China Tells Carriers To Block Access to Personal VPNs By February (bloomberg.com)
China's government has told telecommunications carriers to block individuals' access to virtual private networks by Feb. 1, people familiar with the matter said, thereby shutting a major window to the global internet. From a report: Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives. The clampdown will shutter one of the main ways in which people both local and foreign still manage to access the global, unfiltered web on a daily basis. China has one of the world's most restrictive internet regimes, tightly policed by a coterie of government regulators intent on suppressing dissent to preserve social stability. In keeping with President Xi Jinping's "cyber sovereignty" campaign, the government now appears to be cracking down on loopholes around the Great Firewall, a system that blocks information sources from Twitter and Facebook to news websites such as the New York Times and others.
How will business users be impacted, since they will typically need to use a VPN if working remotely?
At the same time I wonder how long it will be before the mouse works out how to camouflage the VPN access? It really is a cat and mouse arms race.
Jumpstart the tartan drive.
President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.
The biggest surprise here is that this loophole hadn't been closed down years ago.
"That's the way to do it" - Punch
If half the people of China said something like 'I've had enough of this b.s.!' and started burning down police stations and stuff. A bloody revolution to be sure, but what if China became the new leader of the free world? What if democracy, at least by the standards of the supposedly freest nation currently in the world, was in place in China?
captcha: astatine
Whenever something unpleasant happens to human rights online, a lot of people shout, "Just use a VPN, and all your problems are solved!"
In a small way, they're not wrong. But this misses the big picture: VPNs are few and easy for centralized authorities to block. The ultimate answer cannot be narrow and fragile circumvention measures. It has to be a robust, decentralized, and authoritarian-resistant internet architecture. It needs to be all-or-nothing: either authoritarians block the entire internet, or none of it, because all content is safe from snoops and they cannot tell the things that please them, from the things that displease them.
VPNs are at best a fragile workaround for a systemic problem. And what's happening in China can easily come to the USA and Europe, because terrorists and because the children. The technical community has to take back the internet, before it's too late, or we will have lost the most important revolution in human communication to happen since the printing press to authoritarians.
This is needed to keep us safe and MAGA!
Network engineer here. My theory is that any blocking attempt where the users seek to avoid being blocked is doomed to fail unless literally no traffic of any kind (even DNS etc.) is allowed through. This is because all serious network kit uses ASICs to achieve acceptable performance at the cost of flexibility, but all the endpoints are CPUs that are inherently flexible. If the users have an orchestration system that allows the developers to change the protocols as and when, and they play to the weaknesses of ASICs, the network vendors will never be able to keep up. Anytime you let any traffic through whatsoever between two parties you don't fully control, it's game over for your perimeter. Hurray!
...what are they afraid of them learning on the open internet?
With all the fake news and kitten videos coming out of America these days, you can't blame the Chinese for clamping down to help increase productivity.
So, SSH tunnel next? If they block that, wouldn't it be blocking all SSH access? That would mean severely reduced use of foreign hosted servers.
Also, if they block VPNs, then the people will just start tunnelling over SSH. Can they block all VPN and SSH connections? That would basically disable a huge portion of the internet.
They don't have to. They just put you in jail or worse if they catch you using a VPN.
...as Vint Cerf intended, the intelligence and computational power is at the network edge. Fundamentally, the user can spare more processing operations obfuscating their data to sneak it through than the network can spare classifying traffic. The battle can't be won by anyone other than the users, unless the network is disconnected altogether.
Hello there, network engineer. Tell us more about how a DNS VPN can be made impractical by limiting the size of responses to less than 500 bytes and limiting the rate of queries to 1 query per second. Sure it's not blocked entirely but nobody will use it under those conditions.
...what are they afraid of them learning on the open internet?
It's a phobia that is similar to the frothing at the mouth defenders of the US Constitution's second amendment. They feel if they give even an inch that it will become an unstoppable force that ultimately destroys them thus they must not let up in allowing even the most minor of concessions. People can be reasonable but some individuals just aren't.
Anons need not reply. Questions end with a question mark.
"The government now appears to be cracking down on loopholes around the Great Firewall, a system that blocks information sources from Twitter and Facebook to news websites such as the New York Times and others."
So China is protecting itself against communist, leftist, progressive, NWO fake news? Are they "MACA" (Making China Great Again)?
As for the inevitable snowflake trolls that will moderate this down - Are you familiar with the concept of self-fornication?
"I say we take off, nuke the site from orbit. It's the only way to be sure."
Why wouldn't they? After all, our president is stating that most of the news is fake news.
Yes.... that's exactly what it is like.
People in the United States defending themselves and their rights from encroachment by the state is exactly the same as the Chinese state encroaching on the freedoms of its citizens.
Excellent example of goodthink, citizen! Keep up the good work! In fact, you keep working at this level, you'll be the next Handicapper General.
Welp softether is going to explode in use in China. Its VPN looks exactly like HTTPS and runs on port 80/443. Drop it on a $5 linode or other such VPS. It would be very hard to tell that is not plain HTTPS traffic.
China is playing an open-ended game of Whack-a-Mole with its citizens, with the global Internet as the venue. It's obvious that Chinese citizens want free and unfettered access to the Internet and all the information on it. The communist Chinese government can keep trying to deny them, but just like with copy protection schemes, DRM, and all other censorship-like things, people will find a way around it.
Memo to Communist Chinese government: You can't stop the signal. You're going to fail; it's inevitable. Why not give up now, and stop oppressing your people? When the revolution comes, are you going to change, or are you going to fight the future, and go the way of Bashar al-Assad and start slaughtering your own people en masse? It's up to you how History will view you, China. Choose wisely.
Just recently it was reported that China will start censoring videos on certain video platforms, taking down content that criticizes the government or depicts LGBT people. http://www.independent.co.uk/n...
People were saying it wasn't a huge deal because citizens "mostly use VPNs anyway" to access foreign videos, but this kinda throws a wrench in that plan.
This looks a lot like what happens in mid-eastern countries like Saudi Arabia, where you can get fined $50K US for using a VPN. It isn't a security issue so much as they do not want people not paying the local voice carriers the $6 US/minute or whatever for voice communications. The owners of the carrier are typically relatives or close business associates of the ruling government.
China of course want to monitor online political activity so they want to make sure that nobody can post online content anonymously. I suspect even with them that is the second reason.
The more will slip through your fingers...
China will eventually be faced with the prospect of just disconnecting from the rest of the world or giving up on censorship. Depends on if they want to turn into a huge version of North Korea or not. I'm guessing, not.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
If the Chinese authorities are so worried about losing social stability, maybe they could educate the people in the media studies and critical thinking so that they didn't believe everything that is written? Oh, wait. The authorities want the population to believe anything that they write..
Go to AWS/Azure/cloud provider du jour, grab a Linux desktop, connect via SSH, connect to the desktop and Bob's your uncle. Are they planning on blocking AWS and *all* the cloud providers? If they do they will disable the entire internet - including their own businesses.
This is just stupid and amazingly typical Communist crap. It seems like the Chinese would have learned *something* from the fall of the USSR.
I've never actually met anyone in the US with a firearm who used it to defend themselves or their rights from any kind of encroachment from any state, least of all the US government. I can guarantee that if they tried it would not result in an outcome they'd enjoy.
Any Chinese person I know would scoff at that threat, only Americans are so dedicated to law and order.
Americans aren't the ones with the giant firewall. (Our government is more subtly evil in how it spies on us) You seem to have missed the point. The point isn't that the Chinese government will catch everyone, merely that they will deter VPNs through threats of jail and/or other punishment. I'm sure lots of people will ignore the laws but the stakes just got higher.
Breaking the law is a way of life in many places (and in some places in the US, ask any NYer).
Every citizen breaks the law dozens of times a day. Nevertheless the punishments for some "crimes" are much harsher depending on the locale. China punishes some stuff harshly that wouldn't even be a crime in the US, particularly political dissension.
...what are they afraid of them learning on the open internet?
All kinds of things. But they are actually more afraid, believe it or not, of the power of social media to encourage wild cat demonstrations against the government. The main job of the CCP (Chinese Communist Party) is not really to make China better. They do want to do that, but the main job is to protect the CCP itself at any cost. Did you know that the Chinese constitution (yes, they have one) actually has something in it pledging the military (so called People's Liberation Army) to protect the CCP? Not the country. The CCP. Anyway, things China doesn't want its citizens to know, include...
1) The truth about the government suppression of the 1989 Tiananmen Square protests. By the way, these are known in China as "the student protests of 1989" or "the student protests of June 1989". If you use the term "Tiananmen Square protests" to people raised in China, they may not know what you are referring to.
2) Anything at all about Falun Gong. Different sources disagree on exactly why the PRC (People's Republic of China) has a problem with it, but it may mostly be because it showed years ago a very strong ability to have large numbers of protesters show up and the CCP fears being overthrown in a spontaneous revolution.
3) Information about corruption by government officials and their family members as it threatens the stability of the CCP.
4) Any meaningful contact and knowledge of Taiwan beyond the superficial because greater knowledge of Taiwan's democratic processes are a threat to the CCP's very existence.
That's not a complete list but it'll do for here. You can see a general thread of paranoia in everything that the CCP might be overthrown quickly by a spontaneous protest that spins out of control faster than the PLA can stop it (and some members might join in anyway). It's not really aimed at secret keeping so much as making sure people can't organize to overthrow the government.
Don't give Theresa May and Amber Rudd ideas.
The majority of the people here are now using VPNs with pre-shared key and AEAD ciphers (e.g. ChaCha20 & Poly1305). Combined with header obfuscation, it is nearly impossible for carriers to block those VPNs even with deep packet inspection.
Sounds like Japan.
Zone Transfer.
This is how one DNS server shares its list of DNS entries with another. The transfer could also include a bunch of TXT records with cleverly included "certificates" as part of its payload.
I am thinking all that Facebook has to do to make WhatsApp global would be to sponsor one of the root servers that can use UDP 53 with cleverly encoded TXT records for the transaction. It would also work for DNS delegation where direct connections are not possible.
The Roman Rule: The one who says it cannot be done shall not interrupt the one who is doing it.
Not a network engineer here. The point is to deny the Chinese citizens access to foreign VPN providers. You do that by just blocking all traffic to the IP addresses those VPN services use. There is no reason why you would allow any traffic whatsoever to those IP addresses.
I am sure they can spare a couple of people to maintain the block lists.
Zone transfer uses TCP, and TCP 53 can be blocked entirely since normal queries don't need it. When your TXT queries are limited to 500 byte packets, accounting for overhead you have about 300 bytes left for payload. Rate limiting to one query per second limits your throughput to 2400 bits per second. Have fun with that.
"orchestration system"? What on earth are you talking about, that won't solve anything.
Real System Engineer here, this has already been happening for years. China can and does block VPN users, it's just they don't have a complete crackdown on it yet. We _do_ have employees in China who are kept behind internal walled gardens due to that.
In case anyone else has been asleep the last 10 years, VPNs are very easily detectable, as is SSH. The problem is with the initial exchange, it's all in clear. Try it, mitm an ssh between two hosts, you'll see a banner like
Edit: Appears Slashdot eats this with packet headers.. trimmed.
Followed by at least three other packets while the negotiation happens. There are in total at least a dozen strings one could trigger on. It's all by design too.. And yes, HTTP has the same problems.
This idea that VPNs are somehow an answer to censorship is ridiculous. The very organization who were supposed to prevent these kinds of BASIC attacks, shrugged it off either because they were paid to undermine it, or incompetent.
Captcha: privacy.
limiting the rate of queries to 1 query per second.
Great, now every web page takes several minutes to load by the time you look up all the caching servers, ad networks, and social network scripts.
This is what evil commie dictatorships do
Correct; SSH is easy to detect. I've got a scrambler that's not quite so easy to detect that takes $20 a month to keep open on one of quite a few VPS hosts so I can move it around all I want.
Yes it looks like line noise. Yes you can detect line noise. No you don't want to do that. I'm willing to look like the middle of a resumed SSL session.
So relax the rate limit for queries that can be answered from cache. The addresses of web sites and ad servers and social networks are already cached. Ephemeral data packets for a DNS VPN are deliberately not cached. In fact you could break most DNS VPN by refusing to relay an answer to a query when the answer from the remote DNS server contains a TTL of zero.
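The resolver-side policy described in the comments above (responses capped at 500 bytes, answers carrying a TTL of zero not relayed), written out as an added example that is not part of the original thread. Function names, the decision strings and the sample messages are constructed for illustration.

```python
import struct

MAX_RESPONSE_BYTES = 500  # size cap quoted in the thread

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def answer_ttls(msg):
    """Return the TTL of every answer record in a DNS message."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    ttls = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        _type, _class, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("RDATA runs past end of message")
        ttls.append(ttl)
    return ttls

def relay_decision(msg):
    """Apply the two rules: size cap first, then the zero-TTL check."""
    if len(msg) > MAX_RESPONSE_BYTES:
        return "drop: oversize"
    try:
        ttls = answer_ttls(msg)
    except (IndexError, struct.error, ValueError):
        return "drop: malformed"
    return "drop: zero TTL" if 0 in ttls else "relay"

# --- constructed sample messages (not captured traffic) ---
def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(qname, rtype, ttl, rdata):
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer

TXT = 16
cached_a = build_response("www.example.com", 1, 300, bytes([192, 0, 2, 10]))
tunnel_txt = build_response("q1.t.example.net", TXT, 0, b"\x08cGF5bG9h")
big_txt = build_response("q2.t.example.net", TXT, 60, (b"\xc8" + b"A" * 200) * 3)

if __name__ == "__main__":
    for label, m in [("cached A", cached_a), ("TTL-0 TXT", tunnel_txt),
                     ("603-byte TXT", big_txt), ("truncated", cached_a[:20])]:
        print(f"{label:14s} {len(m):4d} bytes -> {relay_decision(m)}")
```

An ordinary cacheable answer passes, while the zero-TTL, oversize and truncated messages are each dropped for their own reason.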
As a frequent traveller in China :
1) Incorrect for the people I deal with
2) As above
3) To some extent, but it is still discussed
4) Taiwan is a funny thing, but I discussed it many times, and the locals seem well informed. ( I am often in Xiamen, very close to Taiwan - in viewing distance...)
BTW: All major hotels in China have their own VPNs, so I can access EVERYTHING when on the hotel network. Be it in Shenzhen, Qingdao, Xiamen or Ningbo....
I will wait to see this go away.....Won't happen....
You don't have to block 100% of the traffic. Just 5-10% (with logging) can be a sufficient deterrent. About the only way around it is a peer-to-peer network on both sides of the firewall where the amount of external data transfer is limited, but they don't necessarily need to allow local VPN traffic either.
China has also just started a program that makes it very hard for foreigners to renew their residence permits too. They are starting to use a point system that is all but impossible for most of the foreigners to be eligible. The Resident permits for all non-Han workers have been one year permits; so there is a near exodus of foreign workers going on right now.
You should be able to stealth your VPN behind a legit appearing website.
Same IP, same port
Shut up APK.
We all know it is you Mr. Kowalsky.
This is your brain on drugs.
Take your own advice asshole & stfu. I have nothing against homosexuals. It's THEIR business what they do that way (I am not one of them though, so you know).
* HOWEVER - Do I think what they do is unnatural? Yes, I do. Screwing another man up the ass is not how it works for reproduction, the REAL "bottom-line" (PUN INTENDED) on what sex is truly about.
APK
P.S.=> Unbelievable - see subject... apk
It's not the internet in particular... it's any outside influence.
China has a loooong history of xenophobia and a "we're the best" attitude for centuries. With an interesting history, culture, natural resources, inventions, and centuries of amazing dynasties it is understandable China would be happy with itself. But when visited by the rest of the world (around 1500ac), China was abused and their culture dismissed. So they doubled down on their xenophobia- certain they were right and outsiders were wrong.
It continues to this day. Literally cannot shake this cultural phenomenon. I know of many Chinese living in one country, working, owning property, and even having citizenship in this other country- yet are reminded very often that they will marry another Chinese, and do so in China. Then they can return to host country. But not to marry a local. Unless they want to be 'counted out'.
I'm still waiting for the stats that show how many people were saved by possessing one. And for the videos of the people with bullets bouncing off their guns while the guns protect the people.
As the IT manager at a company that has a sister company in China this sucks. As it is they block DropBox, OneDrive, Google, etc. which makes transferring large files a pain in the ass. They are also trying to force everyone to use WeChat which I don't trust at all, so I'm expecting Skype to have even more issues than it does now when using it in China. They really make life hell for IT who have to deal with them and this will be the icing on the cake. I don't understand how they intend to do business globally if they keep making it so difficult to deal with all the restrictions.
So relax the rate limit for queries that can be answered from cache.
Whose cache? Does China already block the use of 3rd-party DNS servers?
MAKE A CHINA AGAIN
The ban likely won't affect hotels. Those who stay in hotels are either foreigners, or rich enough to be content with the CCP's rule.
Most likely, the ban would affect the more rural areas, where there are still many poor and ignorant, who may easily be swayed by what they see after getting on the net. Riots and disturbances sparked by social media are what the firewall is aimed at preventing.
It's a phobia that is similar to the frothing at the mouth defenders of the US Constitution's second amendment.
If you don't like the constitution, change it. But it sets a dangerous precedent to want the government to selectively ignore parts of the constitution that you disagree with.
Only foreigners or CCP lackeys stay in hotels? Are you an idiot? China builds a new hotel every few days. Regular people can easily afford a hotel stay.
Yes. A government wanting to control its citizens is totally the same as another country's citizens not wanting to be controlled by their government. Wait... Huh? No. They're not at all the same.
If VPNs are banned then only criminals will have VPNs! Vive le revolution!
So China hasn't dominated almost every single market? You'd better tell Donald it was all a misunderstanding and there's no need to contain China after all.
2400 baud? You mean the BBS or internet Dialup circa late 80's? Oh yeah, NOBODY used that... lol
communism is a horrifying scaled-up version that makes it mandatory and only rewards a government class
Wrong, 'Communism' (as used by Marx) is by definition a social-economic arrangement in which the State no longer exists. That's largely what distinguishes it from 'Socialism' (in its particular Marxian meaning): which is the proletariat, as the "universal class" under Capitalism, seizing the Capitalist state apparatus and establishing a dictatorship with the aim ultimately of undermining the state's very existence thus leading to Communism.
The poster above was wrong when they wrote: "Marx believed communism wouldn't be viable unless it was part of a democracy. It was later communists who came up with the "state" owning things "on behalf of" the workers ..." --Marx definitely described the state-based Socialist stage of development (he went so far as to endorse the term Dictatorship of the Proletariat, as a necessary precursor to Communism). [Note that the states established by the Communist Revolutionaries were called "Socialist" Republics, not Communist Republics ... you now know why].
The theory of the state simply "melting away" to bring about Communism is whacky enough without all this ignorance being thrown into the ring. People should read Marx first and then pontificate or critique it.