China Tells Carriers To Block Access to Personal VPNs By February

China's government has told telecommunications carriers to block individuals' access to virtual private networks by Feb. 1, people familiar with the matter said, thereby shutting a major window to the global internet. From a report: Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives. The clampdown will shutter one of the main ways in which people both local and foreign still manage to access the global, unfiltered web on a daily basis. China has one of the world's most restrictive internet regimes, tightly policed by a coterie of government regulators intent on suppressing dissent to preserve social stability. In keeping with President Xi Jinping's "cyber sovereignty" campaign, the government now appears to be cracking down on loopholes around the Great Firewall, a system that blocks information sources from Twitter and Facebook to news websites such as the New York Times and others.

Business VPNs

[Midnight+Thunder]

How will business users be impacted, since they will typically need to use a VPN if working remotely?

At the same time I wonder how long it will be before the mouse works out how camouflage the VPN access? It really is a cat and mouse arms race.

Re:Business VPNs

[CastrTroy]

Also, if they block VPNs, then the people will just start tunnelling over SSH. Can they block all VPN an SSH connections? That would basically disable a huge portion of the internet.

Re:Business VPNs

[Rick+Schumann]

They very obviously want to tap in to all business communications as well, so much the easier to steal industrial secrets.

Re:Business VPNs

[squiggleslash]

I think we have the same term being used for two completely different things. It's technically possible ISPs will go overboard and ban both "VPNs - commercial services offering proxies" and "VPNs - connections to business's private networks", but it'd be a little like Congress deciding to take action on "Hackers" by passing a law banning IP spoofing, exploiting stack overflows, and the sale of axes and machetes.

Re:Business VPNs

[s.petry]

China does not allow access to that huge portion of the internet. That is the whole point of their great firewall. Not protecting citizens from bad memes and crude jokes, but protecting themselves from dissenting views being visible to their people.

This is how authoritarian regimes work, and nobody should be surprised. It's a great reminder for the rest of us, for when our whackadoodle politicians start claiming they want control.

Re:Business VPNs

[danlor]

Not only can they... They currently do. You would not believe how much it costs me to work around this, and how little I get in return. It would shock you even more to see how valuable it is.

Re:Business VPNs

[Bob+the+Super+Hamste]

Not protecting citizens from bad memes and crude jokes, but protecting themselves from dissenting views being visible to their people.

Which is why I now like to ask the people working in calls centers in China when they call trying to scam me:
If they are aware of the book sellers in Hong Kong that have turned up in mainland Chines jails
If they know that Tibet was a sovereign nation until it was invaded and now its native population is being replaced.
If they are aware of the Uyghur issues
Asking if they know about the June 4th incident or the student protest of 1989 in Tienanmen Square.
Personally I am hoping to get the Chines government to shut down these scam call centers by bringing up issues it doesn't want discussed as there is a whole list of things one can bring up. Anything else is a side benefit.

Re:Business VPNs

[jbmartin6]

I work for a business with offices in China, and the users there VPN into the local office then use the WAN to the US. They could do the same for Internet by using the US side proxies instead of the China side. AFAIK there aren't any blocks or monitors over that path, it's all encrypted by the business. I have always felt the "great firewall" was more about protectionism for Chinese companies than any expectation of a viable information wall.

Re:Business VPNs

[cciRRus]

We get many such scam calls from China, but all of them are in Mandarin. I'm just wondering they have upgraded themselves to speak to you in English.

Re:Business VPNs

[piojo]

And are you aware that very same book seller (singular) has been freed long ago, went back to HK, and then after engaged in some anti-China publicity, suddenly got a big bunch of money to open a new bookstore in Taiwan?

The Fake News Networks in the US is even more effective as brainwashing people than the Great Firewall of China.

What are you talking about? There were five, and they were imprisoned and forced into false confessions. FYI, I'm in Hong Kong. https://en.wikipedia.org/wiki/...

Re: Business VPNs

[silentcoder]

Most Chinese people never saw the videos we saw of what actually happened in that square. Show one of those to a Chinese person (one who hasn't been out of the country for very long yet)... look at their face.

The reason they don't care is because all they ever *saw* was a bunch of spoiled, rich kits shouting slogans. And then they were told that a few got injured when the police shut down the illegal protest to restore law and order. They never saw those kids being brutally murdered.

