point left in using tor, which works on its user nodes.

Re:Tor, China and the USA

You're right--the US is nothing close to communist. The US is however VERY close to or has already acheived fascism, which is properly defined by the inventor of the word as the merger of corporate and state interestes. We absolutely have that. Right now the only thing we're missing is the traditional single dictator, but I'm not all that certain that it's required in version 2.0.

It is kind of amusing to see people equate "socialism" with "communism" or use either of those terms in conjunction with fascism though--and it's even more amusing to watch people blame government for "stealing" things when, at best, it's been the enabler of the theft by large multinational bankers and corporations. It's everyone's vaunted "private industry" and "free enterprise" that are the thieves. They rig the game, or they outright steal, and they use part of their takings to enable a media campaign to get everyone to hate the one force that could possibly stop all that--proper (in the interests of the people) government regulation.

Were it not so tragic, it would be even more amusing to watch people complain about "big government" willingly step into the TSA's porno scanners, support indefinite detention of whoever doesn't look like them, and generally engage in their fawning behavior over the ever-militarized police forces who truly occupy our cities and our streets. It is "law enforcement", which is almost never used against the rich and corporate, that is the greatest threat to freedom, liberty, and especially life these days, and yet that's the one part of government these morons never seem to question. "Law enforcement" has tried and will continue to try to bring this and many other evils to the US, and that sort of thing must be stopped at all costs.

Re:Tor, China and the USA

[Toonol]

things like the death penalty, an appallingly bad judicial system, a broken political system in Washington, Guantanamo bay, etc.,

Those may all be bad (and they may not), but they have nothing in particular to do with fascism.

Re:Tor is designed to be easily censored

[nurb432]

Ultimately, FreeNet is more about publishing 'sites' than sharing files ( tho i agree it can do both ), and if we waned to help out our oppressed brothers, we would mirror 'outside' sites on FreeNet. Even setup auto run scripts to do it.

And while its not been done yet, i don't see a technical obstacle why a "gateway" couldn't be created that sucks in outside data and inserts it into FreeNet, on demand. I also don't see it compromising security, except for the guy(s) running the gateway, in a presumed free country. Once its inserted, its just as secure as any other traffic.

direct that somewhere else

[s.petry]

I have no idea why you are on a tangent accusing someone else of wanting censorship. The point was that your rant (now two of them) is being directed at technical people in the US, not the Chinese Government.

How about writing mean letters to the Chinese Government, or getting involved in Politics instead of ranting here on /.?

Trust me, personally I'm not for anything that China does. With out of control IP laws, rampant corruption, and pay-for-politics in the US we have a shitload to worry about at home. With things like SB1867 being passed on 1/31/11 by our President, and now the big push for SOPA we are on our way to becoming a whole like like them.

Oh.. one more thing.. The US Government will not censor anything like you mentioned. What better way of distracting people from the fucked up shit they are doing than to spoon feed people stuff like that?

ssh tunnel on nonstandard port

[gatkinso]

This seems a bit obvious... does anybody know how much luck folks have had with this method?

Re:ssh tunnel on nonstandard port

[peterindistantland]

This definitely work. I have no problem using SSH even on the standard port in China. Since ssh is encrypted, deep packet inspection is useless, unless they ban SSH altogether, which they don't.

Re:ssh tunnel on nonstandard port

[lakeland]

It works, though it stands out like a sore-thumb.

Re:ssh tunnel on nonstandard port

[gatkinso]

I guess any traffic they can't inspect would be suspect.

this could be bad?

So if they can inspect in real time, is it possible that them letting the connection go for a few minutes means they are collecting the tor bridges data, and other data like exit points before they terminate?

Re:Fear & Lolling

[PiSkyHi]

Conversely, if you can access global information from within China and its still just a blacklist of IPs, then a VPN can always get through.

no, not porn

[circletimessquare]

the grass mud horse ;-)

http://en.wikipedia.org/wiki/Grass_Mud_Horse

Re:Wireless?

[Bert64]

The countries bordering china are generally not good choices for where you'd route your connectivity... Some of them even use china for connectivity themselves. And the border region with some countries is either very sparsely populated, or filled with mountains that would block your wifi signal.

spam/trespass steganography

[drwho]

It used to be that firewalls and filters would search out malicious connections attempting spam or attacks and drop them. But in Soviet China, it's the opposite. So disguise any connections to Falun Gong website as spam or worse, and they GFW will be sure to let it through.

Re:Fear & Lolling

[icebraining]

Using a VPN service advertised on popular websites seems akin to buying drugs from a guy who advertises at the local police station.

Re:Tor is designed to be easily censored

[icebraining]

Those "sites" are still just static files; you're not establishing a connection to the original server to view them, just accessing what was pushed into other peers.

You could push data from the web into FN, obviously, but you can't simply proxy it.

Why

[ThatsNotPudding]

Why does all this remind me of the province of Quebec? Hmm.

It had to happen eventually

[ALeader71]

As with any war, maneuvers lead to counter maneuvers. Escalation leads to further escalation. The only way to end a war is either by choice (as we did in Vietnam and now in Afghanistan), out maneuvering your enemy (siege of Stalingrad, battle of the Bulge), or if the enemy destroys its own credibility with the people (Iraq insurgency movement).

So good going China, you've managed to shut down TOR. I'm sure you have shared your successes with other "Great Firewall" regimes and those who desire "Great Firewall" status. But those who created TOR gained legitimacy, so they will be back with better weapons and in greater numbers.

Face: So what happens when...

[zooblethorpe]

For those unfamiliar with the concept "face", it's the social equivalent of getting modded -1

So what happens when you lose Facebook? It's been so long since I logged in, I've forgotten how. Does that mean I get modded -1000000000?