Thanks for sharing this. I researched this for my A level project a few years ago, and this is a really neat cross reference. I didn't mention V2Ray as much.
How is traffic controlled inside PRC? Is GFW a central hub for all traffic between all hosts? Or between residential ASNs and commercial ones only? In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting. Maybe internal traffic is just all banned?
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) were once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to have a centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has a more centralized system like China controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
Not only individuals, but also major companies were locked down. If this was a dry run for "certain measures" in the future, I can't believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Determining the scope of the impact would also be part of such a dry run. And if it is meant to be used along some kind of military action then it's going to throw the economy into chaos anyway.
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality is much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.
"Xia" would map to a single character (code point) in Chinese. For instance, in simplified Chinese, it could be 下 (xia, meaning down), 侠 (martial arts - like the xia in wuxia), or any number of other homophones. Since the characters are already combinatorial, I'm not sure a Chinese speaker would think of this as a portmanteau.
Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHSM uses PKCS #11/JCE and a separate permissions system.
My understanding is that AWS KMS uses AWS-designed HSMs and is tightly integrated with all AWS services, while CloudHSM uses LiquidSecurity 2 Cloud HSM adapters and uses more conventional APIs.
> My understanding is that AWS KMS uses AWS designed HSMs
That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload)
Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.
> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
I guess they would find it the moment someone in China using a Chinese resolver tries to resolve your rogue record, since that would recurse to one of the root mirrors in China, which presumably feeds this mechanism.
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
I wonder if this is actually tied to Chinese domains and Chinese run registrars? That way it would be easy to flag the usage of foreign nameservers and there's no DoS risk.
OK, AWS again, I know it not only complies with Beijing but also Russia and many other dictatorships. Banned domain fronting and recently enforced S3 bucket-based subdomains for government to better inspect.
Their point is if you’re served within China (aka hosted off a chinese IP, or accessing anything from a Chinese IP) it doesn’t matter if the other company interacts or complies with China’s rules - the other half of the transaction will be blocked.
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with its purpose.
Not only that, it seems to be entirely unimpressive: The premise is that they would be able to allow everything except for what they want to censor, which isn't what they're doing.
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
You’re just ignorant of what it does. The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.
It really isn’t dumb at all, and is quite difficult to get past.
It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
At massive (national) level scale.
Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.
> The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.
They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.
The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.
> It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.
Sure, that’s why saying things like Tiananmen Square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.
The GFW is run by the definition of a Nation State Actor/NPT. They’re not perfect, or omniscient, but they aren’t fools or incompetent either.
And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When the day came, they started the engines and left, no one saw it coming).
You shouldn't use razors haphazardly or you might cut yourself.
A mistake that also weirdly increments some TCP fields for the three subsequent RST packets when that's not how the existing GFW devices behave would need some explanation before you could conclude it to be the most likely explanation.
A new hardware/software rollout is one of the more common breakage situations, though. It definitely could have been on purpose but my gamble is still on a fuckup with a new system rollout.
Could you bring something like a Starlink Mini for backup, I wonder? I'd imagine this would be very worrying being stuck there as a foreigner in such a situation.
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
It’s still true because in order to be operating in a country Starlink has to get approval from the Gov and if the Gov requires Starlink to have to connect through a ground station then they’ll either comply or not operate in that country
They have a minor capability to do intra-constellation routing now but if they want to operate in China the authorities are going to demand all data be downlinked through Chinese downlink stations so they can do their monitoring.
I wasn't aware that China does this. I know India does too though, for this reason only Inmarsat is allowed there because they cooperate with the authorities (and I believe even that is subject to local licensing).
Though India doesn't have a great firewall so it's much less of an issue for foreigners visiting there.
I don't know specifically that they do but it makes sense they would and Musk has a lot of points where China can squeeze him if he tries to not comply and China takes their internet monitoring seriously so I can't see them not demanding it.
Oddly, many travel SIMs have started to route traffic through China. I used one in India that clearly routed through Hong Kong, and caused a lot of problems.
No it won't, but if it did it would take just a few hours for China to shoot a bunch of them down, and with how tightly packed their orbits are the debris would take care of the rest.
I’m not so sure debris would help take down other satellites in that orbit. The orbit is very low so much of the debris that ends up with a deviation in its orbit will fall down. Even if it doesn’t there’s still air resistance up there which may cause more of the debris to deorbit before it has time to hit other satellites.
And I doubt China would want to make LEO impossible to move through anyway. It’d affect China badly as well
Potentially very dangerous for everyone if they did that. Could make it impossible for even them to make a launch. Kessler Syndrome is nothing to toy with.
> "Researchers call for development of anti-satellite capabilities including ability to track, monitor and disable each craft / The Starlink platform with its thousands of satellites is believed to be indestructible"
"Easy to bring down" vs. "believed to be indestructible"—some tension there!
If you're talking about nuclear weapons, their major effect on satellites (Starfish Prime as the reference point) isn't EMP effects, but ionizing radiation—creating a persistent radiation belt of MeV electrons. (A physical process that took months to disable some satellites). Beyond that I don't know much.
Not feasible. That would entail putting shrapnel into orbit (unlike extant anti-sat weapons which are short-range suborbital), which would mean a full orbital launch for every satellite target orbit. There's hundreds[0] of Starlink orbital groups already, so that'd require hundreds of independent orbital launches in a short timescale—far beyond China's launch capabilities today.
(On general principles, you could argue you'd need 1:1 launch vehicle parity (number, not payload) to defeat a satellite constellation this way. For each satellite launch, you'd need one corresponding anti-satellite launch into that same, newly-defined orbit).
If you make a dense-ish cloud that cuts across the Starlink orbits you'd eventually intersect them all if you could make the artificial debris field last. It wouldn't require that many different counter orbiting fields to cover most of the orbits.