Re: Business VPNs

[nukenerd]

"Tianmen Square" was a big deal in Western media

In the UK the media focussed on an incident in which a demonstrator stood in the road in the path of a tank and the tank stopped. We were shown that clip over and over and over again.

I never did figure out the point that the media and UK politicians were trying to make. What crossed my mind was that if you did that in Whitehall you would be promptly run over by a car. But that would be OK as you would have been run over democratically.

Re:Business VPNs

[Aaden42]

Both SSH and all standard VPN traffic is distinguishable from unencrypted HTTP, SSL/TLS, and other traffic types. You need firewall gear that examines things like packet size & frequency, but the detection is reliable and fairly quick. It's not a complete block the way you can block an IP address or port from starting a connection in the first place. Within a few seconds of opening the connection, the traffic type is detected and the connection reset.

Add a little analytics to determine source or destination addresses that trigger lots of these detections, then outright block those, perhaps for a period of time, perhaps followed up by LEO action. Net effect should be a pretty consistent and effective block of out-bound tunneled traffic.

A dedicated & well funded attacker with privileged network position can in fact MitM and block any and all tunneled traffic with a high degree of success. China fits all the requirements to accomplish this.

On the road to revolution

President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.

Re:On the road to revolution

[Rick+Schumann]

President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.

Exactly my point.

Re:On the road to revolution

[93+Escort+Wagon]

But Broken Sword may convince Nameless that President Xi should not die...

Re:On the road to revolution

[erapert]

And if you consider the USA where the previous time was ~1860 we're only about fifty years away from it ourselves...

Re:On the road to revolution

[nukenerd]

President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.

Happens in all civilisations. So what do you expect Xi to do - say "OMG, I never knew that!", and top himself?

Biggest Surprise

[Oswald+McWeany]

The biggest surprise here is that this loophole hadn't been closed down years ago.

Re:Biggest Surprise

[HornWumpus]

Chinese leadership is getting desperate, losing contact with what is and isn't technically possible.

They will be playing 'whack a mole' until they 'declare victory' and give up.

Re:Biggest Surprise

[geekmux]

The biggest surprise here is that this loophole hadn't been closed down years ago.

Since the concept of connecting to a private network and alt-routing around infrastructure has existed since the days of dial-up concentrators, I'd say this delay is more political than anything.

Re:Biggest Surprise

[wvmarle]

China has been going after and is already blocking lots of VPN services. But of course all the time new such servers will pop up, new domain name, new IP address, and the mainlanders have their connection back.

How will they ever be able to block all VPN connections? They could of course start by blocking some common ip ports, but there's nothing stopping people from using a different port, e.g. port 80, and we're back to situation we have now, where they have to go hunt down server after server.

Re:Biggest Surprise

[loonycyborg]

They can do deep packet inspection and detect protocols, but it can be stopped by tunneling via some other protocol that can't be disabled, such as ssh or https. They can go for vpn services, but it's relatively easy to make new one after previous were shut down.

Re: Biggest Surprise

You obviously don't know how harmful communism is.

Re:Biggest Surprise

[wvmarle]

I thought VPN is encrypted pretty much by default already, making it hard to detect.

OK, maybe I used a wrong example with port 80 (http - unencrypted - can be inspected indeed), make that 443 (https). The outside observer can only see which IP it goes to, with no way to figure out what the content of the transmission is. With the world moving to https everywhere it's going to be hard to block that port. It'd also be an issue for all the local services that rely on encryption to remain safe.

Re:Biggest Surprise

[Strider-]

You don't need to know the content, you just do traffic analysis. A "Normal" https connection has a certain traffic distribution/fingerprint. An SSL connection is setup between the client and server, the http request is made, the content/object delivered, and the connection torn down.

SSL VPNs, even if operating over proper https and port 443, behave very differently. The connection is held open for long periods of time, and there is much more back and forth between the client and the server, as all further browsing connections are multiplexed through the tunnel. You don't need to decode the traffic or protocol to figure this out.

Anyhow, the point is that if you have DPI capabilities, it's pretty trivial to detect most standard SSL VPNs. Is it possible to develop a VPN protocol that would defeat this? Sure, and that's part of the game.

Re: Biggest Surprise

[SmaryJerry]

It doesn't matter if it is technically possible. The way Chinese government works is they make massive amounts of things illegal but only enforce the law when they want to shut up a dissident. The pro democracy journalist will end up with 10 crimes and 10 years behind bars while a regular joe never gets prosecuted.

