Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×

Tearing Down China's Great Firewall 410

quadsoft writes to tell us The Toronto Star has a look at three University Toronto computer geeks who are working hard to circumvent the internet censorship problems like those found in China. From the article: "But the computer smarts of Ron Deibert, Nart Villeneuve, and Michael Hull, combined with their passion for politics and free expression, have led them to develop a highly anticipated software program that allows Internet users inside China and other countries, such as Iran, Saudi Arabia and Burma, to get around repressive censorship and not get caught."
This discussion has been archived. No new comments can be posted.

Tearing Down China's Great Firewall

Comments Filter:
  • nice (Score:2, Interesting)

    by gcnaddict ( 841664 )
    Ive got relatives in Iran who i wanted to talk to, but instead of the US censoring my emails (which they do, but its easy to get around), Iran censors more of the emails. They also block my site, but I don't know why.

    Anyway, nice find.
    • Re:nice (Score:4, Insightful)

      by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Sunday May 07, 2006 @08:45PM (#15283057) Journal
      Do you have proof the USA censors your emails? If so, please show us the proof.
    • by reporter ( 666905 ) on Sunday May 07, 2006 @09:01PM (#15283099) Homepage
      About 2 months ago, the management of Microsoft and Google testified, under oath in front of a Congressional committee, that they fully supported freedom of speech/press and that they greatly regret being "forced" by Beijing to censor their Internet content. If both companies indeed regret such censorship, then I fully expect them to fund this Canadian effort to bust the Chinese firewall [thestar.com].

      Moreover, I fully expect that the majority of the funding for this Canadian effort will come from Microsoft and Google. I expect that both companies will be (if they are not already) the prime backers of this effort if their management do honestly regret the previous censorship.

      I expect nothing of Yahoo. Reporters without Borders declares, "Now we know Yahoo works regularly and efficiently with the Chinese police [rsf.org]". If Buddhism has any validity, the managers (including the Yahoo chief, Jerry Yang) at Yahoo will be receiving their just karma in the next life.

    • Re:nice (Score:2, Funny)

      by leereyno ( 32197 )
      You don't know why?

      Well maybe it's because Iran is under the control of Islamofascist assclowns who, while they're not busy enriching uranium for nukes aimed at the west, are waiting with baited breath for the "hidden Imam (pronounced assclown)" to initiate armageddon.

      If you have relatives there, encourage them to flee the country because I don't know how much longer it's going to be there. If the US doesn't roll over the place in M1's, the Israeli's are going to nuke it into the stone age. Thousands of y
      • Re:nice (Score:3, Insightful)

        by Psykosys ( 667390 )
        So all it takes to be modded "Funny" is to use the word "assclown" and talk about a country with a population of 70 million getting nuked? And to use the word "Islamofascist" unironically? Sweet.
        • Re:nice (Score:2, Interesting)

          by hazem ( 472289 )
          It's pretty sad. We've gone from a president who said after an attack, "We have nothing to fear but fear itself" to one who wants to nuke another country in a first-strike out of fear that they might attack us. We've become a country of fearful whining crybabies, and it's pretty pathetic.

          And what's even more ironic is that while the parent poster is worried about the "hidden imam" coming back to initiate armageddon, we already have a wonder-boy in the white house trying to do the same thing.
      • Iran (Score:5, Insightful)

        by Darkman, Walkin Dude ( 707389 ) on Sunday May 07, 2006 @11:42PM (#15283490) Homepage

        If the US doesn't roll over the place in M1's, the Israeli's are going to nuke it into the stone age.

        Just a few quick points to clarify some aspects of the Iranian situation for our American cousins. An invasion there would not be another Iraq. Iraq was a burned out shell of its former self, militarily, after years of sanctions and inspections. Iran is a whole other kettle of fish, and certainly no one is going to roll over with any time soon. Some facts, from all over:

        Iran's army includes 350,000 regular soldiers (non-conscript) and 220,000 conscripts, and a 7 million-strong "Basiji" volunteer militia. Iran is sharpening its abilities to wage a guerrilla war. Over the last year, they've developed their tactics of 'asymmetrical' war, which would aim not at resisting a penetration of foreign forces, but to then use them on the ground to all kinds of harmful effect.

        Iran designs and produces its brands of fighter and tank, among other things, some of which it exports to other countries. Initial developments in every field of military technology were carried out with the technical support of Russia, China, and North Korea to lay the foundations for future industries. Iranian reliance on these countries has rapidly decreased over the last decade in most sectors where Iran sought to gain total independence; however, in some sectors such as the Aerospace sector Iran is still greatly reliant on external help.

        Iran has, at present, developed an uncanny ability to reverse engineer existing foreign hardware, improve it to its own requirements and then manufacture the finished product. They have currently a full spread of main battlefield systems, about 2,000 tanks, 300 combat aircraft, three submarines, hundreds of helicopters and at least a dozen Russian-made Scud missile launchers. Iran also has an undetermined number of Shahab missiles that have a range of more than 1,500 miles. Within minutes of any attack, Iran's air and sea forces could threaten oil shipments in the Persian Gulf as well as the Gulf of Oman. Iran controls the northern coast of the Strait of Hormuz, the narrow waterway through which oil tankers must navigate, and could sink ships, mine sea routes or bomb oil platforms.

        Although the Bush administration charges that Tehran already has been interfering in Iraq, many Iranians brush off the low-level infiltration as minor compared to the damage it could cause by allowing Iraqi militiamen to take heavy weapons into Iran, by backing the most extreme Islamist groups instead of the moderates it now supports, or by dispatching operatives across the long, porous border between the two countries.

        But don't worry, a war would be over by christmas, right? Thats why the American government was openly discussing a nuclear option recently, much to the horror of the rest of the world...

