Censorship Software

Ultrasurf Easily Blocked, But So What?

Frequent Slashdot contributor Bennett Haselton writes "A simple experiment shows that it's easy to find the IP addresses used by the UltraSurf anti-censorship program, and block traffic to all of those IP addresses, effectively stopping UltraSurf from working. But this is not a fault of UltraSurf; rather, it demonstrates that an anti-censorship software program can be successful even if it's relatively trivial to block it." Read on for Bennett's analysis.

UltraSurf is an enormously popular program used to circumvent Internet censorship in countries like China (as well as schools and workplaces in mostly-free countries like the US, with mixed success). When you run UltraSurf on your computer, it re-routes your outgoing Internet traffic to external IP addresses controlled by UltraSurf, so that it looks to observers (and network censors) as if you are connecting to UltraSurf's IP addresses, rather than a website like YouTube or Facebook that may be banned on your network.

UltraSurf uses a list of thousands of external IP addresses, to make it non-trivial for an adversary to locate all of their IP addresses and block them all. However, using a few steps that would be obvious to many programmers facing the same problem, I did find a way to detect all the IP addresses that UltraSurf connects to, and block all of them so that UltraSurf stopped working. It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.

Some background information first. Most Internet censorship circumvention tools fall into one of two categories (whose names I have just invented for the purpose of this article):
(1) Self-bootstrapping. If a program is self-bootstrapping, then in a censored country you simply run a copy of the program and it will establish a connection to an IP address outside the country, one of many in a large "cloud" of IP addresses controlled by the software program's publisher. Thereafter, your Internet usage is routed through that connection in order to evade your country's filter. UltraSurf and Tor fall into this category.
(2) Non-self-bootstrapping. To use one of these programs from a censored country, first you have to get a friend in a non-censored country to install the software on their computer (or their webserver, if they have one). Then they give this location (normally in the form of a URL) to their friend in the censored country, and their friend types that URL into their browser to circumvent their country's filtering. Psiphon is the best-known program in this group.

In 2006 I wrote that even though the first category of programs was more convenient to use (not requiring you to rely on a friend in an uncensored country), any program in that category could be blocked by an adversary willing to make only a modest amount of effort: Install the program, see what IP addresses it connects to, block those, see if the program connects to any other backup IP addresses, block those, and so on, until the program runs out of IP addresses to use. There are a few simple countermeasures that designers of a program could take, but they can also be defeated easily.

(For example, if the program randomly chooses an IP address from a large internally stored list, then you just have to run the program over and over until you've found most of the IP addresses chosen by its random algorithm. A cleverly written program could try to evade this as follows: Pick a set of IP addresses at random from the list, and then "lock in" to that set of IP addresses, so that future runs of the program on that PC will always connect to those IP addresses, ignoring the other ones in the list. This makes it a little bit harder for the censor to pry out all of the IP addresses in the program's internal list. But then you, as the censor, can either (a) run the program repeatedly, but find where the program stores its "locked set" and erase that between each run, so that on future runs the program will keep selecting a different IP address set, or (b) if you can't figure out where the program is storing its "locked set" between each run, then just install the program repeatedly on different machines.)

One way or another, if the program knows what IP addresses to connect to when it bootstraps itself, the attacker can trick the program into revealing all of them. The attacker doesn't even need to reverse-engineer the software to see the set of instructions that it's executing internally; they only need to be able to see the IP addresses that the program is connecting to.
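For designers weighing the "random pick" and "lock in" schemes described above, the following added example (not the author's Perl script and not UltraSurf code) models how much of an internal address list a single observer sees under each scheme. The `ToyClient` class, the function names and the 10.x sample addresses are all constructed for illustration.

```python
import math
import random


def make_pool(n):
    """Constructed sample addresses in 10.0.0.0/8; not real UltraSurf addresses."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


class ToyClient:
    """Hypothetical self-bootstrapping client with an internal address list.

    Each run it contacts `per_run` addresses. With lock_in=True it keeps the
    first set it chose (the "locked set") and reuses it on every later run.
    """

    def __init__(self, pool, per_run, lock_in, rng):
        self.pool = list(pool)
        self.per_run = per_run
        self.lock_in = lock_in
        self.rng = rng
        self.locked = None

    def run(self):
        """Return the addresses contacted on this run."""
        if self.lock_in and self.locked is not None:
            return list(self.locked)
        chosen = self.rng.sample(self.pool, self.per_run)
        if self.lock_in:
            self.locked = chosen
        return list(chosen)

    def erase_state(self):
        """Models deleting the stored locked set, or a fresh install."""
        self.locked = None


def observe(client, runs, erase_between_runs=False):
    """Set of addresses visible to someone watching `runs` runs of one client."""
    seen = set()
    for _ in range(runs):
        seen.update(client.run())
        if erase_between_runs:
            client.erase_state()
    return seen


def runs_until_fraction(pool, per_run, fraction, rng, max_runs=1_000_000):
    """Runs of a non-locking client needed before `fraction` of the pool is seen."""
    client = ToyClient(pool, per_run, lock_in=False, rng=rng)
    target = math.ceil(fraction * len(pool))
    seen = set()
    for n in range(1, max_runs + 1):
        seen.update(client.run())
        if len(seen) >= target:
            return n
    return None


if __name__ == "__main__":
    rng = random.Random(2009)
    pool = make_pool(2000)
    # Random pick per run: exposure grows quickly, the last few percent slowly.
    for frac in (0.5, 0.9, 0.99):
        runs = runs_until_fraction(pool, 5, frac, rng)
        print(f"{frac:.0%} of the list seen after {runs} runs")
    # Lock-in: one installation never shows more than its locked set ...
    locked = ToyClient(pool, 5, lock_in=True, rng=rng)
    print("locked, state kept:  ", len(observe(locked, 500)), "addresses seen")
    # ... unless the stored state is erased, which restores the random-pick case.
    print("locked, state erased:", len(observe(locked, 500, True)), "addresses seen")
```

The model shows the point of the paragraph above: lock-in only limits what a single undisturbed installation reveals, so it protects the list from casual observation but not from someone who resets or reinstalls the client.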

Much later, I was able to reduce this to practice in an experiment on my own machine, using a Perl script, the built-in Windows "netstat" tool to list connections from locally running programs to outside IP addresses, and the "ipseccmd" tool to add new firewall rules blocking those IP addresses. After the script was left running overnight, it had collected and blocked all the IP addresses that UltraSurf apparently used, and on future runs, UltraSurf would display an error message saying that it couldn't find any IPs to connect to.

(Interestingly, netstat also showed that UltraSurf frequently opened connections to www.google.com over SSL -- that is, accessing URLs that would begin with "https://www.google.com/" -- so that traffic between the program and the Google website would be encrypted, and the contents would be invisible to censors in China. When I saw it was doing that, I added an exception to the script so that the Google IP addresses would not be blocked. Perhaps it was submitting search terms to Google in order to find pages that give the location of the latest UltraSurf connection points, or perhaps it was checking a GMail account created by UltraReach that stores messages containing more IP addresses; I didn't reverse-engineer UltraSurf to find out. But even if this was UltraSurf's clever means of obtaining new IP addresses, the system still runs up against the same problem: Any IPs that can be connected to by the UltraSurf client, can also be ascertained by the attacker who watches UltraSurf to see where it connects to, and then blocks those IPs as well.)

Naturally I had mixed feelings about pointing this out publicly, since I agree with UltraReach's goal of providing unfiltered access to users in China and other censored countries. But this idea is sufficiently obvious, that I don't think anything is lost by demonstrating it. There may be programmers interested in creating even more programs to help users in censored countries, and it would be counterproductive for those programmers to believe that existing programs like UltraSurf "magically" evade the censors by using some complex algorithm to hide the IP addresses that they connect to. In fact, the program doesn't conceal the IP addresses that it connects to (how could it?), and it would be straightforward to design and build a new program that did roughly the same thing. We should give UltraReach credit for the right things: they made a tool that provides unfiltered access to millions of people, they made the tool small and easy to use, and they arranged with their partners to subsidize the unfiltered Internet connections at no expense to those end users (although see some caveats, which have been pointed out by Hal Roberts at the Berkman Center, about the price of this "free" access). But the one thing UltraReach did not do is find a way to get around the problem of an attacker installing the program to see what IP addresses it connects to. That's not a criticism of UltraReach; this is presumably an impossible problem to solve.

(Side note about counter- and counter-counter-measures: If UltraReach does think that censoring countries might try harder to block UltraSurf at some point in the future, they should start releasing different versions of the product every month that use different sets of IP addresses. Release one version for September 2009 that uses one set of IP addresses, then another version in October 2009 that uses another set, and so on. Then if the censors decide in December 2009 to start seriously trying to block all UltraSurf IP addresses, they'll be able to find and block all the IP addresses used by the Dec09 version, just by installing a copy of the program and observing it. But, users who downloaded previous months' versions of the program will be able to continue using their copies. If the Chinese censors wanted to find and block the IP addresses used by previous months' copies of UltraSurf, they would have to either (a) figure out how to distinguish UltraSurf traffic from other Internet traffic, not an easy thing since UltraSurf uses encrypted traffic on port 443, the same port used for encrypted Web traffic, or (b) obtain copies of the program that users had downloaded in previous months, which is no longer as trivial as simply observing the current version of the program. The more often UltraReach swaps out a new version of UltraSurf that connects to a new set of IP addresses, the harder it will be for the Chinese censors to find all the sets of IPs used by previously released versions. However, once the Chinese censors start trying seriously to block UltraSurf, even though the trick just described will allow previous downloaders of the program to continue surfing freely, all new users who download the program after that point, can be easily blocked -- because the Chinese censors can just watch how often a new version of UltraSurf is made available for download, and block the IPs used by that copy.)

But I think the fact that the Chinese have not done this reveals something usually overlooked about the nature of the anti-censorship arms race. The situation is frequently cast as a battle between the evil geniuses who run the government filters and the good geniuses who write the software to get around the filters, while the grateful citizens of the censored country are the beneficiaries. But if the government censors haven't even done some simple experiments like this in order to block UltraSurf, they must not think it's a high priority to stop the program from working. This in turn suggests that the number of people using UltraSurf in a country like China, while large in absolute numbers, doesn't constitute a large enough proportion of the population to worry the government. Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party.

It's not that the Chinese censors don't care about controlling the Internet and the effect that it has on their citizens' thinking. The Chinese have reportedly fielded a droid army of about 50,000 cubicle drones to help fight Internet propaganda battles, such as drowning out anti-government posts on public forums. Why would they spend such enormous efforts to generate forum posts, but not make the effort to find and block all UltraSurf IP addresses? Because the battlefront is about defaults. If the user tries to access a site and it's blocked, then only a tiny proportion will make a significant effort to circumvent the block. (The exception would be when an extremely popular site like YouTube is blocked; operators of Web proxy sites report that during these periods, they get so much traffic from Chinese users trying to view YouTube videos, that the servers often crash.) Similarly, if users see that 90% of the posts on a given forum are on one side of the issue, then they're more likely to think that's the majority viewpoint (whether they agree with it or not). Hence the usefulness of the army of 50,000 to invade forum threads. Defaults matter; would Internet Explorer have ever displaced Netscape's browser (kids, ask your parents) if it hadn't been the default browser in all versions of Windows?

So the moral for any would-be designers of new anti-Internet-censorship tools, is not to worry too much about whether there's a theoretical way (or even a practical way) that the censors could shut the tool down. UltraSurf became enormously popular without solving that problem, and perhaps another tool could as well.

  • Blahblahblah (Score:2, Interesting)

    by Anonymous Coward

    It can also automatically sign you up for a government trojan horse upgrade or a special observation list. If you have nothing to hide, why use it? Anything that does not look like random noise or latest pop mp3s via p2p, will land you on said lists in countries with no human rights, so why bother?

    • Re: (Score:3, Interesting)

      by eleuthero ( 812560 )
      While the above has been modded flamebait, the poster does have somewhat of a point. If one is part of the crowd of "normal" internet users simply looking at "acceptable" news for the filter-happy country of choice, and if the user is participating in nominally "criminal" activities like downloading bootlegs, the country is not likely to care nor will it matter if the individual user has a means to block detection. The government might well start to care if everything from John Doe's IP address suddenly bec
      • if the program randomly chooses an IP address from a large internally stored list, then you just have to run the program over and over until you've found most of the IP address chosen by its random algorithm.

        Fun until I as the app programmer include the 1000 highest traffic IP's like googles servers, Microsoft servers, and pretty much any random server I imagine people would want to access in glorious republic and set my app to keep trying until it gets a valid connection.
        They try to blacklist every server my app tries to connect to and ... hey... where's the internet gone!

  • How do you solve the problem where the jackbooted thugs come to your door because they now know you are using this software? Seems the only real advantage Chinese citizens have over the censors is the ratio of censors to users is very low.

    • by Zerth ( 26112 ) on Monday October 26, 2009 @11:42AM (#29873835)

      Easy, live next door.

      When the jackbooted thugs drag off the elderly lady in the house with the oddly configured wifi, you know to leave town before she tells them who "helpfully" set it up for her.

      • Er ... I assure you Mrs Buttle, the Ministry is always very scrupulous about following up and eradicating error. If you have any complaints which you'd like to make, I'd be more than happy to send you the appropriate forms. Look, I'm very sorry, but I'm afraid I don't know anything about it... I'm really just delivering the cheque. If you wouldn't mind signing these receipts, I'll go and leave you in peace.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Monday October 26, 2009 @11:53AM (#29873973)
      Comment removed based on user account deletion
      • That's why the US has a Second Amendment, and why embedding the capability for armed violence has been well worth the cost. There can be no real personal security without the autonomous power to kill an attacker (even in Iraq, the Coalition allow one Kalashnikov per householder), and dispersion of weapons means that the people can always post a threat to government if they are willing to sacrifice.

        Sure, going heads up against an army is difficult, but the Viet Cong and Taliban prove that if you have the bal

  • by Kenja ( 541830 ) on Monday October 26, 2009 @11:15AM (#29873529)
    Stopping the geeks with the ability to use a proxy was never the point. I can't get my grandparents to hold the mouse the right way around, no way would they be able to understand something like Ultrasurf. If it works on 90% of the people, it's working very well.
  • small issue (Score:4, Insightful)

    by Anonymous Coward on Monday October 26, 2009 @11:30AM (#29873689)

    The author does not seem to account for onion routing - which is what TOR essentially is.

    There is no way to lookup all of the nodes in a TOR network using the methods described - since they are using tunnels to reach secondary (and further) nodes, this only accounts for the first node you lookup.
    You can block the server that provides the first node, yes.
    The one you know about. How many are there that you don't know about?
    How about the one that's not behind your great firewall, but in some kid's bedroom?

    Looks to me like you would most likely block stuff that's on your network anyway.

    • Re:small issue (Score:4, Insightful)

      by Golddess ( 1361003 ) on Monday October 26, 2009 @12:14PM (#29874239)
      What does it matter if they cannot block nodes 2-n, if all they need to do is block the first node that the program connects to? Once you block all nodes which could be first nodes, all subsequent nodes are useless to users behind the blocking.
    • Re: (Score:3, Insightful)

      by TubeSteak ( 669689 )

      There is no way to lookup all of the nodes in a TOR network using the methods described - since they are using tunnels to reach secondary (and further) nodes, this only accounts for the first node you lookup.

      You don't need to.
      The bad actor just sets up fast Tor nodes (or nodes that look fast) and traffic will come flooding in.

      Never forget that we're talking about State actors here.
      They have the resources to do things at a scale we'd normally write off as unlikely or implausible.

    • Actually TOR is pretty easy to block. There are a pretty finite amount of servers that are available as an entry node. TOR caches all of these servers in a flat text file and it is much more than just the one you are using. All you have to do is write a simple script to pull out those IP addresses and insert them into your blacklist. You have to disconnect and reconnect a couple of times to get all of them (it took me maybe three times), but the process is relatively quick and can be pretty easily automated.

      • Re:small issue (Score:4, Informative)

        by TheCarp ( 96830 ) * <sjc@nOSpam.carpanet.net> on Monday October 26, 2009 @01:50PM (#29875529) Homepage

        There is only one flaw here: Bridge servers.

        Bridge servers are ORs that are not in the main directory lists. They are set up to be useful first contact nodes, and often run on port 443 or some other well used port. Since they use SSL, they make it very hard to distinguish them from everyday web connections.

        You have to manually find bridge nodes. They can be passed around manually, or you can go to websites that list them, though, they take steps to make it hard to get more than a few at a time.

        Since anyone can set up a bridge node, it's very easy for the network to continue despite blocks.

        • You are saying that these nodes aren't publicly accessible and must be entered manually to use? That's the only way I could see it being helpful.

          In this line of work you find there is never a 100% solution on either side. Typically if you make something a big enough pain in the butt to use, end users will start looking elsewhere. The method above effectively blocks TOR for the vast majority of users. Sure, there will always be more servers, the job is never completely done, but the same goes for any other p

          • by TheCarp ( 96830 ) *

            Yes and no. That is... the full list isn't public. Anyone can put one up and choose to manually publish it somewhere or not. There are publicly available lists. However, those lists are simply the lists of bridges that someone chose to publish. Many of them are restricted such that you can only download a small portion of the list at a time, and with IP restrictions to make it more difficult to get the whole list.

            Its entirely possible that many ORs exist that are not published anywhere, or are published onl

            • "Many of them are restricted such that you can only download a small portion of the list at a time, and with IP restrictions to make it more difficult to get the whole list."

              Whether I block all entry nodes or just the portions my IP address is given seems irrelevant. I'm aware that I don't get all entry nodes at once, that's why in the past I kept reconnecting until I didn't receive any new nodes. If I never get the entire list, because the servers are intelligent enough not to disclose any more entries, it

  • by tlhIngan ( 30335 ) <slashdot AT worf DOT net> on Monday October 26, 2009 @11:34AM (#29873749)

    The obvious solution is to block the IPs to keep it from working. But then another one will pop up and you'll have to block that, lather, rinse, repeat.

    No, I'm sure places like China already know about it. Instead of preventing the access, it's probably easier to monitor who's using them when they connect to those addresses. People work around blocks easily enough. But if you let a circumvention tool work, especially one that results in easily traceable activity, why block it? Monitor, find the user, and do some "re-education".

    Blocking is an arms race. People will make better blocks and others make better workarounds and it escalates rapidly. But if you keep the current workaround keep working, more people will be using it, making it easy to monitor and track. And evolution won't happen as fast. It'll evolve so the monitoring programs will have to be adjusted, but when it works, the movement to evolve is far lower than if it was blocked and now you have a bunch of people trying to find a way to evade it.

    • by eyv ( 636790 ) on Monday October 26, 2009 @12:24PM (#29874399) Homepage
      This is shameless self-promotion, but my colleagues and I have a paper at this year's ACM CCS that addresses just this problem. It's called "Membership-concealing overlay networks," and discusses a network with the explicit security goal of hiding the participants. Since we consider IP addresses to be sufficient to break this concealment, this makes the system also difficult to block at the IP layer. You can find the paper here [google.com], and I would love to get some feedback.
      • by renoX ( 11677 )

        The paper was a bit over my head, I find the subject very interesting..
        I was thinking that it would perhaps be possible to use a MMO game as a way to hide communications, using the MMO's servers to bypass the filter.
        The company hosting the MMO game wouldn't even necessarily be upset by this if the CPU & bandwidth used are paid by the monthly subscription fee .. except of course in the case where the country chooses to filter access to the MMO game when it becomes known that you can use the MMO like this.

    • It's all encrypted. You could detect it, but not really "monitor" the activity.

      • Launch a MITM attack on the encryption. Sure, if they are using certificates for authentication then the program will warn about insecure connection, but, what are you going to do?

        1) Not use the program - the State wins, they just blocked the program
        2) Use the program anyway - the State wins, they can monitor your connection.

      • by tlhIngan ( 30335 )

        It's all encrypted. You could detect it, but not really "monitor" the activity.

        No, but knowing both parties (one end is this thing, which you detect, and the other end is someone using it), it's often "good enough".

        Think of it as a pen recorder for the destination - you'll know who's using the service and where it's coming from inside the network. Trace that IP back to an address.

        This is assuming that all uses for such a service are "illegal" in China (with the thinking of if it was legal, why use it?). Now

  • by SnarfQuest ( 469614 ) on Monday October 26, 2009 @11:35AM (#29873763)

    If you really want to block out all the bad web sites, just install Norton Antivirus. It pretty much bricks the system. It also has the effect of blocking all the good sites too, but you can't have everything.

    • by swanzilla ( 1458281 ) on Monday October 26, 2009 @11:45AM (#29873881) Homepage

      If you really want to block out all the bad web sites, just install Norton Antivirus.

      Antivirus 2009 is far superior. I didn't even know my girlfriend's system was at risk until she installed it.

      • Re: (Score:1, Funny)

        by Anonymous Coward
        All computers are "at risk" ... what the hell are you trying to say anyways?

        Did you mean "I didn't know my girlfriend's system was infected until she installed" Norton 2009?

        Dear product shill, if you want to advertise on slashdot, please use intelligent statements. Additionally, claiming to have a girlfriend doesn't help your cause, being as most of this demographic does not have a girlfriend ;o
        • Apparently you didn't have anyone recruit you to wipe AV2009 off of their Windows machine...I thought that joke was fairly obvious.
      • It was at risk, all right... from HER.

      • Antivirus 2009 is far superior. I didn't even know my girlfriend's system was at risk until she installed it.

        And give them your credit card and it magically all goes away. Along with your credit card. :)

        As someone who kills spyware infections for clients on a regular basis, I got the joke (good god, I hope you're joking). But I imagine a few people here won't, so I'll explain. In short: Google it. In slightly longer, Wikipedia it [wikipedia.org]. In even longer: It's not a real antivirus program. It pretends to be, finds an assload of nonexistent problems, then tells you the "full version" fixes them, only $x9.95! Where X is an

    • by Xtifr ( 1323 )

      In my experience, not installing Norton Antivirus can be just as bad! In fact, simply installing a system that can actually run Norton Antivirus seems to be a pretty high-risk activity, whether or not you actually do install it. This risk can be somewhat mitigated by using a VM or an emulator or an "...Is Not an Emulator" hosted on a system that can't use NAV--but only somewhat. :)

      Of course (to bring this slightly back towards on-topic), if you can get the authorities to believe you installed their (real)

  • It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.

    Other priorities? That's a new assumption, not stated before the final assessment was made. It seems like all the Chinese Gov't needs to do is give one person the task of keeping the Great Firewall up to date for UltraSurf's range of IPs, so to any user in China: "UltraSurf's network is likely to collapse any day now"

  • by Jartan ( 219704 ) on Monday October 26, 2009 @11:41AM (#29873825)

    I get the feeling that the Chinese govt's attitude towards censorship has been changing. In a way you could say they are becoming more skilled with it and choosing to be a lot more subtle here and there. This is actually probably a lot more dangerous. Instead of hiding the truth they are using the censorship along with propaganda to make the people accept the truth and support it.

    Probably in the future they'll model their whole system on the way the Western world uses the media to alter public perception. Of course they won't be stupid and hand over the reins to people like Rupert Murdoch. They'll keep that power for themselves.

    • The reality is that the Chinese government's censorship policy and implementation has been the most successful and comprehensive one ever applied. The Chinese population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country. By adopting a strategy of simply making it a nuisance to access prohibited information, the Chinese Communist Party has achieved what no other government before it ever could; Control over mindshare. Searching for information online, in a seemingly open way, will lead most citizens to pro-government sites and information. It is effectively impossible to be a dissident in such an environment without the equivalent of an undergraduate degree in computer science.

      This model has been successful and we are beginning to see it being implemented in the western world. Organisations like the Internet Watch Foundation, who privately and silently block access to swathes of websites are essentially doppelgängers of Chinese censorship boards, behaving and operating in precisely the same way. They make information difficult to find, but in a covert way. Technologies like deep packet inspection, pioneered by western companies for the great firewall, are now being sold to western governments and ISPs. The internet genie is not being put back in the bottle, but instead the cap is being screwed down so that only the odd puff can escape, and this is all that is needed.

      The Chinese model works. It works well. It is going to be implemented in the Western world, and indeed the first steps have already been taken. What is needed is a method of mass circumvention so absurdly easy to use and transparent that it is actually easier to use that than it is to silently acquiesce to censorship. Something like a one click install firefox extension which creates a Tor or eDonkey like network hosting censored websites, and that operates completely silently, offering automatic access for people that don't have it.

      We need such a system soon, because if the Chinese model goes unchallenged it will become the default model for countries around the world and there will be no more exit nodes, and no more free internet.

      • by Jartan ( 219704 )

        The Chinese population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country.

        That's a bold statement and does not match with what I know of the situation. From everything I've heard the situation is well understood by China's middle class. They just don't seem to care like we do.

        • The US population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country.

          Stupid User Syndrome. Or is that Stupid Human Syndrome? Or apathy? I don't know, but too many people buy everything they're fed by a certain propaganda station. If we have internet access, yet remain blissfully ignorant, how can we expect the Chinese to do any better?

  • by bzzfzz ( 1542813 ) on Monday October 26, 2009 @11:44AM (#29873855)
    Chinese internet filtering is justified publicly by stating that it is done to help Chinese people avoid inadvertent violations of the law, and that is how it is seen by most Chinese. The real purpose of the censorship there is to facilitate prosecution of dissidents by making it impossible to violate laws against anti-government speech and unlawful assembly inadvertently.
  • The purpose of the Great Firewall is to simply keep people from accidentally surfing to the "wrong" sites. If you are pure in heart, you wouldn't want to go places where Big Brother says you oughtn't to go.

    If you're not pure in heart, then you get to go visit room 101. You'll get to go there when you manage to get your hands on the firewall evasion software written by Emmanuel Goldstein (and here I'm specifically referring to the character in the book, not Eric Corley).

  • Have every copy include a few dozen or hundred random addresses out of the larger pool. Add and "retire" addresses to the pool daily, so it won't be possible to see "retired" addresses by repeatedly downloading the program.

    "Retired" doesn't mean no longer in use, just no longer included with new downloads.

    • by vlm ( 69642 )

      Have every copy include a few dozen or hundred random addresses out of the larger pool. Add and "retire" addresses to the pool daily, so it won't be possible to see "retired" addresses by repeatedly downloading the program.

      Wouldn't it be better to generate the exe file (or zip or rar or whatever) that is downloaded by means of a CGI script that compiles each and every copy with a randomly selected starter set and randomly selected file name?

  • Solution? (Score:2, Insightful)

    by dascandy ( 869781 )

    Make it target-dependent which IP addresses you send to whom. I've thought about this for copy-protection (but haven't told anybody). You can give every downloader his/her own copy of your executable with a fresh MD5. Make the executable contents (the IP address list) IP address dependent. Better yet, get 128 of them and give out a set of 64, based on the IP address and some awkward hash of the IP address. That way, every user has half of the targets (making the chance of finding a working host really big)

    • no country can get the full list (since they lack a few bits in the IP address range they use).

      What about open proxies in other countries...
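An added sketch, not part of the original thread, of the "64 out of 128, chosen by a hash of the requester's IP" idea discussed above, with a helper that lets the distributor measure how much of the pool is exposed once requests arrive from several networks (the concern raised in the reply). The pool names, the server-side key, the /16 bucketing and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder pool standing in for the 128 relay addresses.
POOL = [f"relay-{i:03d}.example" for i in range(128)]
# Assumption: a secret kept on the download server and never shipped to clients.
SECRET = b"constructed-demo-key"

def bucket(client_ip: str, prefix_len: int = 16) -> bytes:
    """Collapse a requester to its network prefix so neighbours share one subset."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return str(net).encode()

def subset_for(client_ip: str, k: int = 64) -> list[str]:
    """Rank each pool entry by HMAC(secret, bucket|entry); hand out the k lowest."""
    b = bucket(client_ip)

    def rank(entry: str) -> bytes:
        return hmac.new(SECRET, b + b"|" + entry.encode(), hashlib.sha256).digest()

    return sorted(sorted(POOL, key=rank)[:k])

def coverage(client_ips: list[str]) -> int:
    """Distinct pool entries exposed to someone requesting from all these IPs."""
    seen: set[str] = set()
    for ip in client_ips:
        seen.update(subset_for(ip))
    return len(seen)

if __name__ == "__main__":
    # Constructed vantage points, one per /16.
    vantage = [f"10.{n}.0.1" for n in range(8)]
    for n in range(1, len(vantage) + 1):
        print(n, "networks ->", coverage(vantage[:n]), "of", len(POOL), "entries exposed")
```

Each additional independent bucket halves the unexposed remainder on average, so the distributor's real control is how coarse the buckets are and how many distinct ones a single party can reach.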

  • A Bigger Worry (Score:4, Interesting)

    by starfarer42 ( 682198 ) on Monday October 26, 2009 @12:15PM (#29874259)
    Never assume your adversary is incompetent. If they can easily find and block all IP addresses used by this program, then why would they choose not to? I can think of one possibility, and it doesn't bode well for people who are using this program under the belief that it will protect their anonymity. We all know that monitoring *all* Internet traffic into and out of a country (especially one as populous as China) is a futile task. But suppose you could identify which fraction of those connections are specifically trying to evade government controls? Wouldn't it make sense to focus your attention on those connections? And instead of blocking them outright, why not trace them back to their source? Even if you can't decrypt the traffic, you can at least identify those "subversives" that could be in need of "reeducation". And remember that just because you choose to block those connections *right now* doesn't mean you can't start blocking them at some point in the future.
    • Re: (Score:3, Insightful)

      by marnues ( 906739 )
      Sorry, but you've missed the point of Chinese censorship, just like most people on Slashdot. Yes, the Chinese themselves are generally A-OK with such censorship. They have a very different culture than ours. Sure, if someone was bypassing the firewall to organize a rally, then absolutely that would be used against them. But the vast majority of people bypassing aren't doing anything of interest to their government and so will be happily ignored. The CCP is very intelligent and knows that letting some C
  • "Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party."

    Comrade Minister of People's Internet Service Provider: "Comrade Minister of Enforcement of Proper Thinking, I am pleased to announce that Great Firewall 3.0 is now in place and operational."

    Comrade Minister of Enforcement of Proper Thinking: Comrade Minister of People's Internet Service Provider, this is a glorious accomplishment. We can now prevent all manner of dangerous information from reaching the people and disrupting our peace and prosperity. But..., you have blocked my access to RedTube. I ca

  • IPv6 (Score:4, Insightful)

    by NotBornYesterday ( 1093817 ) * on Monday October 26, 2009 @01:23PM (#29875177) Journal

    Having a near-inexhaustible list of IPs for Ultrasurf would make tracking and filtering them all virtually impossible. That, combined with IPsec (required by IPv6) could either punch vast holes in the Great Firewall of China, or force them to step up their game considerably.

    If it does prove to be a factor in fighting Chinese censorship, it is interesting that the massive growth of the internet in Asia has been one of the driving factors behind the need for IPv6 migration.

    • The problem isn't only IP count but the fact that all the traffic ends up over a handful of trunk lines between any given set of countries. I once calculated that a single 64-bit subnet of IPv6 addresses would give you enough IPs to cover roughly every square centimeter of the Earth with IPv6 addressable devices, including uninhabited areas and oceans. We could allocate such an IPv6 subnet to use by a new short-link mesh topology network, set up completely between immediate neighbors and outside the control

  • My usual favorite, FreeGate, stopped working around August of this year. There are sporadic times where the client software will find 1 server with >1000ms pings, which makes it effectively useless.

    I tried every other free proxy client out there to no avail and gave up soon after. Apparently they're all blocked now.

    I've got nothing now. No more YouTube, no more boobs in gis along with 90% of other perfectly legitimate pictures (not to say that boobs are never legitimate), certain word searches in Google

  • Consider this: if you make it just harder than trivial to circumvent the block, then you get three categories of people.

    1) The ones who don't circumvent the block. These are sheep. You can ignore them.

    2) The ones who circumvent the block. These are opposition ringleaders. Watch them carefully.

    3) The ones who circumvent it but only after a known associate already circumvents it. These are motivated followers. Subvert and enlist them.

    As Yogi Berra said, "You
