One minor irritation on my recent trip to China was
discovering that Facebook and Google+, where I normally waste time arguing with
people, were both blocked, as was blogspot and hence my own blog—the reason this
post is only going up now, from Hong Kong. I gather that locals have ways of evading
the restrictions but do not know the details. Which lets me try to figure out how I would do it.
The obvious solution is a proxy server. You connect to it
from inside China, it connects you to any other site you like, blocked or not.
The obvious problem is that whoever is doing the blocking notices and blocks
the proxy server. To which one less obvious and so more interesting solution is
… .
Start with ten thousand proxy servers—or at least ten
thousand URL’s, possibly all connected to the same hardware. You
email each of your customers a URL to use.
Unfortunately, some of your customers are
spies, employees of whatever state organization does the blocking. They report
the URL’s they get to their employer, who blocks them.
At which point you observe which URL's are blocked and note
which of your customers got those URL's, hence which of your customers you suspect
of being spies. Since customers who got the blocked URL’s now
cannot access your server, you send them new URL’s—a different new URL for each
of them. You observe which of those get blocked. You now have a pretty good guess which of your
customers are spies.
So you have one set of URL’s for the spies, another for
everyone else. Whenever a URL gets blocked, you send the customers who had that
one a new URL—and add those customers to your list of possible spies. You
continue with a policy of sending real customers URL’s that don’t go to
confirmed spies and updating your list of confirmed spies on the basis of
which URL’s get blocked.
So far as I can tell it should work. I have no idea whether
or not I have just reinvented something close to what already exists.
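A small simulation of the scheme above, added here as an illustration and not the author's code. It assumes the first round of URLs is shared by small groups (the post leaves this open), that every spy reports every URL they receive, and that the censor blocks each reported URL before the next round; `ProxyOperator`, `simulate` and `proxy.example` are made-up names.

```python
import itertools
import random

class ProxyOperator:
    """Issues proxy URLs and infers informants from which URLs get blocked."""

    def __init__(self, customers, group_size):
        self._ids = itertools.count()
        self.url_holders = {}   # url -> set of customers who were sent it
        self.suspects = set()   # held a shared URL that was blocked
        self.confirmed = set()  # held a one-person URL that was blocked
        customers = list(customers)
        for i in range(0, len(customers), group_size):
            self._issue(customers[i:i + group_size])

    def _issue(self, holders):
        # Constructed placeholder hostname, one fresh path per issued URL.
        url = f"https://proxy.example/{next(self._ids):05d}"
        self.url_holders[url] = set(holders)

    def handle_block(self, url):
        holders = self.url_holders.pop(url)
        if len(holders) == 1:
            # Only one person ever saw this URL, so that person leaked it.
            self.confirmed |= holders
            self.suspects -= holders
            self._issue(holders)  # spies keep getting URLs nobody else shares
        else:
            self.suspects |= holders
            for customer in holders:  # "a different new URL for each of them"
                self._issue([customer])

def simulate(n_customers=1000, n_spies=7, group_size=10, rounds=3, seed=1):
    customers = [f"user{i:04d}" for i in range(n_customers)]
    spies = set(random.Random(seed).sample(customers, n_spies))
    op = ProxyOperator(customers, group_size)
    for _ in range(rounds):
        # Assumption: every spy reports, and the censor blocks, each round.
        blocked = [u for u, h in op.url_holders.items() if h & spies]
        for url in blocked:
            op.handle_block(url)
    return op, spies

if __name__ == "__main__":
    op, spies = simulate()
    print("confirmed spies:", sorted(op.confirmed))
    print("innocent but still suspected:", len(op.suspects))
```

After the first round only the groups containing a spy are under suspicion; after the second, each spy has burned a URL that nobody else held, and the innocent members of those groups are left on working URLs of their own.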
19 comments:
Tor does something similar: https://www.torproject.org/
You'll need ten thousand IP addresses, not just ten thousand URL's. And they can't all belong to the same address block, otherwise pretty soon they'll figure out what you're doing and block the whole range. (Or monitor who is accessing other addresses in the same range, and do nasty things to those people.)
Ten thousand unique, nonsequential IP addresses are not going to be too easy or cheap to obtain.
There is a continuous cat-and-mouse game; the good VPN providers need to change server addresses fairly often, etc. My with-VPN connection quality was poor enough to be a primary factor in my decision to relocate to Hong Kong.
Yes, natives and long-term expat workers know a way around that is usually ignored by officials, but which tends to disappear whenever there's a government shake-up.
There are a number of laws in China—traffic laws spring to mind—that seem to be "Very Polite Suggestions."
--Charles
Thankfully, something like this already exists: https://www.torproject.org/
Note that corporate VPNs are usually ok (possibly requiring a few hoops to get official approval) so Western expats and business travelers typically have a way around the Great Firewall already.
And as far as I've been able to tell, most Chinese don't really care that much. They have weibo and wechat and qq, which are better than facebook or twitter anyways.
"I have no idea whether or not I have just reinvented something close to what already exists" -- you are indeed reinventing schemes that already exist. Many people have mentioned Tor, but there are a variety of schemes people have built for proxies and VPNs to help people in restrictive countries, and indeed, there are whole academic conferences devoted to countering the countermeasures the Chinese authorities have taken.
To clarify what others have mentioned, the way TOR does this is: https://www.torproject.org/docs/bridges.html.en
For most users, TOR is focused on providing anonymity, not on providing access.
For those who have trouble accessing the network, they maintain a list of "bridge" nodes which is not provided in full and offer various means to get a few options from the list. You can theoretically request more and more bridges from their server by solving a CAPTCHA each time, but getting the entire list that way is time consuming (cf. the coupon collector's problem) and not necessarily worth it for the repressive regime (which is more interested in blocking access to the quiet masses than in blocking access to those who are already against their system). A bigger threat is the regime using traffic analysis to guess which traffic is going through the proxy based on its content and trying to block that instead of trying to block addresses.
I have heard this general technique variously described as a "Barium Meal". Presumably in reference to providing a luminous substance (reactionary information) to pre-determined areas.
Once it lights up - and where it lights up - directs you to the identity of the spies.
This technique is called honeypotting. It's quite common in computer security, especially for detecting websites that drive spam email (this special case is called a spamtrap).
There is also a valuable application for Bitcoin. It's important to ensure that the computer you store your Bitcoin wallet on does not contain malware. Software like BitcoinVigil will place a small amount of bitcoins on your system as bait, and will notify you if those bitcoins get transferred.
David, I found a video of your talk in China:
https://www.youtube.com/watch?v=ZDBJanyABIA
The Great Firewall of China might just be a trivial inconvenience but this is enough to stop most people.
http://lesswrong.com/lw/f1/beware_trivial_inconveniences/
James: That is very interesting. It reminds me of a plug-in one can install to a web browser (firefox at least, but I bet there are programs like these that work with most other browsers too). You give it a list of websites and for each a time interval, say 30 seconds. Then every time you open that website, the program makes you wait (with an active window, so you cannot "cheat" by opening a different browser window or a tab) those 30 seconds before it shows the site's content. It works great to reduce your usage of "junk" websites like facebook while you can always still use them if you really want to.
Basically, it increases the related transaction costs of surfing those sites. Which, by the way, is a great way for your "responsible, focusing on long-term goals" self to control your "here and now I wanna be happy" self. Sort of a self-paternalism :D
But the great firewall does a similar thing, however the control is no longer in the hand of the user. And of course then there is that "limited casual observation of 'wrong' information" aspect to it...as is mentioned in the article.
You need to have different IPs for all of that. Not so cheap.
Actually, that video is of my talk in Seoul, South Korea.
That's a great talk! I just have one minor quibble: The military unit you are talking about is the "Sacred Band"; the "Immortals" were a Persian elite unit.
I work in Shenzhen, China and like all the expat professors at my school rely on a VPN to jump the Great Chinese Firewall. My students use them too, sometimes; at any event, they seem to have no problems getting access to the outside world.
Your general intuitions are correct: one gets around the firewall by going through an intermediary server, either in the form of a vpn or an ssh tunnel. There is no good solution though, as the connections are somewhat unreliable. One may or may not be able to connect at any particular time of the day, and once connected it's hard to guess exactly how long the connection will last until it is broken. Also, in the past couple of months I have noticed that vpn connections are being throttled fairly aggressively for random periods during the day, and at those times web pages can take minutes to load.
In my experience your speculation that locals have ways of getting around the restrictions is too optimistic. A small minority of people who work for foreign companies will have access to corporate vpns, which they will use for personal browsing. I have also heard that in some local companies/departments there is special, unfettered access to the outside --- but that is second hand info and unconfirmed. The average person, easily > 95% of the population, is well contained within the firewall.
I think the long term solution is just continued integration with the rest of the world. The government could block all ssh and vpn connections within the country now but doing that would create hardships for companies that are using those tools, legitimately, to manage computers and internal communications. So more computerization of the economy, more international business relations -- these sorts of activities will make it increasingly difficult to restrict communications without creating an anti-business environment.
I still rely on the Index of Economic Freedom (http://www.heritage.org/index/ranking). It ranks China as Mostly Unfree. However, that Index does have some questionable rankings. China ranks below Nicaragua and Pakistan, but I would rather invest in China than those two countries.