Re:Biggest Surprise

[aaarrrgggh]

ssh can easily be blocked to the "outside." Pretty much any way you try to tunnel can be detected with traffic analysis, and it is a pain in the ass when you simply can't work. I had issues in Hong Kong a few years back when a VVIP was visiting and I was caught off guard.

Re: Biggest Surprise

[peragrin]

Communism isn't harmful. Singlular control of all resources is harmful. Restriction of ideas and speech is harmful.

Also nationalizing companies is also harmful. The same way monopolies are harmful. But limiting choices you let scum rise to the top and pollute the structure.

So governments can tax corporate profits but shouldn't get direct benefits other than taxation. That way other companies can come and go and losing one company won't break the country. See Venezuela and all other dictatorships were nationalized companies collapsed and took the country down too.

Re:Biggest Surprise

[Cajun+Hell]

I thought VPN is encrypted pretty much by default already, making it hard to detect.

You meant: making it easier to detect, right?

For all the plaintext connections, you can examine them and rule them out. (Countermeasure: hide your steganographic VPN here, so it gets ruled out. Downside: low bandwidth.)

Then all the remaining connections, you can't look at the contents but you can see if they happen to just keep talking to this one possible-VPN-endpoint all the time. Ah, this guy seems sshed to his linode all the time, constantly trafficking? That's probably a VPN. At this point you can bring in the $5 wrench to confirm/disprove the hypothesis.

Re: Biggest Surprise

[dddux]

What communism? Where? You mean China?! LOL That's not communism at all. There's no true communism anywhere on this planet and there never has been. Only capitalism and totalitarianism in modern times. Do you also still think Russia is a communist country? To much Fox news and bad movies, dude.

Re:Biggest Surprise

ssh can easily be blocked to the "outside." Pretty much any way you try to tunnel can be detected with traffic analysis

Indeed. Although I don't know any examples of countries that have done this, it would be fairly easy to set up a nation-wide ssh permit system. By default, the ssh protocol could be blocked by the national firewall. But if some business executives needed to ssh to a server outside the country, then the business could apply for a special permit to allow ssh traffic to that one specific server.

Of course, a national firewall won't stop satellite internet connections, such as Inmarsat. And it's unlikely that a country would try to jam Inmarsat satellites, since they are widely used by airlines and cargo ships.

Re:Biggest Surprise

[wvmarle]

Yes I know I used the wrong example with unencrypted port 80. More and more web traffic moves to encrypted traffic fast.

Re: Biggest Surprise

[aaarrrgggh]

When Zhang visited last year VPN connections were blocked around the convention center and at least parts of Wan Chai. Typically Cisco VPNs were unprotected, but that week at least even Cisco's IPSEC was blocked. I thought L2TP was often blocked in HK, but hadn't tried in years. I experienced this both on hotel wifi and cellular.

It might have had something to do with the snipers on the roof of the Hyatt that we could wave at.

Re: Biggest Surprise

[silentcoder]

Wow, you sure are opinionated for a topic you know fuckall about.
Marx believed communism wouldn't be viable unless it was part of a democracy. It was later communists who came up with the "state" owning things "on behalf of" the workers - and while they were the ones who took over the Soviet Union and then spread their version world-wide they weren't even the majority until some 20 years AFTER the Russian revolution. The majority of communists were democrats or anarchists - whose version had no state at all, merely the ownership of the means of production vested in the actual workers in the form of coops.
Such anarcho-communists ran Andalusia in Spain for 20 years (and it was a successful, industrial city. George Orwell fought on their side in the Spanish civil war and described them as the closest thing to a perfect society he had ever witnessed - and a society where there was no hunger, poverty or suffering). Nor an overbearing state - in fact, no state whatsoever.

Communism, capitalism and socialism are all, really, collective nouns for dozens of different philosophies (each) which contradict each other on many key points. In each situation - only having one thing actually in common.
In capitalism the means of production are owned by investors ("capitalists"), and in communism it is owned by the workers. This is the only part that applies to all versions of either. Socialism was originally a synonym for what came to be called communism, then Marx defined it as the end-state communism is supposed to one day achieve, currently it's best thought of as "capitalism but with a rock-solid social safety net", another word for "welfare state" as that's how it's mostly used these days.

