https://github.com/net4people/bbs/issues/519
> After its founding in 2018, one of Geedge's first clients was the government of Kazakhstan, to whom the company sold its flagship Tiangou Secure Gateway (TSG), which provides functions similar to China's own Great Firewall, monitoring and filtering all web traffic that passes through it, as well as attempts to bypass such censorship.
> The same tool has been rolled out in Ethiopia and Myanmar, where it has been instrumental in enabling that country's military junta to enforce a ban on VPNs. In many cases, Geedge works with other private companies, including internet service providers (ISPs) such as Safaricom in Ethiopia, or Frontiir and Ooredoo in Myanmar, to enact government censorship, the documents show. No ISPs that have partnered with Geedge responded to a request for comment.
> The leaks show employees at the company working to reverse-engineer many popular tools and find means of blocking them. One set of documents lists nine commercial VPNs as "resolved," and provides various means of identifying and filtering traffic to them. Similar capabilities have long been demonstrated by the Great Firewall, with most commercial VPNs inaccessible from within China and many dedicated anti-censorship tools also hard to access.
> At least one Jira support ticket shows evidence of plaintext capture of email
>The strategy is being developed in close cooperation with China after a string of high-level meetings in Beijing and Moscow this year. At their first cybersecurity forum, in April, top Chinese officials and their Russian counterparts gathered in Moscow for the talks. Delegates included Lu Wei, the head of China’s state internet information office, Fang Binxing, the so-called father of the Great Firewall and Igor Shchyogolev, President Vladimir Putin’s assistant on internet issues and former minister of communications.
>“The principal agreement to have a forum was reached by Igor Shchyogolev and Fang Binxing at a meeting in December 2015 in Beijing,” said Denis Davydov, the executive director of the misleadingly named League of Safe Internet, a government-affiliated group that has drafted internet-filtering legislation and recruited teams of volunteers to patrol the web for “harmful content”.
https://www.theguardian.com/world/2016/nov/29/putin-china-in...
they are in a better safe (from the people, heh) than sorry mode.
I would be surprised if western governments didn't do the same, and folks should act accordingly.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-... ("Microsoft handed the NSA access to encrypted messages")
> "Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;"
> "The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;"
Mass censorship, surviellence, and erosion of privacy are incompatible with human dignity. Purely utilitarian stances advocating online censorship "for the greater good", exploiting the causes of "terrorism" and "child safety" fail to consider anything more than the first order consequences.
Once a government taste the powerful liquor of censorship, there's no way that bottle's ever getting corked again. You bet your ass when anything happens that threatens those in power, that they'll be using that censorship on more than just the evil porn websites and terrorists.
I hope that this GFW leak helps researchers and hobbyists alike find more ways to fight against government erosion of personal dignity.
Seems the youth of Nepal managed to cork the bottle again earlier this month, when after the mass social media ban they burned down the government buildings and chased the parliamentarians out of the country.
if musk "buys" trump's untruth network and merge it with the remains or xitter, and then all the others are blocked to "save the children" nobody will say anything. maybe, just maybe, there will be a stockholders lawsuit on meta for the value dropping to zero. but hardly anything else.
Dream on. Remember Germany ?
A few years later (still before v2ray) they got more aggressive: Unknown protocols were stalled after a few kilobytes. I then learned if I pretend I'm doing something legitimate (!) such as downloading favicon.ico within a proper HTTP channel, they won't touch my "packets" (the favicon content was my packet). I think there was also a Iodine project doing the same with ping packets but it was slower than favicon-as-packets for me. Today I see v2ray has taken it to the maximum extent, suggesting valid web page front for an IP, valid https certificates, etc.
When I started making money I was thinking about renting many IPs and send my traffic as round-robin to them as the detection relied heavily on IP consistency. That is, connections were fingerprinted by IP.
I don't live there anymore and don't get to verify this hypothesis, but given the leaked source codes it's an intersting weekend project.
What else is also interesting, I looked at traffic decoders in the list of leaked source files: TCP, HTTP, QUIC, ... but no mention of UDP, which made no difference in bypassing GFW. I guess the same IP rate limiter was at work with UDP at a lower level.
I've also observed similar behavior with the vpn I'm using as backup where the server I'm using tends to get blocked in around the same timeframe. It's using openvpn/wireguard as the underlying protocol which doesn't try to obfuscate itself so I suspect traffic pattern analysis plays a larger role in what gets blocked than the protocol itself. The exception was my recent trip week-long trip where I was mostly cycling between two servers without noticing either being blocked.
