Sunday, May 18, 2014

How One Might Climb Over the Great Firewall

One minor irritation on my recent trip to China was discovering that Facebook and Google+, where I normally waste time arguing with people, were both blocked, as was blogspot and hence my own blog—the reason this post is only going up now, from Hong Kong. I gather that locals have ways of evading the restrictions but do not know the details. Which lets me try to figure out how I would do it.

The obvious solution is a proxy server. You connect to it from inside China, it connects you to any other site you like, blocked or not. The obvious problem is that whoever is doing the blocking notices and blocks the proxy server. To which one less obvious and so more interesting solution is …  .

Start with ten thousand proxy servers—or at least ten thousand URL’s, possibly all connected to the same hardware. You email each of your customers a URL to use. 

Unfortunately, some of your customers are spies, employees of whatever state organization does the blocking. They report the URL’s they get to their employer, who blocks them.

At which point you observe which URL's are blocked and note which of your customers got those URL's, hence which of your customers you suspect of being spies. Since customers who got the blocked URL’s now cannot access your server, you send them new URL’s—a different new URL for each of them. You observe which of those get blocked. You now have a pretty good guess which of your customers are spies.

So you have one set of URL’s for the spies, another for everyone else. Whenever a URL gets blocked, you send the customers who had that one a new URL—and add those customers to your list of possible spies. You continue with a policy of sending real customers URL’s that don’t go to confirmed spies and updating your list of confirmed spies on the basis of which URL’s get blocked.

So far as I can tell it should work. I have no idea whether or not I have just reinvented something close to what already exists.

19 comments:

Anonymous said...

Tor does something similar: https://www.torproject.org/

Martin Wolf said...

You'll need ten thousand IP addresses, not just ten thousand URL's. And they can't all belong to the same address block, otherwise pretty soon they'll figure out what you're doing and block the whole range. (Or monitor who is accessing other addresses in the same range, and do nasty things to those people.)

Ten thousand unique, nonsequential IP addresses are not going to be too easy or cheap to obtain..

Christopher Chang said...

There is a continuous cat-and-mouse game; the good VPN providers need to change server addresses fairly often, etc. My with-VPN connection quality was poor enough to be a primary factor in my decision to relocate to Hong Kong.

Anonymous said...

Yes, natives and long-term expat workers know a way around that is Usually ignored by officials, but which tends to disappear whenever there's a government shake-up.

There are a number of laws in China—traffic laws spring to mind—that seem to be "Very Polite Suggestions."

--Charles

Jack said...

Thankfully, something like this already exists: https://www.torproject.org/

AndyHat said...

Note that corporate VPNs are usually ok (possibly requiring a few hoops to get official approval) so Western expats and business travelers typically have a way around the Great Firewall already.

And as far as I've been able to tell, most Chinese don't really care that much. They have weibo and wechat and qq, which are better than facebook or twitter anyways.

Perry E. Metzger said...

"I have no idea whether or not I have just reinvented something close to what already exists" -- you are indeed reinventing schemes that already exist. Many people have mentioned Tor, but there are a variety of schemes people have built for proxies and VPNs to help people in restrictive countries, and indeed, there are whole academic conferences devoted to countering the countermeasures the Chinese authorities have taken.

Miko said...

To clarify what others have mentioned, the way TOR does this is: https://www.torproject.org/docs/bridges.html.en

For most users, TOR is is focused on providing anonymity, not on providing access.

For those who have trouble accessing the network, they maintain a list of "bridge" nodes which is not provided in full and offer various means to get a few options from the list. You can theoretically request more and more bridges from their server by solving a CAPTCHA each time, but getting the entire list that way is time consuming (cf. the coupon collector's problem) and not necessarily worth it for the repressive regime (which is more interested in blocking access to the quiet masses than in blocking access to those who are already against their system). A bigger threat is the regime using traffic analysis to guess which traffic is going through the proxy based on its content and trying to block that instead of trying to block addresses.

Unknown said...

I have heard this general technique variously described as a "Barium Meal". Presumably in reference to providing a luminous substance (reactionary information) to pre-determined areas.

Once it lights up - and where it lights up - directs you to the identity of the spies.

Shaddox said...

This technique is called honeypotting. It's quite common in computer security, especially for detecting websites that drive spam email (this special case is called a spamtrap).

There is also a valuable application for Bitcoin. It's important to ensure that the computer you store your Bitcoin wallet on does not contain malware. Software like BitcoinVigil will place a small amount of bitcoins on your system as bait, and will notify you if those bitcoins get transferred.

Anonymous said...

David, I found a video of your talk in China:

https://www.youtube.com/watch?v=ZDBJanyABIA

James D. Miller said...

The Great Firewall of China might just be a trivial inconvenience but this is enough to stop most people.

http://lesswrong.com/lw/f1/beware_trivial_inconveniences/

Tibor said...

James: That is very interesting. It reminds me of a plug-in one can install to a web browser (firefox at least, but I bet there are programs like these that work with most other browsers too). You give it a list of websites and for each a time interval, say 30 seconds. Then every time you open that website, the programs makes you wait (with an active window, so you cannot "cheat" by opening a different browser window or a tab) those 30 seconds before it shows the site's content. It works great to reduce your usage of "junk" websites like facebook while you can always still use them if you really want to.

Basically, it increases the related transaction costs of surfing those sites. Which, by the way, is a great way for your "responsible, focusing on long-term goals" self to control your "here and now I wanna be happy" self. Sort of a self-paternalism :D

But the great firewall does a similar thing, however the control is no longer in the hand of the user. And of course then there is that "limited casual observation of 'wrong' information" aspect to it...as is mentioned in the article.

Anonymous said...

u need to have different IPs for all of that. not so cheap.

David Friedman said...

Actually, that video is of my talk in Seoul, South Korea.

RandomWords said...

That's a great talk! I just have one minor quibble: The military unit you are talking about are the "Sacred Band", the "Immortals" were a Persian elite unit.

Douglas B. Levene said...

I work in Shenzhen, China and like all the expat professors at my school rely on a VPN to jump the Great Chinese Firewall. My students use them too, sometimes; at any event, they seem to have no problems getting access to the outside world. 205

Marco said...

You general intuitions are correct one gets around the firewall either by going through an intermediary server either in the form of a vpn or an ssh tunnel. There is no good solution though as the connections are somewhat unreliable. One may or may not be able to connect at any particular time of the day and once connected its hard to guess exactly how long the connection will last until it is broken. Also in the past couple of months I have noticed that vpn connections are being throttled fairly aggressively for random periods during the day, and at those times web pages can take minutes to load.

In my experience your speculation that locals have ways of getting around the restrictions is too optimistic. A small minority of people who work for foreign companies will have access to corporate vpns, which they will use for personal browsing. I have also heard that in some local companies/departments there is special, unfettered access to the outside --- but that is second hand info and unconfirmed. The average person, easily > 95% of the population, is well contained within the firewall.

I think the long term solution is just continued integration with the rest of the world. The government could block all ssh and vpn connections within the country now but doing that would create hardships for companies that are using those tools, legitimately, to manage computers and internal communications. So more computerization of the economy, more international business relations -- these sorts
activities will make it increasingly difficult to restrict communications without creating a anti-business environment.

Unknown said...

I still rely on the Index of Economic Freedom (http://www.heritage.org/index/ranking). It ranks China as Mostly Unfree. However, that Index does have some questionable rankings. China ranks below Nicaragua and Pakistan, but I would rather invest in China than those two countries.