        On a related note, I have a lot of friends inside Iran, both male and female, and I have been continually surprised at how open minded, educated and free-thinking they are, especially the women. I expected a downtrodden mentality at the very least, but these women engage me in intelligent debate, pulling no punches. Their culture is unique, with musical instruments I have never heard of anywhere else, and some wonderful music produced by these instruments. Its important also to remember, these are not arabs, these are Persians, they tend to get upset if you call them arabs. The food is remarkable, and the language is thousands of years old. Putting aside fox propaganda, and actually talking to Iranians, getting to know them, is an eye opening experience. Yes, they have many problems with the religious rulership of the country, but those problems are being resolved over time. As for their nuclear program, they simply see it as a response to American aggression. And they are right.

    • Can you give any evidence or substantiation to the claim that the U.S. Government is censoring your emails to or from Iran?

      I have never heard of the USG actively censoring private email that wasn't to or from a serviceperson or that wasn't directly national security related (e.g., all the email to and from submariners and probably other Navy personnel afloat passes through censors who remove sensitive or geographically revealing information). Even then, they're pretty obvious about it.

      If this is actually happening, yours is the first case I've heard of, and while I don't claim to be all-knowning (or even close to it) I consider myself pretty well-read in terms of current events ... so I think it's fair to say most people would also be surprised.
  • Not get caught? (Score:4, Insightful)

    by Black Parrot ( 19622 ) on Sunday May 07, 2006 @07:45PM (#15282893)
    We've never had an unbreakable DRM. Will we really have an undernet that can't be spied on?
    • Cryptography is useful for keeping everyone but the parties with keys from seeing a message. A good crypto system ensures that if you have the key, you get the complete and accurate message, if you don't, you get garbage that tells you nothing at all about the message.

      Well that means it's excellent for keeping things from being snooped on. SSH is a good example of this. When you connect to an SSH server the computers exchange a private key (encrypted using public key crypto) and then encrypt everything with
      • by kestasjk ( 933987 ) on Sunday May 07, 2006 @08:41PM (#15283046) Homepage
        The reason cryptography may not be the best thing in this situation is that the Chinese Govt. won't care so much what you're doing privately, just that you're doing something privately will be enough to set off alarm bells. Maybe if you're doing something privately with bank.cn that'll be no problem, but large amounts of private data travelling beetween you and some American IP using strange port numbers?
      • True but... (Score:4, Interesting)

        by Ironsides ( 739422 ) on Sunday May 07, 2006 @08:42PM (#15283050) Homepage Journal
        All you say is true, but there is one thing that makes it easier for censoring over just hiding. It should be possible to detect encrypted communication. What I mean by that is an analysis of the traffic itself and the information being transfered over it should allow one to determine if someone is communicating with encryption or mearly through plain text. It shouldn't take much to just block all encrypted traffic, or forward the users IPs to some who will come knocking wondering what you are talking about. One would have to hide it, such as with steganography, in addition to encrypting it. Sure, some of this might put a damper on retail sales over the internet, but I don't think some countries care about that as much.
        • Re:True but... (Score:5, Insightful)

          by moultano ( 714440 ) on Sunday May 07, 2006 @09:15PM (#15283129)
          Encrypted traffic looks entirely like random bits, which as you say, is quite a bit different from cleartext traffic. However, anything that is highly compressed also statistically looks like random bits. I'd imagine that there are enough movies, music, and zip files passed around that passively listening to a small percentage of your traffic shouldn't be enough to incriminate you.
          • No, encrypted communications do *NOT* look like just random bits. There are a few popular forms of encrypted communications on the Internet, such as SSH and HTTPS. Those have very specific formats indeed, and are easily identifiable to even a remotely intelligent traffic monitor. Encrypted email is even more identifiable: it's still email, it's still port 25 from one Mail Transfer Agent to another. Making the encrypted traffic look like something harmless is a while different layer of complexity, and gets i
      • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Sunday May 07, 2006 @09:55PM (#15283230) Homepage
        That's not how public/private key cryptography works. If it did, any script kiddie could grab the private key in transmission.

        The reason the private key is called so is becasuse it is never transmitted. It stays on the machine that came up with it.

        Here's how it works, and we can assume both machines do the same thing for each other. One comp comes up with a private key and public key pair, where things encrypted with the public key can only be decrypted with the private key (and not with the public). Then, the machine can send the public key plaintext (or with some other form of encryption, which we can assume can be cracked much easier than the key pair cryptosystem we're using for the bulk of the data). The receiving machine uses the public key to encrypt it's data and sends the encrypted data.

        Now if we assume any transmitted data can be evesdropped upon, the hacker has our public encryption key and the encrypted data... but he doesn't have the private encryption key! The data is useless to him! (Unless the key pair is weak, the data is weak, or the hacker has the hardware to brute force keys, but we'll assume the users are smart enough to avoid the first two and the cryptosystem uses a long enough key to make the last one futile.) The first computer gets the encrypted data and decrypts it with the private key.

        A similar process, reversed, is used in certificates. They are encrypted with a private key, and the public key is made available. Assuming sufficient mechanisms are in place to assure that the public key does in fact belong to the original computer, any message decryptable with the public key shows that the message must have originated from the only legitimate computer with the private key.
        • True, but it *is* how ssh works. Computationally expensive private/public key crypto is used to exchange a *shared* key. Computationally cheap shared-key crypto is used to encrypt all subsequent traffic.
        • by Paul Crowley ( 837 ) on Monday May 08, 2006 @01:41AM (#15283677) Homepage Journal
          I think you're blowing up a terminological inexactitude into more than it is. They used "private key" where they meant "shared symmetric secret key".

          Also you shouldn't refer to signing and verification as "encryption" and "decryption" because they're semantically very different things. Both RSA encryption and RSA verification use the RSA public-key operation, but to be secure they must also use padding and the padding system for an encryption scheme will be different than that for a signature scheme. It's also bad to use the same key as an encryption and as a signing key.

          As a last nitpick, AFAIK there are no PK systems for which brute force is the most effective attack. If such a scheme existed it could use really short keys, like the 128-bit keys used in symmetric cryptosystems. Every PK system I know of uses keys at least twice that length.
        • Private key crypto is so called not because the key is only in the hands of one person, but because the key is only in the hands of trusted parties. Anyone with the key can decrypt the messages (or encrypt them). However it's very much used for 2-party crypto. It's how all your bank details get from the ATM to the bank and back. IBM crypto cards with the keys stored in them.