I saw a lot of speculation years ago that the GFW used to flag connections for human review. 3 days sounds like support ticket turnaround.
Could you elaborate on that more? I'd love to dig into an implementation that does this, in case you still have the tools/scripts/programs available.
I'm asking because for the last couple years I've been on and off working on my warps [1] soft router prototype which aims to hide in plain sight using exfil network protocols.
(Think of it like DNS/HTTP smuggling but with the idea to use similar techniques in other network protocols, too)
Later I made a more elaborate version where it implemented its own HTTP and SOCKS4/5 proxy servers; I think you won't like it :D I wrote it in Java using Netty more than a decade ago, and published to Github when I relocated. Using Java I could run it directly as an android app or on a PC more easily.
This is the project: https://github.com/hkoosha/massrelay
Using Netty's vocabulary: If you add one extra HTTP handler to the pipeline, you get what I initially implemented in various forms:
- An HTTP handler that reads a header, say `Cache-Control: max-age=N` where N is the rotN to rotate bytes. - Next handler that starts rotating traffic bytes with the given `N`
For favicon-as-packet, my implementation was again with massrelay project but I forgot all the details. It shouldn't be hard: Netty keeps track of the connection state (packet number, etc...) and the handlers wrap/unwrap the traffic within favicon as transferred within HTTP channel.
Netty is a beautiful framework. I see you made your warps project in go, so the concepts might make more time to implement if you want to translate directly to a go project; Or you can just forget about massrelay and implement within your go project from scratch the way it makes sense, since the idea is pretty itself simple.
(That being said, I think GWF has advanced a lot, that's why something proper like v2ray works better now).
http://www.jofla.net/C++__/OWRTRelay/
Its a very minimal C program which was originally targeted for OpenWRT. But being C it should run easily most places. One would run on a router on a final remote server and another on a travel router which you would tether to.
YourPC <---> Your Travel Router <----internet----> Stationary Router <---> Final Server
Setting up the ports accordingly you had something which basically 'patched' the bytestream in the middle without it even knowning or needing to be changed on either end. It could relay any TCP connection.
There were many dialects which I eventually came up with (especially per packet length obfs) which could be added to the old C program.
Happy Hunting.
If enough people apply some ethical line, it creates a genuine headwind for evildoers.
As fucked up as it is, the virtue of individualism is often studied as a capitalist/western phenomenon that causes crime and internal conflict. Many of the people building this likely genuinely believe that they are working for the greater good and repressing a harmful social underclass.
It's not hard to identify those channels and block them. A connection used to interact with websites has completely different traffic patterns compared to a user sending all of their traffic over one specific connection.
Add to that the fact that large video streaming services such as YouTube, where you may see large quantities of data being exchanged over persistent connections, are already blocked in China, and your VPN becomes quite obvious without seeing even a byte of plaintext.
Of course for common protocols like QUIC they have their own custom solution (linked in a sibling comment), but the point is that even with encrypted SNI you will need dedicated anti-GFW protocols to stand a chance against censorship. No protocol that works well for most consumers is going to protect against the analysis a dedicated firewall with decent funding can come up with.
AFAIK, the only thing that stops an MITM attack (where they respond as if they’re the remote server and then relay to the real remote server) are certificates.
If an authority requires you trust their root certificate so they can spy on you, QUIC will not make any difference.
You might think IP checks are safe because everything's on Cloudflare and they can't block Cloudflare, but you'd be wrong. Even Spain blocks Cloudflare (yes, entirely) during football games.
My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent. We are lucky to be living in such a free society. Internet seems to be losing the battle against government interference and censorship and that is more of a bad thing then a good thing.
While I personally wouldn't want to live in a country which does this, the flip side of unrestricted virality in countries that culturally might not be prepared for it are events like https://en.wikipedia.org/wiki/Indian_WhatsApp_lynchings
Given that the US controls much of what happens on the Internet, another issue for many countries (not China so much) is that without controls they become extremely vulnerable to US influence campaigns and "colour revolutions".
I predict that all countries will end up with something like the GFW eventually because there's basically no other way for governments to achieve "Internet sovereignty" (enforce laws regarding users and publishers on the web). The US might be last to do this because it is in the doubly privileged position of a) being able to exert significant pressure on other countries and b) being able to apply regulation to major US-based Internet companies using their own legal system.