So yes, communism is actually quite rife in the US - and government has nothing to do with it. America's largest carpet factory, and largest robotics factory, and LA's largest bakery are all worker-owned coops. A worker-owned coop is the very definition of communism - and everyone of those workers will tell you they are MORE free than they would be in any other company since, in this company, they get an equal share of the profits (it doesn't go to outside investors - it all goes to the people who actually did the productive work that produced the profits), and they all get a vote in management decisions. Does the company need a new slogan ? Should we open a new location in Albuquerque or would it be better to reinvest that capital locally in more staff and higher wages for us all ?
Instead of hoping and praying that a bunch of wall street stockholders who have no actual understanding of what they do will direct the CEO to make the best decision (and thus secure their livelihoods) - they can vote on that decision themselves, relying on their actual experience in the business and the wisdom of crowds to guide them. Because it's their business -they own it. And while, of course, every decision has risks - they never have to feel that they are being punished because of somebody else's idiocy in making a terrible business decision. They made that decision, they were part of it - and the decisions that determine whether they can feed their families tomorrow, are decisions they are themselves responsible for.
That's more freedom than most anybody else in the world gets. And it's communist to the very heart and soul of it, in fact, I would say it's much MORE communist than what the Soviet Union did - since those workers never truly owned the means of production - the state did, and without democracy, that state couldn't EVEN legitimately claim to be representing the workers.

By the way - more than 80% of companies in Argentina are worker-owned coops now, representing well over 90% of all employment (the remainder being almost exclusively civil service jobs). This came about after a complete economic collapse led to absolute capital flight and every shop, factory and office in the country was shut as the owners fled with their hoards. The workers just showed up and took over the abandoned businesses and ran those bus

Re: Biggest Surprise

[HornWumpus]

Wall of text and all you've shown is you are a halfwit.

Re: Biggest Surprise

[silentcoder]

When somebody cites a whole bunch of facts, all of them easily verified, and the only response you can offer is an insult - you've lost the argument.

Re: Biggest Surprise

[EmptyHead]

Worker owned != communism. There are some similarities to communes and co-ops but communism is a horrifying scaled-up version that makes in mandatory and only rewards a government class. It always fails, sometimes it takes longer. China is doing better than most by having a weird hybrid thing going where some of their entrepreneurs are being rewarded for doing more than the minimum to get the basic rations. Your love of communism should earn you a stay in one of these worker's paradises.

this shows the problem with workarounds

Whenever something unpleasant happens to human rights online, a lot of people shout, "Just use a VPN, and all your problems are solved!"

In a small way, they're not wrong. But this misses the big picture: VPNs are few and easy for centralized authorities to block. The ultimate answer cannot be narrow and fragile circumvention measures. It has to be a robust, decentralized, and authoritarian-resistant internet architecture. It needs to be all-or-nothing: either authoritarians block the entire internet, or none of it, because all content is safe from snoops and they cannot tell the things that please them, from the things that displease them.

VPNs are at best a fragile workaround for a systemic problem. And what's happening in China can easily come to the USA and Europe, because terrorists and because the children. The technical community has to take back the internet, before it's too late, or we will have lost the most important revolution in human communication to happen since the printing press to authoritarians.

Re:this shows the problem with workarounds

[HornWumpus]

You don't know how VPNs work? Unless China bans all encrypted connections to the outside world, this will do exactly fuckall.

I'm pretty confident that China has long since set it up so 'everybody's a criminal', same as the 'western world', so that's not in play.

Re:this shows the problem with workarounds

You don't know how VPNs work? Unless China bans all encrypted connections to the outside world

No. They only have to ban connections to the VPN services, which are relatively few and well known IP ranges. It's just like some US companies or web forums will ban those ranges for incoming connections. If they can do it, China can also do it.

Re:this shows the problem with workarounds

[HornWumpus]

How many Chinese people in the west with broadband connections? They will provide routing for relatives if they have to. You'll see them tunneling through gaming servers (which will piss the gamers off).

There are already a _buttload_ of VPN services. IP banning will be a never ending, rarely working game of 'whack-a-mole'. With lots of potential for fucking with China by baiting them into banning important hosts.

Re:this shows the problem with workarounds

[HornWumpus]

I wish the Chinese government luck (not really), they're going to need it.