          As a practical matter, all public key crypto I've ever encountered uses private key crypto too because it's much less computationally i
    • Re:Not get caught? (Score:5, Insightful)

      by Geoffreyerffoeg ( 729040 ) on Sunday May 07, 2006 @08:52PM (#15283075)
      We've never had an unbreakable DRM.

      It is mathematically impossible to have an unbreakable DRM, whereas unbreakable (or at least impractical) encryption is possible. The difference is that DRM requires the computer of the potential snooper to have both the data and the decryption key. Encryption keeps the private key only in trusted hands.

      CSS was first cracked when a program forgot to encrypt and hide its decryption key. From there they could mathematically solve CSS so that you didn't even need a key (and that's where you get the 4-line Perl DeCSS).
    • Comment removed based on user account deletion
  • Admin's priveledge? (Score:3, Interesting)

    by Wholeflaffer ( 64423 ) on Sunday May 07, 2006 @07:46PM (#15282894) Journal
    I understand the human rights aspect of this situation, but isn't it an administrator's ability to control his/her network and user access that is important to preserve? If outsiders can circumvent the Chinese government's firewall setup and other security measures, aren't all the systems on all the networks in the world potentially vulnerable?
    • by Kadin2048 ( 468275 ) <slashdot...kadin@@@xoxy...net> on Sunday May 07, 2006 @08:07PM (#15282951) Homepage Journal
      Yes.

      If you allow a user to make a connection -- particularly an encrypted connection -- to an untrusted computer outside the network (or at least out of your controlled zone), they can basically get to whatever content they want, that's available to them from that outside connection.

      As the administrator, all you can do is play an endless game of cat and mouse, trying to close these connections down; in the end you'll always be one step behind though, unless you have a very selective whitelist of allowed connections, and block everything else.
      • by Original Replica ( 908688 ) on Sunday May 07, 2006 @08:40PM (#15283041) Journal
        "unless you have a very selective whitelist of allowed connections, and block everything else."
        So how do we keep China from increasing it's isolation to a whitelist only firewall when this or similar software comes out? Economically, having a China Whitelisted website outside the PRC might become enough of a business asset that companies would conform to them instead of China conforming to the west. That's already happened.
      • whats worse is you simply can't know whats flowing over those sftp links. Is it porn or is it work he did last night and forgot to put on his flash stick?

        The lowest levels of employees can often be cut off from the outside world entirely but once you get beyond that to people who actually have to solve problems and create things or are expected to work from home and therefore need outside communication for work (e.g. to obtain datasheets, request samples, look for other people who have hit similar problems
        • Yup. That's why you need to hire people you can trust.

          My personal feeling, given the work that I do, is that if I can't trust someone to not look at porn from his desk, I certainly can't trust them to make a presentation to a client or handle sensitive information which they could probably sell to a competitor for a not insignificant amount of cash (and, later, lots and lots of court-imposed fines for damages--but I don't expect someone who lacks the foresight to realize that pornography is going to get them fired to realize that leaking trade secrets will land them in court).

          I would much rather figure out that I hired/was-assigned the wrong person because I walked up behind him one day and found him looking at porn, than after he did something really publicly embarrassing. Someone who doesn't implicitly get that it's not okay to look at porn while on company time, is not somebody I want to work with; full stop. It shows a lack of separation of one's personal life and business life, or at the minimum a great lack of understanding of the business world, which it is not an employer's job to rectify.

          There seem to be a lot of companies that spend an awful lot of resources, from what I've read here on Slashdot, trying to control what their employees do online. It seems to me that those same resources would be better spent figuring out why they're hiring such dolts, and attracting and retaining quality people who don't need baby-sitting. Perhaps that's more expensive, but it makes for a much more pleasant workplace.
          • Would you come to the same realisation if you found someone reading slashdot at work?
            And more importantly did you post this while at work?

            Web browsing at work can at times be a grey area. There are resources I find useful directly related to my work, and some other resources that I may seem to waste time on, but help to improve my skill set / domain knowledge.

            • No, I didn't post that at work. ;)

              Where I work, a certain amount of personal browsing is accepted, and a fair number of people even use AIM to talk to their families at home from the office as well, and that's never been a problem that I've heard of. (As far as I know, there aren't any other Slashdotters in my midst; fantasy sports leagues seem to be more my coworkers' fare.) If you do good work, it's been my experience that people don't really care what you do to produce it, or really even how much time yo
      • Hmmmm... After closing down a few tunnels, the firewall administrator alerts the security police who go and pay a little visit to the suspect. The police don't bother to encrypt their bullets...
  • Tearing Down? (Score:5, Insightful)

    by lakeland ( 218447 ) <lakeland@acm.org> on Sunday May 07, 2006 @07:46PM (#15282895) Homepage
    Tearing down a firewall is getting rid of it, and letting people access the internet freely. Circumventing a firewall is sneaking past it and hoping you don't get noticed.

    To use a Berlin Wall analogy, what TFA is proposing is sneaking across to the West during the 80s and hoping to not be shot in the process. That contrasts quite strongly to tearing down the wall, which would be granting unrestricted access without fear of recrimination, as happened in Berlin in '89.
    • Re: Tearing Down? (Score:4, Insightful)

      by RelaxedTension ( 914174 ) on Sunday May 07, 2006 @08:29PM (#15283022)
      One of the goals here, though, is to eventually make the wall ineffective. That equates with punching so many holes through or digging so many holes under the wall that it eventually makes no sense to maintain the wall.

      It's all about the people being able to call bullshit on their government when necessary, and to find out what the facts are, not the lies the government wants you to believe are facts.
      • Re: Tearing Down? (Score:5, Insightful)

        by servognome ( 738846 ) on Sunday May 07, 2006 @09:47PM (#15283202)
        One of the goals here, though, is to eventually make the wall ineffective. That equates with punching so many holes through or digging so many holes under the wall that it eventually makes no sense to maintain the wall.
         
