China Tells Carriers To Block Access to Personal VPNs By February (bloomberg.com)
China's government has told telecommunications carriers to block individuals' access to virtual private networks by Feb. 1, people familiar with the matter said, thereby shutting a major window to the global internet. From a report: Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives. The clampdown will shutter one of the main ways in which people both local and foreign still manage to access the global, unfiltered web on a daily basis. China has one of the world's most restrictive internet regimes, tightly policed by a coterie of government regulators intent on suppressing dissent to preserve social stability. In keeping with President Xi Jinping's "cyber sovereignty" campaign, the government now appears to be cracking down on loopholes around the Great Firewall, a system that blocks information sources from Twitter and Facebook to news websites such as the New York Times and others.
Business VPNs (Score:5, Interesting)
How will business users be impacted, since they will typically need to use a VPN if working remotely?
At the same time I wonder how long it will be before the mouse works out how to camouflage the VPN access? It really is a cat and mouse arms race.
Re:Business VPNs (Score:5, Informative)
Also, if they block VPNs, then the people will just start tunnelling over SSH. Can they block all VPN and SSH connections? That would basically disable a huge portion of the internet.
Jail if they catch you (Score:3)
Also, if they block VPNs, then the people will just start tunnelling over SSH. Can they block all VPN and SSH connections? That would basically disable a huge portion of the internet.
They don't have to. They just put you in jail, or worse, if they catch you using a VPN.
Re:Jail if they catch you (Score:5, Interesting)
Any Chinese person I know would scoff at that threat, only Americans are so dedicated to law and order. Breaking the law is a way of life in many places (and in some places in the US, ask any NYer).
Yes, it's still illegal and if they decide to come after you, you are totally in trouble, and this is a horrible oppressive regime we really ought to hate and stop doing business with. But the reason the regime stays in power, and the reason it has managed to become successful in spite of itself, is because it is impotent and corrupt in all the right places. If their government were to ever fix that, and effectively police itself, I imagine the people would revolt in mere days and they wouldn't need the "free" world to tell them anything.
Deterrence (Score:3)
Any Chinese person I know would scoff at that threat, only Americans are so dedicated to law and order.
Americans aren't the ones with the giant firewall. (Our government is more subtly evil in how it spies on us) You seem to have missed the point. The point isn't that the Chinese government will catch everyone, merely that they will deter VPNs through threats of jail and/or other punishment. I'm sure lots of people will ignore the laws but the stakes just got higher.
Breaking the law is a way of life in many places (and in some places in the US, ask any NYer).
Every citizen breaks the law dozens of times a day. Nevertheless the punishments for some "crimes" are much harsher depending on the local
Re: (Score:2)
The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs. In either of those cases, though, the VPN use itself would likely be the least of the offenses they would be concerned about, and they wouldn't expose their capabilities simply to prosecute VPN usage, but rather the underlying information that was transmitted or received. It's really a law without teeth.
Re: (Score:2)
The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs.
No, traffic pattern analysis is good enough to identify most VPN traffic. You don't have to identify what's in the traffic, just that it's overwhelmingly likely to be VPN traffic, and then you can go after the endpoints.
Re: (Score:3)
China does not allow access to that huge portion of the internet. That is the whole point of their great firewall. Not protecting citizens from bad memes and crude jokes, but protecting themselves from dissenting views being visible to their people.
This is how authoritarian regimes work, and nobody should be surprised. It's a great reminder for the rest of us, for when our whackadoodle politicians start claiming they want control.
Re:Business VPNs (Score:5, Interesting)
Not protecting citizens from bad memes and crude jokes, but protecting themselves from dissenting views being visible to their people.
Which is why I now like to ask the people working in calls centers in China when they call trying to scam me:
If they are aware of the book sellers in Hong Kong that have turned up in mainland Chinese jails
If they know that Tibet was a sovereign nation until it was invaded and now its native population is being replaced.
If they are aware of the Uyghur issues
Asking if they know about the June 4th incident or the student protest of 1989 in Tiananmen Square.
Personally I am hoping to get the Chinese government to shut down these scam call centers by bringing up issues it doesn't want discussed [wikipedia.org] as there is a whole list of things one can bring up. Anything else is a side benefit.
Re: (Score:2)
And are you aware that very same book seller (singular) was freed long ago, went back to HK, and then, after engaging in some anti-China publicity, suddenly got a big bunch of money to open a new bookstore in Taiwan?
The Fake News Networks in the US are even more effective at brainwashing people than the Great Firewall of China.
What are you talking about? There were five, and they were imprisoned and forced into false confessions. FYI, I'm in Hong Kong. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Most Chinese people never saw the videos we saw of what actually happened in that square. Show one of those to a Chinese person (one who hasn't been out of the country for very long yet)... look at their face.
The reason they don't care is because all they ever *saw* was a bunch of spoiled, rich kids shouting slogans. And then they were told that a few got injured when the police shut down the illegal protest to restore law and order. They never saw those kids being brutally murdered.
Re: (Score:2)
"Tiananmen Square" was a big deal in Western media
In the UK the media focussed on an incident in which a demonstrator stood in the road in the path of a tank and the tank stopped. We were shown that clip over and over and over again.
I never did figure out the point that the media and UK politicians were trying to make. What crossed my mind was that if you did that in Whitehall you would be promptly run over by a car. But that would be OK as you would have been run over democratically.
Re: (Score:2)
Not only can they... They currently do. You would not believe how much it costs me to work around this, and how little I get in return. It would shock you even more to see how valuable it is.
Re: (Score:2)
Both SSH and all standard VPN traffic are distinguishable from unencrypted HTTP, SSL/TLS, and other traffic types. You need firewall gear that examines things like packet size & frequency, but the detection is reliable and fairly quick. It's not a complete block the way you can block an IP address or port from starting a connection in the first place. Within a few seconds of opening the connection, the traffic type is detected and the connection reset.
Add a little analytics to determine source or dest
On the road to revolution (Score:2, Insightful)
President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.
Re: (Score:2)
President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.
Exactly my point. [slashdot.org]
Re: (Score:2)
But Broken Sword may convince Nameless that President Xi should not die...
Re: (Score:2)
President Xi should study his people's history. Every dynasty eventually loses the 'mandate of heaven'.
Happens in all civilisations. So what do you expect Xi to do - say "OMG, I never knew that!", and top himself?
Biggest Surprise (Score:3)
The biggest surprise here is that this loophole hadn't been closed down years ago.
Re: (Score:2)
Chinese leadership is getting desperate, losing contact with what is and isn't technically possible.
They will be playing 'whack a mole' until they 'declare victory' and give up.
Re: Biggest Surprise (Score:1)
You obviously don't know how harmful communism is.
Re: (Score:3)
Communism isn't harmful. Singular control of all resources is harmful. Restriction of ideas and speech is harmful.
Nationalizing companies is also harmful. The same way monopolies are harmful. By limiting choices you let scum rise to the top and pollute the structure.
So governments can tax corporate profits but shouldn't get direct benefits other than taxation. That way other companies can come and go and losing one company won't break the country. See Venezuela and all other dictatorships were nati
Re: Biggest Surprise (Score:5, Insightful)
Wow, you sure are opinionated for a topic you know fuckall about.
Marx believed communism wouldn't be viable unless it was part of a democracy. It was later communists who came up with the "state" owning things "on behalf of" the workers - and while they were the ones who took over the Soviet Union and then spread their version world-wide they weren't even the majority until some 20 years AFTER the Russian revolution. The majority of communists were democrats or anarchists - whose version had no state at all, merely the ownership of the means of production vested in the actual workers in the form of coops.
Such anarcho-communists ran Andalusia in Spain for 20 years (and it was a successful, industrial city. George Orwell fought on their side in the Spanish civil war and described them as the closest thing to a perfect society he had ever witnessed - and a society where there was no hunger, poverty or suffering). Nor an overbearing state - in fact, no state whatsoever.
Communism, capitalism and socialism are all, really, collective nouns for dozens of different philosophies (each) which contradict each other on many key points. In each situation - only having one thing actually in common.
In capitalism the means of production are owned by investors ("capitalists"), and in communism it is owned by the workers. This is the only part that applies to all versions of either. Socialism was originally a synonym for what came to be called communism, then Marx defined it as the end-state communism is supposed to one day achieve, currently it's best thought of as "capitalism but with a rock-solid social safety net", another word for "welfare state" as that's how it's mostly used these days.
So yes, communism is actually quite rife in the US - and government has nothing to do with it. America's largest carpet factory, and largest robotics factory, and LA's largest bakery are all worker-owned coops. A worker-owned coop is the very definition of communism - and every one of those workers will tell you they are MORE free than they would be in any other company since, in this company, they get an equal share of the profits (it doesn't go to outside investors - it all goes to the people who actually did the productive work that produced the profits), and they all get a vote in management decisions. Does the company need a new slogan? Should we open a new location in Albuquerque or would it be better to reinvest that capital locally in more staff and higher wages for us all?
Instead of hoping and praying that a bunch of wall street stockholders who have no actual understanding of what they do will direct the CEO to make the best decision (and thus secure their livelihoods) - they can vote on that decision themselves, relying on their actual experience in the business and the wisdom of crowds to guide them. Because it's their business - they own it. And while, of course, every decision has risks - they never have to feel that they are being punished because of somebody else's idiocy in making a terrible business decision. They made that decision, they were part of it - and the decisions that determine whether they can feed their families tomorrow, are decisions they are themselves responsible for.
That's more freedom than most anybody else in the world gets. And it's communist to the very heart and soul of it, in fact, I would say it's much MORE communist than what the Soviet Union did - since those workers never truly owned the means of production - the state did, and without democracy, that state couldn't EVEN legitimately claim to be representing the workers.
By the way - more than 80% of companies in Argentina are worker-owned coops now, representing well over 90% of all employment (the remainder being almost exclusively civil service jobs). This came about after a complete economic collapse led to absolute capital flight and every shop, factory and office in the country was shut as the owners fled with their hoards. The workers just showed up and took over the abandoned businesses and ran those bus
Re: (Score:2)
Wall of text and all you've shown is you are a halfwit.
Re: (Score:2)
When somebody cites a whole bunch of facts, all of them easily verified, and the only response you can offer is an insult - you've lost the argument.
Re: (Score:2)
The biggest surprise here is that this loophole hadn't been closed down years ago.
Since the concept of connecting to a private network and alt-routing around infrastructure has existed since the days of dial-up concentrators, I'd say this delay is more political than anything.
Re: (Score:3)
China has been going after and is already blocking lots of VPN services. But of course all the time new such servers will pop up, new domain name, new IP address, and the mainlanders have their connection back.
How will they ever be able to block all VPN connections? They could of course start by blocking some common IP ports, but there's nothing stopping people from using a different port, e.g. port 80, and we're back to the situation we have now, where they have to go hunt down server after server.
Re: (Score:2)
I thought VPN is encrypted pretty much by default already, making it hard to detect.
OK, maybe I used a wrong example with port 80 (http - unencrypted - can be inspected indeed), make that 443 (https). The outside observer can only see which IP it goes to, with no way to figure out what the content of the transmission is. With the world moving to https everywhere it's going to be hard to block that port. It'd also be an issue for all the local services that rely on encryption to remain safe.
Re: (Score:3)
You don't need to know the content, you just do traffic analysis. A "Normal" https connection has a certain traffic distribution/fingerprint. An SSL connection is setup between the client and server, the http request is made, the content/object delivered, and the connection torn down.
SSL VPNs, even if operating over proper https and port 443, behave very differently. The connection is held open for long periods of time, and there is much more back and forth between the client and the server, as all further
Re: (Score:2)
You meant: making it easier to detect, right?
For all the plaintext connections, you can examine them and rule them out. (Countermeasure: hide your steganographic VPN here, so it gets ruled out. Downside: low bandwidth.)
Then all the remaining connections, you can't look at the contents but you can see if they happen to just keep talking to this one possible-VPN-endpoint all the time. Ah, this guy seems sshed to his linode a
Re: (Score:2)
Yes I know I used the wrong example with unencrypted port 80. More and more web traffic moves to encrypted traffic fast.
Re: (Score:1)
ssh can easily be blocked to the "outside." Pretty much any way you try to tunnel can be detected with traffic analysis
Indeed. Although I don't know any examples of countries that have done this, it would be fairly easy to set up a nation-wide ssh permit system. By default, the ssh protocol could be blocked by the national firewall. But if some business executives needed to ssh to a server outside the country, then the business could apply for a special permit to allow ssh traffic to that one specific server.
Of course, a national firewall won't stop satellite internet connections, such as Inmarsat. And it's unlikely tha
Re: (Score:2)
When Zhang visited last year VPN connections were blocked around the convention center and at least parts of Wan Chai. Typically Cisco VPNs were unprotected, but that week at least even Cisco's IPSEC was blocked. I thought L2TP was often blocked in HK, but hadn't tried in years. I experienced this both on hotel wifi and cellular.
It might have had something to do with the snipers on the roof of the Hyatt that we could wave at.
Re:Just imagine (Score:4, Insightful)
Wait till their real estate bubble pops. It's going to be ugly as fuck.
Re: (Score:2)
You should buy condos in China. It's a good investment!
Re: (Score:2)
So do it. Talk is cheap.
The Chinese are babes in the capitalist woods. They still think keeping their currency low for all these years was a good move. I predict a Chinese revolution inside 10 years, after their savings evaporate. It's going to be _ugly_. Central committee members children will be hanging from lampposts.
Re: (Score:2)
Everybody in China wants land (or real estate anyhow). It's cultural.
Unfortunately for China, they are parking their money in a huge bubble. Their big cities are massively overbuilt to shit construction standards.
The truism in real estate is the real value of property is the loan that rent would cover. In China that's about 10% of the current market price. Chinese people often keep investment properties empty as the rent doesn't cover the added cost vs just leaving it.
China has a government set curr
Re: (Score:2)
And if you feared that happening, what would you do about it? Today's idea: install Great Firewall to control most peoples' media, and by extension, th
this shows the problem with workarounds (Score:2, Insightful)
Whenever something unpleasant happens to human rights online, a lot of people shout, "Just use a VPN, and all your problems are solved!"
In a small way, they're not wrong. But this misses the big picture: VPNs are few and easy for centralized authorities to block. The ultimate answer cannot be narrow and fragile circumvention measures. It has to be a robust, decentralized, and authoritarian-resistant internet architecture. It needs to be all-or-nothing: either authoritarians block the entire internet, or
Re: (Score:3, Insightful)
You don't know how VPNs work? Unless China bans all encrypted connections to the outside world, this will do exactly fuckall.
I'm pretty confident that China has long since set it up so 'everybody's a criminal', same as the 'western world', so that's not in play.
Re: (Score:1)
You don't know how VPNs work? Unless China bans all encrypted connections to the outside world
No. They only have to ban connections to the VPN services, which are relatively few and well known IP ranges. It's just like some US companies or web forums will ban those ranges for incoming connections. If they can do it, China can also do it.
Re: (Score:2)
I wish the Chinese government luck (not really), they're going to need it.
Re: (Score:3)
How many Chinese people in the west with broadband connections? They will provide routing for relatives if they have to. You'll see them tunneling through gaming servers (which will piss the gamers off).
There are already a _buttload_ of VPN services. IP banning will be a never ending, rarely working game of 'whack-a-mole'. With lots of potential for fucking with China by baiting them into banning important hosts.
Re: (Score:2)
You know how your advertising list updates. User reports.
You know what China won't be getting? User reports.
Re: (Score:2)
The fact that some Chinese families have relatives abroad and will jump through a lot of hoops to get around this is irrelevant. It doesn't have to work perfectly to be effective.
Re: (Score:2)
You don't know how VPNs work? Unless China bans all encrypted connections to the outside world, this will do exactly fuckall.
Assuming you have DPI capabilities, which I presume the Chinese government has, it's pretty trivial to block the normal VPN mechanisms without affecting other encrypted traffic. VPN (and SSL VPN) connections behave very differently from your typical connection to an https website. You basically just do traffic analysis and look for, say, SSL connections that have been open for more than 15 minutes, those where there has been more client sourced traffic than your typical http get, or whatever other thing tha
Re: (Score:2)
This is already "handled" by international obligation. If you look at the coverage maps for Iridium, Inmarsat, etc... there is a nice big hole over China. Same thing with the internet service offered by the likes of Lufthansa and so forth on airliners. Once over Chinese territory, the services cease to function. One of the basics of international law is that sovereign nations have the right to control what RF spectrum is used within their territories, and China simply refuses to issue licenses, thus the ope
Impossible due to widespread use of ASICs in netwo (Score:3, Interesting)
Network engineer here. My theory is that any blocking attempt where the users seek to avoid being blocked is doomed to fail unless literally no traffic of any kind (even DNS etc.) is allowed through. This is because all serious network kit uses ASICs to achieve acceptable performance at the cost of flexibility, but all the endpoints are CPUs that are inherently flexible. If the users have an orchestration system that allows the developers to change the protocols as and when, and they play to the weaknesses of ASICs, the network vendors will never be able to keep up. Anytime you let any traffic through whatsoever between two parties you don't fully control, it's game over for your perimeter. Hurray!
Re: (Score:2)
Zone Transfer.
This is how one DNS server shares its list of DNS entries with another. The transfer could also include a bunch of TXT records with cleverly included "certificates" as part of its payload.
I am thinking all that Facebook has to do to make WhatsApp global would be to sponsor one of the root servers that can use UDP 53 with cleverly encoded TXT records for the transaction. It would also work for DNS delegation where direct connections are not possible.
Re: (Score:2)
limiting the rate of queries to 1 query per second.
Great, now every web page takes several minutes to load by the time you look up all the caching servers, ad networks, and social network scripts.
Re: (Score:2)
So relax the rate limit for queries that can be answered from cache.
Whose cache? Does China already block the use of 3rd-party DNS servers?
Re: (Score:1)
"orchestration system"? What on earth are you talking about, that won't solve anything.
Real System Engineer here, this has already been happening for years. China can and does block VPN users, it's just they don't have a complete crackdown on it yet. We _do_ have employees in China who are kept behind internal walled gardens due to that.
In case anyone else has been asleep the last 10 years, VPNs are very easily detectable, as is SSH. The problem is with the initial exchange, it's all in clear. Try it
china simply cant trust its own citizens online... (Score:3, Insightful)
...what are they afraid of them learning on the open internet?
Re: (Score:1)
...what are they afraid of them learning on the open internet?
It's a phobia that is similar to the frothing at the mouth defenders of the US Constitution's second amendment. They feel if they give even an inch that it will become an unstoppable force that ultimately destroys them thus they must not let up in allowing even the most minor of concessions. People can be reasonable but some individuals just aren't.
Re: (Score:3)
...what are they afraid of them learning on the open internet?
All kinds of things. But they are actually more afraid, believe it or not, of the power of social media to encourage wild cat demonstrations against the government. The main job of the CCP (Chinese Communist Party) is not really to make China better. They do want to do that, but the main job is to protect the CCP itself at any cost. Did you know that the Chinese constitution (yes, they have one) actually has something in it pledging the military (so called People's Liberation Army) to protect the CCP?
Re: (Score:1)
As a frequent traveller in China :
1) Incorrect for the people I deal with
2) As above
3) To some extent, but it is still discussed
4) Taiwan is a funny thing, but I discussed it many times, and the locals seem well informed. (I am often in Xiamen, very close to Taiwan - in viewing distance...)
BTW: All major hotels in China have their own VPNs, so I can access EVERYTHING when on the hotel network. Be it in Shenzhen, Qingdao, Xiamen or Ningbo....
I will wait to see this go away..... Won't happen....
Now I'm really confused... (Score:2)
So China is protecting itself against communist, leftist, progressive, NWO fake news? Are they "MACA" (Making China Great Again)?
As for the inevitable snowflake trolls that will moderate this down - Are you familiar with the concept of self-fornication?
Re: (Score:2)
Waiting for the "WAR" headline as I check the news each morning
If the U.S. declares war, it'll be announced first on Twitter.
Whack-a-Mole, Communist China edition (Score:2)
Memo to Communist Chinese government: You can't stop the signal. You're going to fail; it's inevitab
Re: (Score:1)
The Signal doesn't exist on its own, it's produced by people. Kill enough people, and eventually the Chilling Effect will Stop The Signal, long before you run out of people.
Re: (Score:2)
I'm sure Russia's legions of state-sponsored hackers would be very interested in your opinion that they can 'easily become a thousand rotting or burned corpse in a ditch', so interested in fact that they'd turn your life into a 'rotting, burned corpse in a (virtual) ditch', draining your accounts, ruining your credit, pissing off everyone you know to the point where they won't even talk to you, planting child porn on your computer and
Re: (Score:2)
China is playing an open-ended game of Whack-a-Mole with its citizens, with the global Internet as the venue. It's obvious that Chinese citizens want free and unfettered access to the Internet and all the information on it. The communist Chinese government can keep trying to deny them, but just like with copy protection schemes, DRM, and all other censorship-like things, people will find a way around it. Memo to Communist Chinese government: You can't stop the signal. You're going to fail; it's inevitable. Why not give up now, and stop oppressing your people? When the revolution comes, are you going to change, or are you going to fight the future, and go the way of Bashar al-Assad and start slaughtering your own people en masse? It's up to you how History will view you, China. Choose wisely.
Sounds like the free internet is China's "War on Drugs".
China Cracking Down (Score:2)
Just recently it was reported that China will start censoring videos on certain video platforms, taking down content that criticizes the government or depicts LGBT people. http://www.independent.co.uk/n... [independent.co.uk]
People were saying it wasn't a huge deal because citizens "mostly use VPNs anyway" to access foreign videos, but this kinda throws a wrench in that plan.
Expelling large numbers of foreign workers too (Score:2)
China has also just started a program that makes it very hard for foreigners to renew their residence permits too. They are starting to use a point system that is all but impossible for most of the foreigners to be eligible. The Resident permits for all non-Han workers have been one year permits; so there is a near exodus of foreign workers going on right now.
Controlling the market (Score:2)
This looks a lot like what happens in mid-eastern countries like Saudi Arabia, where you can get fined $50K US for using a VPN. It isn't a security issue so much as they do not want people not paying the local voice carriers the $6 US/minute or whatever for voice communications. The owners of the carrier are typically relatives or close business associates of the ruling government.
China of course wants to monitor online political activity so they want to make sure that nobody can post online content anon
The more you keep tightening your grip (Score:2)
The more will slip through your fingers...
China will eventually be faced with the prospect of just disconnecting from the rest of the world or giving up on censorship. Depends on if they want to turn into a huge version of North Korea or not. I'm guessing, not.
Shush, the UK Government might be listening... (Score:2)
Run your VPN on same port as web server (Score:2)
You should be able to stealth your VPN behind a legit appearing website.
Same IP, same port
Re: (Score:2)
Same IP, same port, different traffic pattern. The folks who build these systems aren't stupid. Now if rather than a VPN you're running an https proxy, that's a little harder to detect, but even then, if all the traffic from one host is going to another host, and not touching anything else, it's not hard to develop a high degree of confidence that you're looking at a VPN or proxy service.
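The traffic-analysis heuristics several commenters describe (a port-443 connection held open past 15 minutes, far more client-sourced traffic than a typical HTTP GET, one host sending nearly everything to a single remote) can be sketched over flow metadata as a network-monitoring check. This is an added example, not code from any commenter; the `Flow` record, the sample flows, and the 0.30 and 0.90 thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# The 15-minute figure is the one quoted in the thread; the two share
# thresholds are assumed values that would need tuning on a real baseline.
LONG_LIVED_S = 15 * 60
UPLOAD_SHARE = 0.30   # assumed: browsing is download-heavy, tunnels carry both ways
DEST_SHARE = 0.90     # assumed: fraction of a client's bytes going to one remote


@dataclass(frozen=True)
class Flow:
    src: str           # client address
    dst: str           # remote address
    dport: int
    duration_s: float
    bytes_up: int      # client -> server
    bytes_down: int    # server -> client


def tunnel_indicators(flows, port=443):
    """Return {(src, dst): [reasons]} for pairs whose metadata looks like a
    tunnel rather than ordinary HTTPS browsing. No payload is inspected."""
    per_pair = defaultdict(list)
    total_by_src = defaultdict(int)
    for f in flows:
        total_by_src[f.src] += f.bytes_up + f.bytes_down
        if f.dport == port:
            per_pair[(f.src, f.dst)].append(f)

    findings = {}
    for (src, dst), group in per_pair.items():
        up = sum(f.bytes_up for f in group)
        down = sum(f.bytes_down for f in group)
        reasons = []
        if max(f.duration_s for f in group) > LONG_LIVED_S:
            reasons.append("long-lived")
        if up + down and up / (up + down) > UPLOAD_SHARE:
            reasons.append("upload-heavy")
        if total_by_src[src] and (up + down) / total_by_src[src] > DEST_SHARE:
            reasons.append("single-destination")
        # A single indicator is weak evidence (a websocket, one large upload),
        # so a pair is reported only when at least two agree.
        if len(reasons) >= 2:
            findings[(src, dst)] = reasons
    return findings


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary browsing, short download-heavy flows to several sites
    Flow("10.0.0.5", "192.0.2.10", 443, 3, 1_500, 900_000),
    Flow("10.0.0.5", "192.0.2.11", 443, 5, 2_000, 1_200_000),
    Flow("10.0.0.5", "192.0.2.12", 443, 2, 1_000, 300_000),
    # 10.0.0.9: one two-hour session carrying almost all of the host's traffic
    Flow("10.0.0.9", "203.0.113.7", 443, 7_200, 40_000_000, 60_000_000),
    Flow("10.0.0.9", "10.0.0.1", 53, 1, 2_000, 6_000),
    # 10.0.0.12: a long-lived but download-only stream alongside other browsing
    Flow("10.0.0.12", "198.51.100.20", 443, 3_600, 20_000, 5_000_000),
    Flow("10.0.0.12", "192.0.2.10", 443, 4, 3_000, 4_000_000),
    Flow("10.0.0.12", "192.0.2.11", 443, 6, 2_500, 3_000_000),
]

if __name__ == "__main__":
    for pair, reasons in tunnel_indicators(SAMPLE_FLOWS).items():
        print(pair, reasons)
```

The third host shows why a single signal is not enough: its stream is long-lived but neither upload-heavy nor its only destination, so it is not reported.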
This sucks (Score:2)