Re:this shows the problem with workarounds

[HornWumpus]

You know how your advertising list updates. User reports.

You know what China won't be getting? User reports.

Re:this shows the problem with workarounds

[Strider-]

You don't know how VPNs work? Unless China bans all encrypted connections to the outside world, this will do exactly fuckall.

Assuming you have DPI capabilities, which I presume the Chinese government has, it's pretty trivial to block the normal VPN mechanisms without affecting other encrypted traffic. VPN (and SSL VPN) connections behave very differently from your typical connection to an https website. You basically just do traffic analysis and look for, say, SSL connections that have been open for more than 15 minutes, those where there has been more client sourced traffic than your typical http get, or whatever other thing that makes it behave differently than your standard web connection.

Re:this shows the problem with workarounds

[Strider-]

This is already "handled" by international obligation. If you look at the coverage maps for Iridium, Inmarsat, etc... there is a nice big hole over China. Same thing with the internet service offered by the likes of Lufthansa and so forth on airliners. Once over Chinese territory, the services cease to function. One of the basics of international law is that sovereign nations have the right to control what RF spectrum is used within their territories, and China simply refuses to issue licenses, thus the operators prohibit the use within the territorial claims of China.

Re:this shows the problem with workarounds

[guises]

Netflix is employing this approach right now quite effectively, most VPN services have given up on supporting Netflix for this reason.

The fact that some Chinese families have relatives abroad and will jump through a lot of hoops to get around this is irrelevant. It doesn't have to work perfectly to be effective.

Impossible due to widespread use of ASICs in netwo

Network engineer here. My theory is that any blocking attempt where the users seek to avoid being blocked is doomed to fail unless literally no traffic of any kind (even DNS etc.) is allowed through. This is because all serious network kit uses ASICs to achieve acceptable performance at the cost of flexibility, but all the endpoints are CPUs that are inherently flexible. If the users have an orchestration system that allows the developers to change the protocols as and when, and they play to the weaknesses of ASICS, the network vendors will never be able to keep up. Anytime you let any traffic through whatsoever between two parties you don't fully control, it's game over for your perimeter. Hurray!

Re:Just imagine

[HornWumpus]

Wait till their real estate bubble pops. It's going to be ugly as fuck.

china simply cant trust its own citizens online...

[Idisagree]

...what are they afraid of them learning on the open internet?

Jail if they catch you

[sjbe]

Also, if they block VPNs, then the people will just start tunnelling over SSH. Can they block all VPN an SSH connections? That would basically disable a huge portion of the internet.

They don't have to. They just put you in jail or worse you if they catch you using a VPN.

Re:Jail if they catch you

[Austerity+Empowers]

Any Chinese person I know would scoff at that threat, only Americans are so dedicated to law and order. Breaking the law is a way of life in many places (and in some places in the US, ask any NYer).

Yes, it's still illegal and if they decide to come after you, you are totally in trouble, and this is a horrible oppressive regime we really ought to hate and stop doing business with. But the reason the regime stays in power, and the reason it has managed to become successful in spite of itself, is because it is impotent and corrupt in all the right places. If their government were to ever fix that, and effectively police itself, I imagine the people would revolt in mere days and they wouldn't need the "free" world to tell them anything.

Re:Jail if they catch you

[StikyPad]

The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs. In either of those cases, though, the VPN use itself would likely be the least of the offenses they would be concerned about, and they wouldn't expose their capabilities simply to prosecute VPN usage, but rather the underlying information that was transmitted or received. It's really a law without teeth.

Re:Jail if they catch you

[arth1]

The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs.

No, traffic pattern analysis is good enough to identify most VPN traffic. You don't have to identify what's in the traffic, just that it's overwhelmingly likely to be VPN traffic, and then you can go after the endpoints.

Re:Jail if they catch you

[jbmartin6]

I'm told they will not come after you as long as you are quiet about it. If you VPN to Facebook and start vociferously criticizing the Chinese government, look out. But they don't care about cat pictures.

Re:Jail if they catch you

[Aaden42]

^^ This. VPN detection is a checkbox on most modern firewall kit these days. SSH too.

Re:Jail if they catch you

[Aaden42]

You don't have to jail everyone. Just jail enough to terrify everyone else into compliance.

Now I'm really confused...

[Bodhammer]

"The government now appears to be cracking down on loopholes around the Great Firewall, a system that blocks information sources from Twitter and Facebook to news websites such as the New York Times and others."