        It doesn't matter how many holes you punch, repressive governments use fear to keep the majority in line. Governments can never directly control 100% of the population. By making an example out of a minority of people, the majority will fall into line like sheep. Then the key is isolating those who do not fall in line through public stigma (control of education, patriotism, etc). Look at how many people far for accepting repressive laws in the name of fighting terrorism and ensuring global freedom.

        It's all about the people being able to call bullshit on their government when necessary, and to find out what the facts are, not the lies the government wants you to believe are facts.
         
        It's hard enough to do that in "open" western democracies.
        • by davidsyes ( 765062 ) on Monday May 08, 2006 @09:43AM (#15285136) Homepage Journal
          At what point could China consider this an act of war?

          Suppose China uses its wide snooping infrastructure to log who's circumventing, who's funding them, and (aside from the citizens of China who want knowledge for information and not for overthrow purposes) who's benefitting from this (namely, the US government), then suddenly and capriciously says: "You, you, and you... you're the assholes behind this; effective IMMEDIATELY, your permit to conduct business here is revoked. You have one WEEK to pack up and get OUT. Not just you, but the FIRST FIVE levels of any subsidiaries and first THREE extensions of business partners. If you can't get your hardware out, then auction it off. Oh, and leave the buildings intact. You can't leave until we've inspected them for bombs, sabotage, or similar Saddam-shoots-the-horse-rather-than-returning-it-a live tactic..."

          Personally, I am disappointed that coarse, harsh, and such penetrative domestic means are used against the population. But, you've GOT to see it China's way: They've been FUCKED WITH by the west (US and Europeans) as far back as 580 years: Opium, colonialization, subjugation, exploitation and more. I dare say that had not Commodore Peary showed up with some politicians' writ: "You will do business with us OR ELSE", Japan might not have had yet another reason to sprawl all over and do what it did to much of Asia. (However, how many people know that Korea actually invaded Japan, not once, but at least TWICE, in 1281 and 1284? Memories of a nation can span hundreds of years, and paranoid countries can be wary and vengeful, even if it takes 641 years to effect vengeance...).

          But, I also feel that forcibly punching through and digging under a countries virtual customs borders to be tantamount to waging a stateless if not de facto war against various organs of a government.

          Now, don't get me wrong: I do realize that China has a effective (how effective I don't know...) apparatus which is aiming computer resources at various governments around the world. It in itself is not a nice act, but unless and until anyone PROVES that China is actively knocking off US power grids or using proxies to do so, then PLEASE don't pull punches and equate military-military/government-to-government probes and studies to commercial/private venture proxy wars in the name of "democracy". (OTOH, how many have heard that the US CIA pressure on Vietnam to root out Communists was so intense that the VN actually rounded up and murdered some 1,800 innocent (and maybe a few dozen bona fide anti-US types) people PER MONTH for a few years? Talk about BAD KARMA. Obviouisly, that pressure is immensely worse than funding a business-to-government action like rending firewalls, but it's an historical wound many prefer to leave salved over...)

          Whatever you think of China, Communism, oppression, and other things, look at your own back yards, too. Virtually EVERY country has bones in the closet and enough bad karma to warrant an occasional kick in the gut, smack in the face, or public humiliation, and the US is CERTAINLY not immune, not matter HOW MUCH "contribution" it makes internationally. NO country makes contributions without first scheming and then codifying a "hook-in-your-ass-to-control-you" tactic. IOW, NOTHING IS DONE FOR FREE.

          I DON'T like censorship (unless it is to prevent a DIRE, GENUINE release of REAL/EXISTING national secrets, not some trumped up bullshit charges or to prevent embarassment...) or oppression (unless it's being carried out by publicly-routed corrupt politicians or power mongers), but I don't condone rambunctious or strategized abuse of the values of a country. The Chinese deal with their cultural, their local issues their OWN way. It may take another 25 years, but at SOME point, China's government of today will be somewhat if not a great degree different from what it is today. The US and its friends just need to quit being control freaks and have to accept that it IS NOT RIGHT for a junior land of some 325M to dictate or monk
      • Thank you. And kudos to these guys for helping information to flow freely, even through a serious firewall. Good luck!
    • For sale: geniune piece of the great firewall of China.

      Includes GENUINE certificate of authenticity.



      You heard it here first.

  • Geek Show? (Score:3, Interesting)

    by foundme ( 897346 ) on Sunday May 07, 2006 @07:50PM (#15282912) Homepage
    The article seems to talk more about the developers, geeks and whatnot than how the actual program works. From what I have gathered, it uses third-party computer to do the work yours can't.

    However if China's Great Firewall is so great, how do third-parties come to your rescue if the work they helped you to do still cannot get through?

    For example, this search-by-email [imoou.com] site seems to bypass google.cn censorship, but what if .cn govt blocks all transmissions between this site/domain?
    • by Sycraft-fu ( 314770 ) on Sunday May 07, 2006 @08:17PM (#15282981)
      The thing is China has taken a reactive approach with it, not a proactive one. That means that they allow access to the net, unless it's something they've decided isn't ok, rather than blocking everything and only permitting what they explicitly approve of. It's easy to see why they did it that way, but it's a weakness. It means that stuff like this will work, espically since the foriegn hosts can shift around.

      I'm actually supprised how lax their firewall is in general. For example they allow encrypted traffic out of the country. When my mom went over to China to teach English, she warned everyone not to say anything untoward about the government there. While they'd probably not hassle a foriegner who was there on their invataion for that, you never know. I figured she'd be getting a Chinese e-mail box and thus the worry. Nope, she just used her US one via webmail, which was 256-bit AES encrypted. There is no way they were spying on that, and yet they did nothing to filter it from anywhere.

      The reason is, of course, it had never made theri "bad site" list. Why would it? It's a webmail page for a US ISP. I'm sure almost noone visits it. However, she could have been funneling all manner of things through that, had she wanted to, and they never would have been the wiser.

