VPN access being disabled in China (nytimes.com)
75 points by ajitk on Dec 23, 2012 | hide | past | favorite | 59 comments


This sucks for travelers and ex-pats, but for China's future this is a very, very, very big deal.

I lived in Shanghai last year, and Chinese Internet surveillance is unreal. I could use gmail chat to talk about Tiananmen Square, but as soon as I did all of my Google apps would suddenly be unavailable. I can only assume that when I used certain keywords my every chat was being monitored. A VPN was the only way I could access YouTube, Twitter, Facebook, and even some Google searches.

But reality is 90% of the young population of Shanghai didn't really care what the "great firewall" did, because EVERYONE used a VPN. I saw more people watching YouTube in China than I do in the states, even though Chinese versions of these platforms exist. Some platforms, like RenRen (Facebook-like but more similar to Russia's VKontakte) were popular, but most just used the US-built versions. Now most of them won't be able to.

This absolutely terrifies me. I was literally minutes away from being on a bullet train from Shanghai to Beijing that killed "x" people. Chinese authorities cite incredibly low numbers for a train traveling at 300 km/h. Most non-state observers cited hundreds of deaths. China slowly grew its number from 20-40.

It's illegal for foreigners to talk about the "Three Ts" with Chinese nationals - Tibet, Taiwan, and Tiananmen Square. But previously the youth learned through their VPNs letting them access the outside world. With that shut down, the government might as well be burning books.


While knowledge of VPNs is huge, their use is not as large as you posit. I would argue instead that the real reason many young Chinese don't really care what the "great firewall" does is that they're almost exclusively using the domestic Chinese internet. Browsing in simplified Chinese, there's rarely a need to access the outside internet.


Perhaps it's not; I spent most of my time among very internationally-oriented, business-minded English speakers, which is by no means a fair sample, but it's not an insignificant subset, either. I'm most concerned about VPNs as the only possible path to avoid censorship on a large scale.


>I was literally minutes away from being on a bullet train from Shanghai to Beijing that killed "x" people. Chinese authorities cite incredibly low numbers for a train traveling at 300 km/h. Most non-state observers cited hundreds of deaths. China slowly grew its number from 20-40.

I'm unfamiliar with this, is it a reference to bullet trains running over people who somehow got on the tracks?



It is not illegal for foreigners to talk about the three Ts with Chinese nationals, it's just not very wise. China technically has the right of free speech in their constitution, so you wouldn't go to jail for this (but you could still get in trouble, lose your job, get deported, etc...)


True, illegal isn't the correct word.


How were they able to sniff your keywords on Gmail chat? I thought as long as you are connected via HTTPS, your packets are encrypted.

Or does China not allow connecting to foreign websites via HTTPS?


China owns at least one CA.

Cert pinning should prevent some of this, but I suspect a lot of Chinese use web browsers downloaded locally (which could compromise pinning; rather than pinning fake certs, I'd just pull the pinning entirely), or browsers which don't support pinning.

I don't think the GFW routinely MITMs HTTPS, but I would be amazed if they didn't do it on a targeted basis against specific sites and users.

And of course if you're using a phone from a state-controlled carrier or a webcafe from someone who complies with pressure, you can be attacked even easier.


I used to run a relatively successful internet-oriented startup in mainland China. Having spent most of a decade there since 2001, in fact the majority of my adult life, I considered it home. Unfortunately, the government - who initially wooed me to return to China with a reasonably lucrative scholarship - keeps making shitty decisions that just make it less and less attractive to live in. Increasing levels of internet censorship are one of them; making visas ridiculously hard to acquire (the Chinese consulate in a neighbouring country actually just flat out refused to even discuss issuing a tourist visa, earlier this year) is another.

I really hope the next generation of the communist party sort their shit out. Otherwise, China's basically going to continue breeding vast generations of uneducated, inward-looking nationalists and stifling anything remotely like innovation that somehow manages to occur between the cracks. Foreign business professionals and overseas Chinese will continue to view time in China as a non-negotiable sentence of rice wine banquets, pollution, a complete vacuum in the upper echelons of conversationalism, a constant redoubling of cigarette smoke, spit, and bad Chinglish.


Out of curiosity, what was the startup?


'Dajiudianwang' hotel reservation, ~2007-2009. We reached the same property network size as CTrip and ELong (3300+ individual property contracts across China), but also provided services in (non-broken) English, Japanese, Korean, Thai and Vietnamese. We were highly automated, running a call center and paperless, digital fax workflow on a custom diskless Linux and Asterisk on an E1 over private fibre.

I gave up on it because, despite basically winning Europe's largest travel-industry VC event in London in 2009, I didn't find a viable source of venture capital to expand our marketing, once the system was proven and almost break-even on self-funded capital. Basically locals wanted to take over, and foreigners didn't trust the Chinese legal system. I write it off as my 'Chinese MBA' now, and happily take a salary and less stress instead.

I'd be interested to pick it up again, if I found the right backers.

PS. Oh! David! Hey .. I think we corresponded once before. :)


Hey -- we chatted a couple of times actually -- I remember you ran into some pretty hardcore this-is-China experiences down south that I'm glad I never went through as well. Happy to hear you're doing well and that things have worked out. Let me know when/if you're coming back and we can meet up for drinks.

p.s. mostly asked the question just because I like to keep track of people who've done various things from here. Funny to think it really is such a small world.


Before travel to China, create a throwaway email account on a service, possibly Yahoo. Don't touch your real email accounts while you're there, if possible. The only time I've ever had an email account hacked is following use in China.


My employer (smartly) prohibits bringing any corporate equipment into China - including cell phones which access company email - and generally suggests not touching the Internet (at least any of your accounts) at all.

Having been there, this is honestly very good advice.


I heard Google does that. I work for Microsoft and am based in China, so obviously this is not an option for me. It turns out not to be a problem in practice, everything is encrypted well enough, the only annoying thing are GFW-instigated DOS attacks on secure connections.


Note that Yahoo has good relationships with the government. I would definitely recommend gmail instead.


Nice thought, but you may not find it easy to access GMail. Yahoo's "tight" relationship with the government means that its site works most of the time, and has usable performance. In China, all web sites are not created equally. Rather than outright blocking, the general strategy appears to be to kill the performance of sites, raising frustration.


Here is a real test for Anonymous; take down the worlds most notorious firewall.


The lulz does not seem like a fair reward when the adversary's not even slightly squeamish about abducting you and your family and selling your organs.


That's a pretty strong statement (not that I disagree with it), just that it's strong enough that I'd love to see a citation for evidence of that history.


Just go google for the news; one of the latest victims is the family of Guangcheng Chen (http://en.wikipedia.org/wiki/Chen_Guangcheng), whose family members get sued for protecting themselves (as "attacking ferociously"), etc.

And take a look at the whereabouts of human rights lawyers at the sensitive dates.

You can't miss that.


This is nothing new. They have added more IPs to the VPN blocklist. I have no idea why this is news. This happens several times per year. This cat and mouse game has been going on for years.

Every time this happens it is just a pain in the ass to find a new VPN that isn't blocked.

If you are technical, it is best to just set up your own VPN on Linode or Amazon. That way you have fewer problems with blocked IPs.


This is what they used to do, but they've gotten more sophisticated - I've been running VPNs for China for my family on EC2 for a while. As far as I can tell, they almost never flat out block an IP. Initially they block a DNS hostname from resolving to a specific IP, then they start filtering out various different ports (including the default VPN ones). You can normally change to a random port and get OpenVPN to start working again, but it appears in the last couple weeks they've been able to identify and block OpenVPN activity on random ports. This happens so quickly, now, that it's pretty futile to try to IP hop unless you can come up with a traffic pattern that is less detectable.


Well, that's exactly why I thought of this (concept only at this point). http://www.sami-lehtinen.net/blog/simple-protocol-obfuscator...


Exactly my experience. I've been running a private OpenVPN instance for a couple of years now -- a month ago they started blocking it. Switching ports works for approximately three hours.


Not exactly. They are auto-identifying the IP addresses based on traffic sniffing. So you can do this and work around things, but your new IP will get identified as such and blocked automatically in a few hours.


Oh wow, this is not good. Is it possible to evade this sniffing? I have my own Linode VPS, and have learnt to use Tinc VPN software. I'm learning Mandarin and plan to travel to China in a year or few, so this censorship makes me sad and hits my motivation.


Many of us on the mainland ("us" being the type of people who would read HN) have switched to SSH proxies over port 443. Sshuttle [1] is highly recommended.

1. https://github.com/apenwarr/sshuttle


Interesting that SSH is getting through still.

I wonder how much longer till Chinese avoidance VPN tech needs to resort to steganography in images to transfer data. Masking data as cat pictures would be slow but not automatically detectable.


China has enough outsourced development teams that blocking SSH would be, I'd think, a measurable drag on that economy. We SSH over 443 as a "just-in-case" since it looks a lot like HTTPS.
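The two points above (OpenVPN being recognised on random ports, and SSH on 443 "looking like" HTTPS) both come down to what a protocol-aware filter sees in the first bytes of a connection. The following Python is an added example, not code from any commenter: it labels a connection's opening bytes as SSH, TLS, OpenVPN or HTTP independently of the port, using each protocol's published first-packet layout. The sample payloads are constructed, not captures.

```python
"""Port-independent fingerprinting of a connection's first bytes (added example)."""
import struct

# OpenVPN control-channel opcode of the first packet a client sends
# (P_CONTROL_HARD_RESET_CLIENT_V2). The opcode sits in the top 5 bits of the
# first byte and the key id in the low 3 bits, so a fresh session starts 0x38.
OPENVPN_HARD_RESET_CLIENT_V2 = 7
# opcode(1) + session id(8) + packet-id array length(1) + packet id(4);
# tls-auth adds an HMAC and replay fields, so real packets are at least this long.
OPENVPN_MIN_RESET_LEN = 14

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def looks_like_openvpn(packet: bytes) -> bool:
    """True if `packet` is shaped like an OpenVPN client hard-reset, on any port."""
    if len(packet) < OPENVPN_MIN_RESET_LEN:
        return False
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    return opcode == OPENVPN_HARD_RESET_CLIENT_V2 and key_id == 0


def classify(data: bytes, transport: str = "tcp") -> str:
    """Label the first bytes a client sends; `transport` is "tcp" or "udp"."""
    if transport == "udp":
        # OpenVPN over UDP has no length prefix; the datagram starts with the opcode.
        return "openvpn" if looks_like_openvpn(data) else "unknown"
    # SSH: the RFC 4253 identification string is sent in the clear, so an SSH
    # session on port 443 is not mistaken for HTTPS by a protocol-aware filter.
    if data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length prefix, then the same packet as UDP.
    if len(data) >= 2 + OPENVPN_MIN_RESET_LEN:
        (plen,) = struct.unpack("!H", data[:2])
        if plen == len(data) - 2 and looks_like_openvpn(data[2:]):
            return "openvpn"
    # Plain HTTP: a method token, a space, and a request line ending in HTTP/x.y.
    if data.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in data[:64]:
        return "http"
    return "unknown"


# Constructed sample first-packets (not captures).
SAMPLES = {
    "ssh_on_443": b"SSH-2.0-OpenSSH_6.1\r\n",
    "tls_clienthello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "openvpn_tcp": struct.pack("!H", 14) + bytes([0x38]) + b"\xaa" * 8 + b"\x00" + b"\x00\x00\x00\x00",
    "openvpn_udp": bytes([0x38]) + b"\xaa" * 8 + b"\x00" + b"\x00\x00\x00\x00",
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}
```

Running `classify` over `SAMPLES` gives ssh, tls, openvpn, openvpn and http in turn; the port number never enters the decision.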


Time to create Bitcoin-enabled p2p VPN market?

I have thought about the idea for some time. The marketplace operator could take something like a 30% cut. Any private individual could sell their internet connection to the Chinese and earn some bitcoins in the process.

There could be some rules which could stop the Chinese government from knowing which IPs operate in the market. For example, someone could buy a certain VPN/IP address recurringly, and others couldn't purchase that specific IP - that way the government would have no way to know how that specific connection is used.

And of course, bitcoin isn't a very easy or well-established payment method - bring in the resellers/market makers from China. These could (with some easy-to-use software/API) resell these VPNs to Chinese individuals.


Bitcoin "solves" the problem of anonymous payments, but copyright and other liability, never mind asymmetrical connections, would probably make this unappealing to providers.


I'm wondering how this affects corporate outsourcing. The company I work for has a Chinese development and as center. This has to be behind the corporate firewall, so I'm thinking we will just close that down and move to a country that wants to be part of the future.


VPN and SSH[1] have been means of evasion. But there has been anecdotal evidence of "unstable" VPN[2] and SSH connections before.

[1] http://en.wikipedia.org/wiki/Great_Firewall_of_China
[2] http://www.guardian.co.uk/technology/2011/may/13/china-crack...


I'm in Shanghai, where I've lived off and on for 8 years. I've been using an EC2 image with Poptop installed. The problem is the IP addresses of the major VPNs become known and blocked.

Any suggestions of software that would deploy images to various cloud services on behalf of users? I don't think China would be able to block all of ec2 and Rackspace, though they do sometimes seem to throttle ec2.


I hope you're aware that pptp connections (including via poptop) can be broken easily.

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-cha...


Thanks. Fortunately I don't really care if it's cracked - I only care if I can have access to the western internet, and that works just fine.


OpenVPN has an AMI that you can install on an EC2 Micro instance which works fine as long as OpenVPN in general works -- which unfortunately is no longer the case as of the past few weeks.


The thing about the great firewall... It only affects expats or visitors to China.

Any Chinese person who wants to read the NYTimes can get access to it. Anyone who wants to read about the "Three T's" can find a way (good luck finding anyone). Chinese people who want to spend all day on the Facebook or the Twitter, will.

But the rest of the Chinese internet, the 99% of them, being disconnected from the rest of the world's internet, doesn't matter that much. They have neither the desire nor the interest to look at blocked pages. They're happy with the Chinese-language internet they have.

Personally, I'm starting to believe the Great Firewall is mostly there to annoy expats like me.


Our startup uses a pair of Sonicwall TZ215s to establish a site-to-site tunnel between our China branch office and our U.S. HQ.

It has been quite difficult to get the tunnel stable enough to survive for more than a few hours. We had to use lower security settings and more uncommon modes to fix our constant disconnections. SSL-VPN has always worked well, but that is only an option for our remote workers; site-to-site does not offer that option. Dell support engineers have generally been clueless on the matter.


Does anyone know of any work related to automatically making arbitrary "look" like, say, an HTTP session? I'm thinking of something that would automatically encode a VPN session as a valid, renderable HTML document (and not via the trivial way of just gzipping it and making it look like an HTTP compressed document, as I'm sure that would still be easy to block.) It seems like this should be possible, albeit with tons of performance decrease, but I can't find anything.


Perhaps how Google accomplishes getting through common firewalls with their news headlines; using an encrypted javascript tunnel. It isn't blocked by a majority of residential/enterprise firewalls, and using a similar technique one should be able to use HTTPS with an encrypted javascript tunnel to access out rather securely.

Perhaps there is something like this already in existence, and any resources/opinions would be great!



obfsproxy looks like exactly what I was thinking of, thanks!


running openvpn through spiped may work too.


Such a technique is called steganography. It's possible but would require lots of bandwidth depending on how secure you need it to be. For example you can hide data in a photo by slightly changing the shades of red in it without changing the appearance of the photo noticeably.


I'm aware of steganography, but this would be slightly different than any published steg technique that I am aware of, as it would not be hiding in a preexisting carrier signal, it would be creating its own.


There are a lot of government supported efforts to research (especially finding and cracking) steganography. You can even look up articles in Chinese on the topic.


How is Cisco IPSec affected by this blockage? Any business or foreign mission conducting transactions in China should be very wary if they start targeting IPSec in any way.


...and by "Cisco IPSec" you mean "IPSec", right?

I would assume, based on the various anecdotal reports I've read, that IPSec tunnels are blocked under this new program, along with PPTP and L2TP.

They're using machine learning packet classifiers to identify the traffic running over tcp and udp, as well.


I'm using IPSec now without any problems. OpenVPN is blocked.

China has the power to be more selective about what it blocks. For example, Wikipedia is not blocked here (yet). But trying to access an article within Wikipedia on Tiananmen results in a dropped connection. Why China completely blocks entire blocks of IP addresses (like YouTube, Blogger, Wordpress) is not clear to me. There are a number of easy heuristics you could use to block most of what you don't want.

It is ironic to me that a government that preaches a belief in rationality (e.g. I received a text message last week urging citizens to believe in science and not the end-of-the-world reports) would use censorship instead of rational debate/discussion to counter viewpoints it doesn't agree with.


> OpenVPN is blocked.

Are just the standard ports blocked? Or are they doing some type of traffic analysis to differentiate OpenVPN traffic over any port, be it TCP or UDP (as OpenVPN can of course be configured for any port over TCP or UDP)?


GFW is getting more advanced. It doesn't simply block you by ports anymore, but by your accessing patterns.


It has to be very selective, otherwise it would disturb a hell of a lot of state admins and companies :P


It's been doing EXACTLY that. It's not that selective.


It disrupts big companies, actually. TCP tunnels still work though.


How prevalent is Tor usage in China? Is it a PITA because one has to go through bridge relays?


Somewhere around a thousand a day (which is extremely low), with spikes way beyond that. I assume that they have difficulty finding relays, as the Firewall would be very updatable. For comparison, the daily connections for Australia and the US are over 4000 and 70000 respectively. You'd assume that the only ones being able to use the onion router at the moment are those that could find bridge relays with the obfuscation proxy enabled.

The Tor project has lots of neat graphs, broken down on a country basis:

https://metrics.torproject.org/users.html?graph=direct-users...