So China is protecting itself against communist, leftist, progressive, NWO fake news? Are they "MACA" (Making China Great Again)?

As for the inevitable snowflake trolls that will moderate this down - Are you familiar with the concept of self-fornication?

Re:Now I'm really confused...

[gnick]

Waiting for the "WAR" headline as I check the news each morning

If the U.S. declares war, it'll be announced first on Twitter.

Whack-a-Mole, Communist China edition

[Rick+Schumann]

China is playing an open-ended game of Whack-a-Mole with it's citizens, with the global Internet as the venue. It's obvious that Chinese citizens want free and unfettered access to the Internet and all the information on it. The communist Chinese government can keep trying to deny them, but just like with copy protection schemes, DRM, and all other censorship-like things, people will find a way around it.

Memo to Communist Chinese government: You can't stop the signal. You're going to fail; it's inevitable. Why not give up now, and stop oppressing your people? When the revolution comes, are you going to change, or are you going to fight the future, and go the way of Bashar al-Assad and start slaughtering your own people en masse? It's up to you how History will view you, China. Choose wisely.

Re:Whack-a-Mole, Communist China edition

The Signal doesn't exist on its own, it's produced by people. Kill enough people, and eventually the Chilling Effect will Stop The Signal, long before you run out of people.

Re:Whack-a-Mole, Communist China edition

[Rick+Schumann]

Yeah, because Bashar al-Assad has such a bright, wonderful reputation with the rest of the world right now, or did you not understand what I said above? You don't win Hearts and Minds by slaughtering your citizens, and so far as I'm concerned any regime that rules through fear, intimidation, and violence is going to eventually be overthrown, and when it happens there'll likely be all sorts of support, clandestine if not outright, from all quarters.

Re: Whack-a-Mole, Communist China edition

[Rick+Schumann]

You can't even spell the guys name right, why should anyone listen to you?
I'm sure Russias legions of state-sponsored hackers would be very interested in your opinion that they can 'easily become a thousand rotting or burned corpse in a ditch', so interested in fact that they'd turn your life into a 'rotting, burned corpse in a (virtual) ditch', draining your accounts, ruining your credit, pissing off everyone you know to the point where they won't even talk to you, planting child porn on your computer and/or phone then calling in an anonymous tip about you being a pedophile, then just for the lolz, hacking your car so you crash into a large stationary object at high speed.

Re:Whack-a-Mole, Communist China edition

[painandgreed]

China is playing an open-ended game of Whack-a-Mole with it's citizens, with the global Internet as the venue. It's obvious that Chinese citizens want free and unfettered access to the Internet and all the information on it. The communist Chinese government can keep trying to deny them, but just like with copy protection schemes, DRM, and all other censorship-like things, people will find a way around it. Memo to Communist Chinese government: You can't stop the signal. You're going to fail; it's inevitable. Why not give up now, and stop oppressing your people? When the revolution comes, are you going to change, or are you going to fight the future, and go the way of Bashar al-Assad and start slaughtering your own people en masse? It's up to you how History will view you, China. Choose wisely.

Sounds like the free internet is China's "War on Drugs".

China Cracking Down

[Scorpinox]

Just recently it was reported that China will start censoring videos on certain video platforms, taking down content that criticizes the government or depicts LGBT people. http://www.independent.co.uk/n...

People were saying it wasn't a huge deal because citizens "mostly use VPNs anyway" to access foreign videos, but this kinda throws a wrench in that plan.

Controlling the market

[AlanObject]

This looks a lot like what happens in mid-eastern countries like Saudi Arabia, where you can get fined $50K US for using a VPN. It isn't a security issue so much as they do not want people not paying the local voice carriers the $6 US/minute or whatever for voice communications. The owners of the carrier are typically relatives or close business associates of the ruling government.

China of course want to monitor online political activity so they want to make sure that nobody can post online content anonymously. I suspect even with them that is the second reason.

The more you keep tightening your grip

[bobbied]

The more will slip though your fingers...

China will eventually faced with the prospect of just disconnecting from the rest of the world or giving up on censorship. Depends on if they want to turn into a huge version of North Korea or not. I'm guessing, not.

Deterence

[sjbe]

Any Chinese person I know would scoff at that threat, only Americans are so dedicated to law and order.