      So unless China shuts down crypto out of the country, which they won't do because it would cripple business, they'll be hard pressed to stop those determined to circumvent their firewall.
  • by Agelmar ( 205181 ) * on Sunday May 07, 2006 @07:51PM (#15282915)
    From TFA:
    The program effectively turns anyone's personal computer into a proxy server. Once the software is installed on a computer in, say, Canada, that person creates a contact list of trusted friends or family members in censored countries and sends his or her IP address to them. No advertising needed.
    How is sending your IP address to a contact list not advertising? I am advertising to a (supposedly trusted) list of people, and I have to be sure that I am not also advertising to the Chinese authorities that I am operating a server, else when they see my cousin connect to it they know to go arrest him. I.e. it's now my responsibility to make sure that everyone on my list is clean. Plus, this means that I now have to leave my computer on essentially 24/7. (I am usually not awake the same hours Chinese people are.) Great. There goes my power bill. Also from TFA:
    But Psiphon doesn't stop there. Unlike most Internet traffic, Psiphon data is encrypted and shoots around the world on a network reserved for secure financial transactions, so a censor cannot see what the person is accessing. And a censor wouldn't be able to tell a Psiphon request from a MasterCard purchase.
    Exactly what separate network is this that is somehow being joined to the Internet, and why would the providers of this network agree to a huge increase of traffic on said network? For that matter, why would my ISP not start packet shaping the hell out of anything going out to this supposedly separate network? My ISP certainly has good reason to packet shape this traffic, especially since they're already screwing with my VoIP traffic...
    • Exactly what separate network is this that is somehow being joined to the Internet...

      I'm pretty sure by the context that they mean ssl.
    • How is sending your IP address to a contact list not advertising?

      It's to a selected group; not available to anyone (eg police) who's interested. Which is still advertising, but the writer was trying to simplify.

      exactly what separate network is this

      HTTPS.

      See Psiphon: Analysis and Estimation [third-bit.com].

      • It's to a selected group; not available to anyone (eg police) who's interested.

        If the police suspect anybody in your circle of friends, couldn't they do any of the following to break into the circle of trust and monitor your activities:
        (1) Sneak into your associates' houses and install hidden monitoring software directly into their HTTPS stacks on their computers.
        (2) Coerce your associates into providing them with access to their activities
        (3) Use social engineering to convince you to let them into your cir
        • If the police suspect anybody in your circle of friends, couldn't they do any of the following

          Yes, of course. The idea is to allow people to access blocked websites relatively easily despite blocks; not to allow people who are already under suspicion to operate with impunity. Any targetted surveillance, eg just seizing their PC, installing keyloggers, etc, is going to get them. Just having this software installed is going to get you in trouble if you weren't already. Also it doesn't protect your email, u

    • by TubeSteak ( 669689 ) on Sunday May 07, 2006 @08:07PM (#15282952) Journal
      Like you, I thought they were either talking out their ass, or the reporter misunderstood. A quick Google search remedied that confusion.
      An elegant wrinkle is that the data will enter users' machines through computer port 443. Relied on for the secure transfer of data, this port is the one through which reams of financial data stream constantly around the world.

      "Unless a country wanted to cut off all connections for any financial transactions they wouldn't be able to cut off these transmissions," said Professor Ronald Deibert, the director of Citizen Lab.
      So it runs over SSL. The author kinda mentions that earlier on.
      They talk about "routers" and "nodes" and "secure socket layers" like they were saying, "Hello," or "How are you?"
      Maybe TFA's author is too much of an idiot to understand WTF they were talking about, so they dumbed it down for him.
      • by louarnkoz ( 805588 ) on Sunday May 07, 2006 @09:09PM (#15283119)
        Thanks for pointing out that Psiphon proposes to use SSL. It looks very natural, encrypt the traffic so the firewall will not see it. But it is actually a very bad idea.

        First, the very fact of using encryption makes you stand out in the crowd. Do that a bit too often, and someone could very well come knock on your door.

        Second, SSL can be defeated. I am pretty sure that all PC in China have a Chinese Government Certification Authority listed in their SSL root file. That is enough for mounting a man-in-the-middle attack against SSL. Now you have dissidents who believe they are safe because of SSL, but in fact the firewall is reading their exchanges. Knock, knock?

        The article actually points to a much better solution: just use port 80, but rewrite the page to avoid the keywords that the firewall is looking for. For example, "New York Times" could be rewritten to "New Grok Dime", or whatever. That way, the traffic remains stealthy.

        • You're exactly correct about SSL.

          If the Chinese govt. wants to shut this down, they simply require financial institutions to "register" their subdomains at both ends (a whitelist, in effect), or, even more simply, require financial traffic to be port-shifted.

          But you overestimate the effectiveness of trying to circumvent keyword restrictions. Keywords are the least effective of the three primary methods the Great Firewall uses.

          Method 1: keywords.
          Method 2: whole-site blacklists (wikipedia, bbc, etc. etc.)
          Met
        • by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Monday May 08, 2006 @12:21AM (#15283556) Homepage Journal
          > I am pretty sure that all PC in China have a Chinese Government Certification Authority listed in their SSL root file. That is enough for mounting a man-in-the-middle attack against SSL. Now you have dissidents who believe they are safe because of SSL, but in fact the firewall is reading their exchanges. Knock, knock?

          No, no, no. This would let the Chinese government impersonate a server that has an SSL certificate that's signed by the Chinese government's CA. For example, the Chinese government could set up a phishing site for the bank of China without anyone noticing :)

          I doubt the subserves have their secret SSL proxies registered with the government, so this point is irrelevant to them. They are probably using a trust model like SSH (refuse to connect if the host key has changed), or PGP (web-of-trust).

          > Second, SSL can be defeated.

          Sure, after nearly all the open problems in mathematics are solved. If you know of someone who's done this, there's several million dollars (and immortality) waiting for them.

          If you want to "defeat SSL", it's probably easier to just use a rubber hose to beat to death anyone who uses it.
          • by timotten ( 5411 ) on Monday May 08, 2006 @01:23AM (#15283643) Homepage
            No, no, no. This would let the Chinese government impersonate a server that has an SSL certificate that's signed by the Chinese government's CA.

            I suspect that you and the parent are making different assumptions about how the client end is implemented.