China relies heavily on export, so they can't just block everything. There are tons of proxy services to bypass GFW in China, and most of them have government background.
Look, the reality is that kids will be kids ...
Remember the pre-internet days when the porn mags were on the top-shelf at the newsagent ?
I'm sure many of that generation will tell you stories of copies of Playboy being passed around in the school playground.
Or back in the VHS or DVD days .... someone in the playground would be passing around some porn.
Or, a UK-centric example would be the famous Page 3 of The Sun newspaper.... "giggle giggle...boobies...giggle"
Moving swiftly forward to the modern day. You can legislate about it all you like, but kids know their way around tech and will soon discover what you can do with a VPN or any of the other many workarounds.
I think the reality is more that the government is trying to legislate for things that could be resolved by good old-fashioned parenting and teaching.
Educating your child properly is better than doing the helicopter-parenting routine and trying to smother little Billy in cotton wool.
20 years ago was 2005. We were "here".
Well, OpenAI and other companies training AI models have shown that the architecture of the model matters less than the quality of data fed into it. Same applies for humans.
I understand that the Great Firewall is mostly about censoring dissent, but it's also to keep Chinese citizens away from junk food media sources. The type of videos you see on Douyin vs Tiktok is a great example of the difference.
Yes, the videos on Douyin are politically censored, but they're also a lot less brainrot than Tiktok videos. The Tiktok algo is optimized for ad impressions and profit, whereas the Douyin algo is more tuned to some nebulous concept of Confucian social harmony, for better or worse.
A more nuanced take is that I don't think it's useful to measure Chinese govt behavior just mapped to "amount of suppressing political dissent". I actually think the level of censorship is above the level required for that. It's more useful to recognize that "suppressing political dissent" is actually a subset of Confucian "promote social harmony"- which is not strongly valued in the USA but is at least important enough to be paid lip service in China- and I suspect a big chunk of educated members of government may truly believe in that ideal. It explains behaviors like "why the Douyin algo is so different from Tiktok" and other overreaches of the Chinese govt, because it's not solely about suppressing dissent.
Right now on the HN homepage, there's a link "The case against social media is stronger than you think", which argues that social media drives political dysfunction in the US and some other countries:
https://news.ycombinator.com/item?id=45234323
Even if you disagree with that link, and believe social media is a positive force, do we really need to subject all countries to unregulated social media? Seems like putting all of our eggs into one basket, as a species. Why?
Just about every company already uses some form of this on their network, especially those in highly regulated sectors like banking and other finance-related industries.
More usefully and perhaps "on the other side", I have a proxy on my network to block and modify requests for ads and other content I want to "censor".
now this is what Pink Floyd meant by "comfortably numb". mass cognitive dissonance and denial
Various western networking companies already sell such products to authoritarian regimes, such as Nokia[1], Blue Coat Systems[2] and Siemens[3]. China, for reasons that are well documented elsewhere, has always wanted to build it with "their tech", the only thing that's new to me is their export of such tech to Chinese-allied nations.
> My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent.
This is a very controversial opinion, but the overton window has shifted in this respect and many people often like censorship/DPI when done for "altruistic reasons", and it was sad to see Europeans (presumably) asking for blocking of social media sites since Nepal[4] had done the same, disregarding the second-order effects it would have.
Of course, we live in interesting times, with a major western world power embracing economic policies that prioritize government ownership of industries[5], which is typically closer to communism than anything we've seen in the past :)
[1] https://www.wired.com/2011/08/nokia-siemens-spy-systems
[2] https://www.bis.doc.gov/index.php/about-bis/102-about-bis/ne...
[3] https://www.spiegel.de/international/business/ard-reports-si...
[4] https://news.ycombinator.com/item?id=45137363
[5] https://www.intc.com/news-events/press-releases/detail/1748/...
Moreover a large part of our government is willing to implement something as egregious as ChatControl. So they are not above animing extremely invasive spying tech at their own citizens.
1+1=2. All prerequisites have been met for a European “firewall”. Hate the word btw, a firewall is supposed to be a defense tool. But these censoring tools are an attack on our agency. Every time I try to access something I am not allowed to access by my overlords I hear in my head "You are not allowed to see this information citizen."
I don't quite understand why the first impulse is that it covers up government incompetence. There are other incentives for mass social control of discourse and information.
China have visa-free visit policy for many countries, you could actually go there to see how "bad" it is
https://www.china-briefing.com/news/china-visa-free-travel-p...