Americans aren't the ones with the giant firewall. (Our government is more subtly evil in how it spys on us) You seem to have missed the point. The point isn't that the Chinese government will catch everyone, merely that they will deter VPNs through threats of jail and/or other punishment. I'm sure lots of people will ignore the laws but the stakes just got higher.

Breaking the law is a way of life in many places (and in some places in the US, ask any NYer).

Every citizen breaks the law dozens of times a day. Nevertheless the punishments for some "crimes" are much harsher depending on the locale. China punishes some stuff harshly that wouldn't even be a crime in the US, particularly political dissension.

Re:china simply cant trust its own citizens online

[Zontar_Thing_From_Ve]

...what are they afraid of them learning on the open internet?

All kinds of things. But they are actually more afraid, believe it or not, of the power of social media to encourage wild cat demonstrations against the government. The main job of the CCP (Chinese Communist Party) is not really to make China better. They do want to do that, but the main job is to protect the CCP itself at any cost. Did you know that the Chinese constitution (yes, they have one) actually has something in it pledging the military (so called People's Liberation Army) to protect the CCP? Not the country. The CCP. Anyway, things China doesn't want its citizens to know, include...

1) The truth about the government surpression of the 1989 Tiananmen Square protests. By the way, these are known in China as "the student protests of 1989" or "the student protests of June 1989". If you use the term "Tiananmen Square protests" to people raised in China, they may not know what you are referring to.
2) Anything at all about Falun Gong. Different sources disagree on exactly why the PRC (People's Republic of China) has a problem with it, but it may mostly be because it showed years ago a very strong ability to have large numbers of protesters show up and the CCP fears being overthrown in a spontaneous revolution.
3) Information about corruption by government officials and their family members as it threatens the stability of the CCP.
4) Any meaningful contact and knowledge of Taiwan beyond the superficial because greater knowledge of Taiwan's democratic processes are a threat to the CCP's very existence.

That's not a complete list but it'll do for here. You can see a general thread of paranoia in everything that the CCP might be overthrown quickly by a spontaneous protest that spins out of control faster than the PLA can stop it (and some members might join in anyway). It's not really aimed at secret keeping so much as making sure people can't organize to overthrow the government.

Shush, the UK Government might be listening...

[BellyJelly]

Don't give Theresa May and Amber Rudd ideas.

Re:Impossible due to widespread use of ASICs in ne

[apenzott]

Two words:

Zone Transfer.

This is how one DNS server shares its list of DNS entries with another. The transfer could also include a bunch of TXT records with cleverly included "certificates" as part of its payload.

I am thinking all that Facebook has to do to make WhatsApp global would be to sponsor one of the root servers that can use UDP 53 with cleverly encoded TXT records for the transaction. It would also work for DNS delegation where direct connections are not possible.

Re:Impossible due to widespread use of ASICs in ne

"orchestration system"? What on earth are you talking about, that won't solve anything.

Real System Engineer here, this has already been happening for years. China can and does block VPN users, it's just they don't have a complete crackdown on it yet. We _do_ have employees in China who are kept behind internal walled gardens due to that.

In case anyone else has been asleep the last 10 years, VPNs are very easily detectable, as is SSH. The problem is with the initial exchange, it's all in clear. Try it, mitm an ssh between two hosts, you'll see a banner like

.Xx.....MM....~diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1....ssh-rsa,ssh-dss....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com....none,zlib@openssh.com.......................

Edit: Appears Slashdot eats this with packet headers.. trimmed.

Followed by at least three other packets while the negotiation happens. There are in total at least a dozen strings one could trigger on. It's all by design too.. And yes, HTTP has the same problems.

This idea that VPNs are somehow an answer to censorship is ridiculous. The very organization whom were supposed to prevent these kinds of BASIC attacks, shrugged it off either because they were paid to undermine it, or incompetent.

Capatcha: privacy.

Re:Impossible due to widespread use of ASICs in ne

[omnichad]

limiting the rate of queries to 1 query per second.

Great, now every web page takes several minutes to load by the time you look up all the caching servers, ad networks, and social network scripts.

Re:china simply cant trust its own citizens online

As a frequent traveller in China :

1) Incorrect for the people I deal with
2) As above
3) To some extent, but it is still discussed
4) Taiwan is a funny thing, but I discussed it many times, and the locals seems well informed. ( I am often in Xiamen, very close to Taiwan - in viewing distance...)