            In a simple implementation, you might login onto your computer in China and open the Goodole Autoproxy Program. GAP updates, say, your Firefox preferences and configures Firefox to route all requests through the HTTPS-based proxy, goolole.canada.org. When you try to open a web page, Firefox tries to connect to the proxy with HTTP/SSL. The Great Firewall intercepts the request and relays it to cryptodemon.china.bad. cryptodemon automatically generates a phony certificate and signs it using the Chinese government CA. The phony certificate is returned to Firefox, which tries to validate it. Firefox finds that the Chinese government CA is in its database of trusted CA's, so the certificate is accepted.

            However, the article doesn't provide any details about Psiphon's implementation, and it's not rational to say that their system is or isn't well-designed.
    • "Unlike most Internet traffic, Psiphon data is encrypted and shoots around the world on a network reserved for secure financial transactions, so a censor cannot see what the person is accessing."

      Exactly what separate network is this that is somehow being joined to the Internet?


      Reporter: "So why can't the government spy on this?"
      Geek: "We're using 128 bit SSL encryption, which is completely unbreakable."
      Reporter: "What's that?"
      Geek: "It's the same stuff that bank networks use to secure their data, and the ki
  • shhh... (Score:3, Funny)

    by WiFireWire ( 772717 ) on Sunday May 07, 2006 @07:52PM (#15282918) Journal
    now that this has been slashdotted its only a matter of time before Chinese officials find a way to circumvent the circumvention (is that even a word?...)

    good going tho, im all abouts free speechez n stuff...
  • by dbarclay10 ( 70443 ) on Sunday May 07, 2006 @07:58PM (#15282936)
    One link: http://tor.eff.org/

    I found http://www.third-bit.com/2004-fall/psiphon_ae.html and it doesn't describe something that's even as good as a plain old Squid proxy. Tor appears to be far, far, far safer.

    (I live in Toronto. I want to go find these guys and slap them.)
    • Yes it does beg the question.
      I use ssh port forwarded to squid at home.
      It must have to do with switching hosts at regular intervals to confuse the opposition.
      I wonder if their stuff is open sourced? That way we could all chip in.

      Cheers,
      -D
  • by BertieBaggio ( 944287 ) * <bob&manics,eu> on Sunday May 07, 2006 @08:06PM (#15282950) Homepage

    Let me start by saying I applaud these guys' motivation. Circumventing censorship is certainly a worthy goal in the name of individual freedom. However, this is just another step toward that goal, though TFA gives these hackers status approaching messianic. The paragraph I found most interesting:

    Psiphon takes the concept of a third-party computer doing the work yours can't because of censorship, and protects it by relying on trusted friends and close family, to create a program the creators say is nearly fail-safe.

    (emphasis mine)

    First of all, to claim a new tool for defeating censorship is "nearly fail-safe" does not give the Chinese and other goverments enough credit. China hass a government heavily invested (financially and emotionally in terms of propaganda) in controlling information sources available to its people. I'm sure they will try very hard to make sure this tool is rendered ineffective. Here's hoping they don't achive this; but you can be sure they will try hard.

    Secondly, the technical side is somewhat dubious. It relies on "close friends and family" in friendly countries such as Canada -- but what if all your friends and family are living in China? And even if you make a secure, encrypted connection, how long before the censor get suspicious? Say encryption is declared illegal, and all external access has to go through certain proxies. Where does that leave Psiphon ?

    These are just my two cents on the issue. I'd like it to work, but it may just cause the net to tighten (no pun intended).

  • But the computer smarts of Ron Deibert, Nart Villeneuve, and Michael Hull, combined with their passion for politics and free expression, have led them to develop a highly anticipated software program that allows Internet users inside China and other countries, such as Iran, Saudi Arabia and Burma, to get around repressive censorship and not get caught

    Those comp sci students better know what they are doing. If someone gets caught using their software to circumvent government censorship, people could die. P

    • >IF there are stupid laws in china, then it is up to the chinese to have a revolt or
      >change of government.

      Right, so who is forcing the chinese to use this software?
      • by Baseball_Fan ( 959550 ) on Sunday May 07, 2006 @09:20PM (#15283140)
        Right, so who is forcing the chinese to use this software?

        Imagine this. You have some 19 or 20 year old college student in China who wants democoracy. He is not a computer whiz, but he finds software written by 3 programmers from the USA. These programmers say their software will circumvent government censorship.

        What choices does the 19 year old Chinese college student have? Say he uses the software expecting to hide his identity, and the government discovers who he is. Does that make the software programers wrong for releasing the software? In the USA, if someone purchases software that doesn't live up to the hype, they can return it. In China, that guy is dead or in jail.

        Now if no such software existed, the guy in China couldn't get into trouble. It would require more thought, and better orginization than just installing some software.

        I'm just saying if someone is going to throw out a tool for people to use, which a government says is illegal, those people making the tool should be damn sure the tool works.

        This goes to a deeper discussion of how much right does one culture have a right to change a different culture. Maybe in China most people really want communism. But 10% want democoracy. Should the USA help those 10% to overthrow the system of government in China, and to destabilize their economy?

        I'm not a historian, but most stable countries that changed systems of government had a revolt which originated by native people. In France, it was the working class that overthrew the nobility. In the USA, it was farmers and working people who overthrew the british. In neither case was the revolution inspired or promoted by a forigen power. Sure, the people found friends and allies, but the allies didn't cause the revolution. Now contrast to Iraq where the USA is the source of the revolution. There are not enough Iraqi people who believe in USA values to sustane any form of stable government. That is the reason outside nations should not interfear.

        Now, what if the government of China finds people using the software these three USA programmers wrote. China find this software violates their laws. Can China arrest those programmers. Or send operatives to kill them? The Israelis often send mussad agents to track and assasinate people who are not friendly to their nation.

        It seems to me to be an unfreindly move by the USA to help dissadents in China.

        • Say he uses the software expecting to hide his identity, and the government discovers who he is. those people making the tool should be damn sure the tool works.

