Behind the Great Firewall: What It's Really Like To Log On From China

alphadogg (971356) writes China makes headlines every other week for its censorship of the Internet, but few people outside the country know what it's like to live with those access controls, or how to get around them. This IDG News Service writer has lived in China for close to six years and censorship has been a near constant, lurking in the background ready to "harmonize" the Web and throw a wrench in his online viewing. It's been especially evident this month. Google's services, which don't follow the strict censorship rules, are currently blocked. How long that will last is unknown, but it coincides with the 25th anniversary of the Tiananmen Square protests earlier this month — an event the Chinese government wants no one to remember.

You Can Help

[rotorbudd]

Just run a Tor obfuscated bridge.

Re:You Can Help

[rotorbudd]

The bridge isn't running in China, the user connects to it from China.
Here's a little info https://www.torproject.org/doc...

Re:You Can Help

[Nimey]

Yes, and here's how to do it:
https://www.torproject.org/pro...

I've been running an obfuscated bridge for about a year now. Setting up was pretty easy and it's been pain-free since then, especially since bandwidth usage limits can be set.

For the uninitiated, a bridge is basically an unpublished entry point into the Tor system; unpublished means you have to send an email to or visit a certain server to be given the address of just one rather than being in the directory for all to see at once, meaning that it's harder for a censor to block. An obfuscated bridge also runs the obfs proxy, which attempts to hide Tor traffic from monitors like the Great Firewall.

Re:You Can Help

[murdocj]

You don't get it, do you. If you were in China, this discussion wouldn't be happening, and simply for posting here you could be in jail.

Re:You Can Help

[Fuzi719]

Last year the GFW began blocking OpenVPN connections. Many VPN providers were blocked, their DNS entries erased from the standard DNS servers that the Chinese ISPs use. The way around that now is to hardcode a DNS server like OpenDNS or Google DNS and to use PPTP or L2TP VPN connections. I can attest that those still work, I was back in China over the Chinese New Year holidays. I was able to use VPN on my laptop connected to a Shanghai ISP as well as on my Android phone using China Mobile HSPA+ data.

It's a little like Fight Club...

[Zanadou]

As soon as you talk about how to get around the Great Firewall of China...

...that method suddenly stops working.

(Somewhere in Beijing, a Zman adds "*.astrill.com" to the blocklist.)

Re:It's a little like Fight Club...

Nonsense.

Here is how you get around the "Great Firewall of China":

ssh -D1234 some.server.outside.china.which.you.rented.com

There, you're done. Yes, that really works, and if you're a tourist, the chances of really getting into trouble over that are, well, not huge. Some system will notice, somewhere - but you'll be gone after two to four weeks, anyways. It's not hard to get around the firewall - it is hard to get around it for a long time without showing up on the radar.

The real, main reason why the Great Firewall works is that it has the threat of legal consequences backing it up, that there is the real (or, something that is nearly as good, imagined to be real) chance that somebody will start asking you questions about what you are doing, if you are tunneling out or such. The other reason why the firewall works is that an average user will not bother - effectively, you block some website in the major ISPs DNS servers and have google remove it, it is out of sight, out of mind for the _vast_ majority of the population.

so it's like a work or school network

So it's like a work or school network that covers an entire country. "Few people outside the country know what it's like to live with those access controls, or how to get around them," is total crap. Many, many people know exactly what it's like. Plenty of people outside China have been fired, expelled, or jailed for getting around access controls. Kids today are spoiled brats who grow up with home Internet and no restrictions as long as mommy pays the Internet bill. They have no comprehension of what it was like to have school or work be the only Internet access available.

Much adu about nothing

[ebonum]

I live in China. Everyone I know hops the GFW with ease. It is a non-issue on laptops and cell phones.
These guys have a storefront in Shanghai:
http://vpninja.net/
You go to the store, you pay in Chinese currency and they give you a log in. It is fast and reliable.
Lots of people I know use Astrill. (astrill.com)
Of course anyone who is actually worried about security will set up their own server abroad and use putty or OpenVPN to access YouTube.

Re:Much adu about nothing

[whoever57]

Of course anyone who is actually worried about security will set up their own server abroad and use putty or OpenVPN to access YouTube.

The last time I was there, OpenVPN connections were being blocked, while openvpn had worked perfectly 6 months earlier. In fact, on that trip, all attempts to run openvpn over UDP appeared to be blocked (I even tried port 53). I found that ssh (tcp/22) was not being blocked and used that. Later I found suggestions that playing with the MTU of the openvpn traffic would avoid the blocking.

Another time, dropbox packages for Linux were being blocked, but not the dropbox service.

Summary, GFW blocking is inconsistent and changes day by day.

There is no Great Firewall:

[Hartree]

"And we'll block any web site that says there is!"

I'm in reading this from China right now.

[Bleek+II]

I'm a chemistry teacher at a private school in Kunming, China. I use a VPN to get around. First of all half the battle is the terrible infrastructure here. I use a VPN to access everything I need to but I am constantly in a battle to stay connected with my 1Mb/s 500ping connection. If you don't have a VPN you are pretty crippled for most common sites like Google and social media. BTW Slashdot works fine without a VPN.

Re:I'd like a VPN in to China...

[Zanadou]

Not exactly what you're asking for, but similar:

http://www.blockedinchina.net/

http://www.greatfirewallofchina.org/

http://www.websitepulse.com/help/testtools.china-test.html

http://viewdns.info/chinesefirewall

Agreed

I've spent some time in various parts of China. I simply set up 2 AWS micro instances running SQUID listening only on localhost and then ssh tunneled my laptop into them (I set up several ports for sshd to listen on just in case they blocked one or more). Had no problems. This has been known to work for quite some time reliably. Now and then you'd get a slowdown or your connections would drop, but overall it worked fine. Fire up your SSH client, use the -L option to tunnel a local port over to squid (and the -p option if you need to use an alternate ssh port) and you are all set. I upsed 2 machines just in case they got wise to the first one I'd have a fallback, but they didn't bother it.