BTW: All major hotels in China has their own VPNs, so I can access EVERYTHING when on the hotel network. Be it in Shenzhen, Qingdao, Xiamen or Ningbo....

  I will wait to see this go away.....Wont happen....

Re:Impossible due to widespread use of ASICs in ne

[aaarrrgggh]

You don't have to block 100% of the traffic. Just 5-10% (with logging) can be a sufficient deterrent. About the only way around it is a peer-to-peer network on both sides of the firewall where the amount of external data transfer is limited, but they don't necessarily need to allow local VPN traffic either.

Expelling large numbers of foreign workers too

[Hasaf]

Chain has also just started a program that makes it very hard for foreigners to renew their residence permits too. They are starting to use a point system that is all but impossible for most of the foreigners to be eligible. The Resident permits for all non-Han worked have been one year permits; so there is a near exodus of foreign workers going on right now.

Run your VPN on same port as web server

[naughtynaughty]

You should be able to stealth your VPN behind a legit appearing website.

Same IP, same port

Re:Run your VPN on same port as web server

[Strider-]

Same IP, same port, different traffic pattern. The folks who build these system aren't stupid. Now if rather than a VPN you're running an https proxy, that's a little harder to detect, but even then, if all the traffic from one host is going to another host, and not touching anything else, it's not hard to develop a high degree of confidence that you're looking at a VPN or proxy service.

Re:Just imagine

[Cajun+Hell]

[Just imagine] If half the people of China said something like 'I've had enough of this b.s.!' and started burning down police stations and stuff. A bloody revolution to be sure, but what if China became the new leader of the free world? What if democracy, at least by the standards of the supposedly freest nation currently in the world, was in place in China?

And if you feared that happening, what would you do about it? Today's idea: install Great Firewall to control most peoples' media, and by extension, their thoughts.

This sucks

[RiddleofSteel]

As the IT manager at a company that has a sister company in China this sucks. As it is they block DropBox, OneDrive, Google, etc. which makes transferring large files a pain in the ass. They are also trying to force everyone to use WeChat which I don't trust at all, so I'm expecting Skype to have even more issues then it does now when using it in China. They really make life hell for IT who have to deal with them and this will be the icing on the cake. I don't understand how they intend to do business globally if they keep making it so difficult to deal with all the restrictions.

Re:Impossible due to widespread use of ASICs in ne

[omnichad]

So relax the rate limit for queries that can be answered from cache.

Whose cache? Does China already block the use of 3rd-party DNS servers?

Re:Softether

[ZeroNullVoid]

While I love SoftEther and the VPNGate project... if all traffic from x-node is going to the same route, it likely is a VPN.  The next phase of VPNGate is to make bouncing nodes and fake traffic with a huge number of servers or cloud providers.  Have real, popular, sites hosted on the same https paths, etc.  Have those sites implement a push notification system on them, so there is always a constant need for open sockets, etc.  I'm just throwing out ideas, but SoftEther, alone in it's current state would not be enough.

Re:Impossible due to widespread use of ASICs in ne

[WeezulDK]

2400 baud? You mean the BBS or internet Dialup circa late 80's? Oh yeah, NOBODY used that... lol

Re:Just imagine

[HornWumpus]

You should buy condos in China. It's a good investment!

Re:Just imagine

[HornWumpus]

So do it. Talk is cheap.

The Chinese are babes in the capitalist woods. They still think keeping their currency low for all these years was a good move. I predict a Chinese revolution inside 10 years, after their savings evaporate. It's going to be _ugly_. Central committee members children will be hanging from lampposts.

Re:Just imagine

[HornWumpus]

Everybody in China want's land (or real estate anyhow). It's cultural.

Unfortunately for China, they are parking their money in a huge bubble. Their big cities are massively overbuilt to shit construction standards.

The truism in real estate is the real value of property is the loan that rent would cover. In China that's about 10% of the current market price. Chinese people often keep investment properties empty as the rent doesn't cover the added cost vs just leaving it.

China has a government set currency peg. It's not priced on any market. They don't need to buy their currency to keep it up. They just set the peg. They are currency manipulators.

As to educating yourself I suggest Googling 'China Currency manipulation'. In recent years China has made efforts to keep it's citizens from getting out of the yaun. But Bitcoin. IT IS GOING TO BE UGLY.