          Fighting criminals is dangerous, but it's worth the risk. The people helping the dissidents need to do the best they can on the software, but the possibility of failure or disaster shouldn't deter them from trying. Even if the software is flawed, it may save a Chinese programmer a lot of time by serving as a base that can be improved upon.

          Thi

    • So by your logic we should not attempt to intervene next time some psychotic general in an African nation decides to purge it's society of those pesky million or so people of whatever minority they don't like.

      Certainly culture and sovereign interests need to be respected, but it comes down to a question of is what they are doing right or wrong? Denying your people the truth and the ability to make actual informed decisions for themselves is wrong, at least by my standards. And, it certainly doesn't erode
    • Iraq has taught us that an outside power can't change a people or their culture.
      I think you've strained this analogy past the breaking point. How is invading a foreign country analogous to helping political dissidents communicate safely?

      Imagine if the people of amsterdam decided that drugs should be more available in the USA. Should they help Americans break the law inside the borders of the USA?
      Sure, why not? If they believe drug laws are unjust, then it makes sense for them to help Americans circumve

    • ...people could die

      Nonononono - they don't die; the government just publicly says that "they cannot be found" (after the government has privately gotten to them).

    • by argoff ( 142580 ) on Sunday May 07, 2006 @09:53PM (#15283221)

      This is not one world where all people believe the same things. One nation should be allowed to keep its culture, even if another nation disagrees.

      Nations and cultures do not have rights, indnviduals have rights, but the statement above is implying just the opposite. It also implies that individual rights are just some kind of culturial thing, and not inherent. What about HK? their culture strongly respects rights. But China does not want to respect those at all. Funny how Chineese citizens who go to HK seem to adjust in a matter of days.

      Hey, "if not us, then who? if not now, then when?" This has nothing to do with US policy, it has to do with us and if we are willing to help people looking for freedom.

  • They named this vaporware "Freenet 2."
  • Circumventing censorship in China, if needed (it rarely is), is easy, and most people know how to do it (it is spread by peer education in homes and internet cafes). No one is gonna lock you up for doing it either, so I don't know what TFA is talking about.

    Now, tearing down the firewall would be the easiest thing in the world. It just requires a collaborate effort between governments in the West, or at least some powerful companies in the West, namely to host servers for distributed protocols a la Tor and s
    • For Iran... I recommend we nuke'em. It is the simplest and least painful way.
      The simplest and least painful way to neuter Iran would be to bomb their oil producing infrastructure into the ground.

      It wouldn't kill many people, but you won't ever see such an effort. I leave it as an exercise to figure out why.
  • by louarnkoz ( 805588 ) on Sunday May 07, 2006 @08:47PM (#15283066)
    TFA points out the obvious problem: if the great firewall can identify a relay, it can close it. It can also find out whoever is using it, making it a dangerous proposition. To me, it is fairly obvious that the response has to rely on "strength in numbers": place a great many relaying pages all over the internet. In fact, what about placing at least one such page on every web site? The great firewall would then have to either lock the entire Internet, or give up!
  • How is this effort different than peekabooty? [sourceforge.net]

  • It's true, you know. The tripple-barrel pun on firewalls, China's great wall, and the Berlin wall.
  • You have to wonder (Score:3, Insightful)

    by Gorshkov ( 932507 ) <AdmiralGorshkov@[ ]il.com ['gma' in gap]> on Sunday May 07, 2006 @09:05PM (#15283110)
    Not to put to fine a point on it ... but as strongly as they feel about their cause, I wonder if they realise that what they're doing - if used by poeple inside those countries - could get people killed? I can't help but wonder how zealous they will be if they have to think about the potential blood on their hands. Doing what you can to help from your end is one thing. Helping somebody become a martyr is another. To my mind, it's like giving dynamite to a suicide bomber, without thinking about either the bomber or any of his victems.
  • by mcostas ( 973159 ) on Sunday May 07, 2006 @09:17PM (#15283134)
    If we provided people in China with satellite internet terminals, like this [wildblue.com] then the firewall would be completely out of the loop. And since the antennas are directional, it wouldn't be too hard to conceal your RF signals and would be difficult to jam.
  • How're you enjoying all the free speech and intelligent exchange of ideas?

    Yeah, I'm just looking at the boobies too.
  • Traffic analysis (Score:4, Insightful)

    by Michael Woodhams ( 112247 ) on Sunday May 07, 2006 @09:34PM (#15283177) Journal
    It sounds easy to defeat to me. The proxies will have a distinctive profile in traffic analysis:
    * Communicates on port 443 (SSL)
    * Only a few Chinese computers ever connect to the foreign proxy
    * Those that do connect, tend to do so extensively.

    So the Chinese see this pattern and block the proxy or worse.

    As an alternative countermeasure, would it be feasible for the Great Wall to act as a man-in-the-middle on all SSL connections which cross it?
    • Very good point about the easy detection. Of course, man-in-the-middle does not work with public key cryptography. The idea is based upon modular mathmatics, and laws of exponents. Basically one computer knows the number "a", and sends a number derived from "a" across the network. "a" itself cannot be determined from this number. The other computer generates a number "b" and sends a number derived from "b" across the network, and again, only the second computer will ever know "b". A computer needs to k
      • by proxima ( 165692 )
        Of course, man-in-the-middle does not work with public key cryptography

        As I understand it, not unless the initiator of the connection knows which host key to trust. If you don't distribute a trusted set of host keys by another method, then the MITM can just emulate both sender and receiver, and intercept all communications.

        That's why your ssh client will save a list of trusted hosts, ask you to authenticate new hosts, and give a big warning when the key for an IP doesn't match what's on file. It's also w
  • I don't see the big deal. Most people around here know that you just need to get a secure connection to a proxy server in a non censoring country and then you can access the web without trouble. A guick google search will turn up lots of companies that offer web proxing for a very small charge (avoid all the 'free' proxy lists since many of then are honey pots).

    Unless the gov't is specifically spying on you this is more than enough.
  • by mapkinase ( 958129 ) on Sunday May 07, 2006 @09:49PM (#15283207) Homepage Journal
    Ron Deibert, Nart Villeneuve, and Michael Hull, does not sound Chinese to me. Does anybody know what is the mood among Chinese in US? I have got plenty of Chinese coworkers (hi tech) at my previous job.