Now, a friend of mine that used this technique set up a machine in his basement, and some nice chinese hackers broke into it and rummaged around. So you may find that you COULD get some attention this way, and you probably want to be not-too-foolish about how you utilize your nice little door to the world. In my case I just used it to browse my favorite sites, do some email, and a few things like that.

Its also worth noting that the GFW doesn't seem to do much with non-http protocols. It is known to block most VPN software, but Skype for instance works fine (though again, I wouldn't count on it being safe from prying eyes, and skype is known to leak certain types of information).

Honestly, I think Chinese internet sensorship is intended more to control the information flow INSIDE China and stop people from getting together and DOING anything political. They rarely bother about what people SAY, as long as it isn't "lets get together and club some Communists over the head tomorrow". The other danger is if you talk about specific people, like local officials. Anything that sounds like an actionable complaint is probably unwise. Idle talk OTOH? I don't think they care that much. They might delete it, but basically only a small fraction of Chinese people are stupid enough to bother saying anything like that, or have the time and energy for agitation vs finding gainful employment and some sort of living situation.

Noscript helped a lot

[Giant+Electronic+Bra]

A LOT! I don't want your average bozo website running any script on my machine anyway...

Re:How to beat censorship in china.

[Giant+Electronic+Bra]

Yeah, good luck, your lifespan is measured in days. If you are careful and lucky you can complain about SOME things, and people do let their opinions be known about GENERAL things "its very polluted here, this should be fixed!" or "food is too expensive!" etc. The government is pretty sensitive about public opinion up to a certain point. It is just always hard to tell if they will react to your complaints by fixing the problem, or killing you.

Re:meanwhile, the west buys the same mechanisms...

[Giant+Electronic+Bra]

Well, the women are awesome. The rest of it? Sure, the government is pro-business and pro-capitalism, except its THEIR business and capitalism. In China the govt officials are the ones with the money, and LOTS of it. Corruption is astronomical. Unless you're in cahoots with some guys with a lot of 'face' you aren't going anywhere, and you can bet they get the fillet mignon cut of whatever you build. It makes the tax rates in the US quite equitable. There's LOTS of red tape too, though of course again how much that matters depends on whom you are connected to. The middle class in China is microscopic. If you were in downtown of a tier 1 city then you might get the impression, surrounded in your nice westerner bubble, that there were lots of well-off people around, but if you actually went out and met the regular Chinese people and talked to the people serving you food and selling you things and made friends with them you'd find out that life for the average chinese is pretty rough. Now go out to the countryside, or even tier 3 cities (prefect level towns for instance) of which there are 1000's and you find there's only a very small veneer of 'middle class' people.

As for the economy being 'robust', the banks all collapsed in the late 90's, ALL of them are insolvent. Most of the major businesses, same thing (the state owned ones). There's a whole zombie financial and economic sector that is just propped up with tax money or patronage in some form or other. There are a lot of businesses, yes, and a huge export sector, lots of growth, etc. There is also 300 million underemployed people, etc. The realestate bubble in China is 10x the size of the US one, and its teetering right now. Frankly I'm out, and I'm getting my g/f out too before something busts loose and it goes down like the US did in '07. Even the big financial analysts are looking pretty scared now. Housing is slowing and China is going to have a big bump.

What's this internet thing you speak of?

[evilviper]

few people outside the country know what it's like to live with those access controls

It seems a strange sentiment to express, on a technical site.

I've never been to China, and yet I know EXACTLY what their internet access is like. Anyone here can find out for themselves in 10 minutes flat, by hopping on a proxy located in China, and surfing around.

The only extra bit of knowledge that I gained through my extensive time dealing with it, is how incredibly random, frequently changing, and therefore frustrating and utterly-pointless the IP bans are. Send enough traffic over an IPSec tunnel in a short enough period of time, and expect it to be suddenly blocked one day, only to work again in just a few days.

Re:What's this internet thing you speak of?

[kamapuaa]

Send enough traffic over an IPSec tunnel in a short enough period of time, and expect it to be suddenly blocked one day, only to work again in just a few days.

This. It's totally arbitrary. Also it's a two-tier system, where many things are easily proxied around, while some sites (pornography, Falun Gong, Tian'anmen) can't be.

I think mostly the point is to inconvenience and be protectionist rather than block. Sure you can get on twitter if you really want, but your average Joe in China doesn't want to bother figuring out proxies just to get some stupid cat picture, so they turn to Weibo or some wannabe-twitter site like that instead.

The Grass-Mud Horse Lexicon

[PapayaSF]

Another way the Chinese evade censorship is to use oblique terms and references, many of which are quite funny. The Grass-Mud Horse Lexicon is a compilation of them. (In Mandarin, "grass-mud horse" sounds very close to "fuck your mother" and is a way of evading and poking fun at censorship of vulgar content.)

Re:The Grass-Mud Horse Lexicon

[Rick+in+China]

Tried tested and failed. China constantly cracks down on new 'evasive' methods of communicating. This year they used tons of other phrases, and were promptly blocked, like "this day" or "may 35th" or "that day" or "spring to summer" or other various 'elusive' terms...blocked. In addition they tried to hide messages in porn. This is all part of the tit-for-tat that, well, often just ends in more and more blockage and nothing more.