    You know how many of them were disseidents, that is expressed even slightest dissatisfaction with Chinese government? None. Including Taiwanese.

    For me it is clear indication that the weakness of Chinese opposition is a result of genuine destaste of Chinese to all sort of revolutions in favor of a piecemeal balanced development, not information blackout.

    May be westerners should get themselves a break for a change and let Chinese decide what to do with the country?

    What is with this Kiplingian (Kiplinguesque) "burden of a white man"? It is XXI century already... Stop revolving other peoples lives!
  • This isn't the first time China has taken this strategy. The last time they built a wall they were nvaded by the Mongol Hordes. There is no way China's firewall is any match for a planet of computer geeks.
  • Collateral damage (Score:2, Interesting)

    by Anonymous Coward

    Sometimes the lab performs tests remotely, taking control of unprotected computers inside the censoring country without permission. This poses an ethical controversy, but Deibert says it's for the greater good: "We don't worry about that too much."

    They should be very worried about that! This tactic frames owners of the unprotected computers. How many will be investigated or even arrested because somebody used their computer to access forbidden sites? It is one thing to have willing accomplices who accept

  • by JediLow ( 831100 ) * on Sunday May 07, 2006 @09:56PM (#15283232)
    No program is going to lead to a mass movement of people looking to circumventing the firewall. From TFA:

    One is that many people in a place like China are not even aware they're being censored, says Geist. Even if they are, he predicts, few will make the attempt to get around it. Qiang notes that even young urban males, the greatest beneficiaries of China's economic boom, are reluctant to rock the boat and risk their wealth.

    Beyond that, the vast majority of users in China do not own their own computers - they spend their time in internet cafes... which means they're even less likely to have the proxy program. While its a huge topic outside of China, in China itself its not an issue at all.

    The only way to tear down the Great Firewall of China is for the regime to collapse.


  • SSH has a SOCKS proxy built in, is on a large number of boxes by default, and everybody has to leave the port open anyhow because the only other option would be to use unencrypted access protocols and administration which would leave computer networks vulnerable.

    Perhaps having public ssh accounts on secure VM's with a method of decentralized authentication or standardized access rules would work better. In theory they could even use full fledged x-windows apps over the internet leaving no trace of their ac
  • It is a dupe from February [slashdot.org].
  • by aepervius ( 535155 ) on Sunday May 07, 2006 @10:55PM (#15283393)
    How would you feel if China actively was fighting against law in the US ? For example what if they start "fighting against the great drug firewall of the US" and publish method to avoid law enforcement to smuggle drug ? How would you feel (well I am sure some USian would feel happy but that is not the point you are hinting at).

    On the paper I am sure it is a noble goal "freedom of speech" but de facto you are publishing way to go around china law. So how would you fee if China did the same to US law ?

    This might sound like a troll, but this is an earnest question : many country are feeling sick of US interventionnism from its governement, or from its citizen... Furthermore , you know the proverb "do not do unto me what you would like to be done by me unto you".



    PS: feel free to mod me as flamebait or troll, I always like irony (cue to the discussion theme).
    • by Beryllium Sphere(tm) ( 193358 ) on Monday May 08, 2006 @02:39AM (#15283802) Journal
      In this case the US isn't doing anything. A group of hackers at a university is creating this project on their own. So the comparison isn't exact.

      You ask a good question if we refine the example a bit. Imagine citizen activism against a foreign government's unjust laws. Take your drug example, and ask how the US government would react to Chinese citizens creating covert systems for delivering medical marijuana to the US.
    • Exactly. How would it be if, for instance the story was "Browse child porn in the US and never get caught!"

      While I recognise the obvious other problems with that content the basic principle is the same, you're trying tobreak another country's laws simply because you disagree with them. It's basically trying to imprint your morals on the world, something it's fair to say western countries have been accused of before.

      I'm very uneasy about this.
  • Propaganda. (Score:3, Insightful)

    by Fantastic Lad ( 198284 ) on Monday May 08, 2006 @06:06AM (#15284140)
    The Toronto Star makes its money by selling media to suburban families.

    Their stories are tailored to a certain head-space. They don't present news so much as they filter ideas and pre-digest them for a bunch of working parents raising kids. The Star is basically just a really fat daily edition of, "For Better or For Worse." (--Or, "How to accept slavery and severely limited possibilities in life while pretending you are happy and that there is nothing more.")

    Poor Lynn Johnston. She's a shill and doesn't know it. That's the best way to subvert a populace; get genuine and honest creators to believe in the lie and then repeat it with charisma and talent. There's a reason why, "For Better or For Worse" is the MOST popular comic strip in North America. It's morphine for the wounded.

    The problem is that The Star, (and papers like it), are direct arms of the corporate paradigm, which are linked to all kinds of nastiness. Whenever a paper uses emotionally charged terminology when sharing facts, you automatically know that biases are involved. The fact that it's so bald-faced is an indicator of just how far the people have been subverted.

    For example. . .

    "But the computer smarts of Ron Deibert, Nart Villeneuve, and Michael Hull, combined with their passion for politics and free expression, have led them to develop a highly anticipated software program that allows Internet users inside China and other countries, such as Iran, Saudi Arabia and Burma, to get around repressive censorship and not get caught."

    The average person if they were to read the same phrase usage in a Chinese newspaper, would gag and cry, "Propaganda!" but when it's displayed right in their hometown paper, it's suddenly invisible while retaining all of its subversive power.

    So is there an Agenda? Hell, yes! I wonder how exactly the Toronto Star is going to spin Bush's military strikes against Iran?

    That's right! Iraq all over again. Baseless lies about war ambitions spun into a such a fear frenzy that the cozy suburban family provider will shudder at the very thought and willingly go along with corporate fascism. Same old story.

    Our 'Liberal Media' is designed to make us stupid.


    -FL

The person who can smile when something goes wrong has thought of someone to blame it on.

Working...