Yes but there's so many starlinks that you're going to get lots and lots of collateral damage to sats from allies and enemies alike. It's going to be a huge footgun.
Not much else uses those orbits right now. Other comms satellites and surveillance birds are all higher up. The debris would in theory also clear pretty quickly and should be fairly contained so the cascade of additional damage might be relatively small too. Hard to know that without a huge simulation budget to see how high the shattered satellite bits might get tossed.
For your shrapnel to hit the satellite, it needs to be at the same height and inclination. Otherwise, your shrapnel will likely miss the targets.
Starlink satellites are pretty low and experience a lot of drag, with square-cube law working against you. Your shrapnel's orbit will likely decay pretty rapidly.
No it does not. Against a huge state adversary like China it does not matter. They have satellites looking down so they can quickly locate any starlink users. And then ...
The only thing that could bypass is GPS + laser links (meaning physically aiming a laser both on the ground AND on a satellite). You cannot detect that without being in the direct path of the laser (though of course you can still see the equipment aiming the laser, so it doesn't just need to work it needs to be properly disguised). That requires coherent beams (not easy, but well studied), aimed to within 2 wavelengths of distance at 160km (so your direction needs to be accurate to 2 billionths of a degree, obviously you'll need stabilization), at a moving target, using camouflaged equipment.
This is not truly beyond current technology, but you can be pretty confident even the military doesn't have this yet.
The aim doesn't need to be that accurate. Laser beams diverge due to diffraction. You can't break the laws of physics - a non-divergent laser beam would need to be infinitely wide. A 1cm wide laser beam of 700nm light will have a divergence width of approximately asin(0.0000007/0.01) which is 0.004 degrees, which is 14 arcseconds, which is very easily aimable using off-the-shelf components. People get a tracking accuracy around 1 arcsecond using standard hobbyist telescope mounts.
However, this solution is going to stop working when a cloud drifts past.
> However, this solution is going to stop working when a cloud drifts past.
Not really, because you'd be using a frequency that passes through clouds. A snow storm or hail is impenetrable, and there are weather events that cause a 1-2 second blackout, as well as cause refraction (which is mostly a challenge in reaiming the beam fast enough to compensate), but anything in the air is fine. Clouds, mist, ... But is aiming at a 1 arcsecond target moving across the sky at at least 1 degree per second from a normal (ie. moving) building really doable with "standard hobbyist telescope mounts" ?
I know 5 years ago we were still doing this with lasers on rockets toward planes, because planes can just keep their angle to a rocket essentially constant. I know there's experiments doing direct laser to satellite, no idea how well that works.
You are correct in that most "hobbyist telescope mounts" are good for tracking stars at ~1 arcsecond, only where those stars don't move across the sky very quickly (up to 15 arcseconds/second). However, it is quite within the realm of "hobbyist" telescope mounts, albeit towards the upper end, to track orbital objects. I have seen an example of a telescope mount tracking the international space station to get good images, and the tracking was pretty solid. It is assisted by a secondary telescope on the mount that helps the mount maintain good tracking, not just pre-knowledge of where the object will be.
The clouds are however much more of a problem than you're suggesting. One promising infrared band is around 10 microns, but a thick cloud will still scatter that. You'd need a 20cm wide laser beam at that wavelength for it to diverge to a beam width of around 10 arcseconds. Which is basically a reasonably-sized telescope, working in reverse.
Alternatively, you could go for millimeter waves, which would pass through the clouds reasonably well, but then you're well outside the realms of "laser" and into the standard directional dish antenna. And it'd have to be a very large dish to give you a narrow beam. For instance, a rather unsubtle 2 metre wide dish with a 1mm wavelength will give a beam that diverges by 100 arcseconds. And there will probably be omnidirectional leakage which the dastardly authorities are likely to be able to detect. At least visible and infra-red leakage can be easily blocked and concealed, but radio is much harder.
What makes it so that this kind of precision is required? I have little knowledge of the physics behind it, but a few decades ago, a local university had an open day where they bounced lasers off of a retro reflector on the moon to measure the distance: https://en.wikipedia.org/wiki/Lunar_Laser_Ranging_experiment...
The moon is 700 times farther away than the starlink satellites (or twice that, if you consider the bounce), so I find it hard to imagine that it would be impossible to communicate with much closer satellites over laser when both sides can have an active transmitter.
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes
That's what's so great about LoRa. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35USD ON AMAZON. Least txts get through.
FT8 has such a small payload that you couldn't fit an emoji, much less an average English sentence.
There's no authentication so anyone can pretend to be you. Traditional methods of verifying the sender (HMAC) would take so many hours to transmit that the physical propagation paths you're communicating through will probably collapse before you deliver the smallest verified message.
If you need to communicate information, FT-8 is not for you.
Agreed but if you're trapped in a war zone, time is one thing you have. And equipment for FT8 is simple to build yourself. It's also very difficult to trace. And you can take up some fields used for other stuff and convert them to data (like the sender). This would be illegal on amateur bands since it's required to identify oneself but again in a war situation this is less relevant since any covert communication will probably be forbidden anyway.
You do need a time source though. GPS is generally used for that but it doesn't need to be extremely accurate with FT-8 like with some other protocols.
I would imagine using it for a regular "I'm ok" message for the home front in such a situation using pre-arranged contents.
Local police are already equipped with signal jammer cars. Usually only used in the college entrance exam period. They also appeared in a recent protest in Jiangyou city.
Look up Meshtastic. It’s kinda fun. Can chat with random people around you. But I don’t think it’s really that useful unless you have a really good spot like an antenna on your roof with no trees or buildings in the way.
It's not that finicky in practice. I live in a heavily wooded area and I can still see plenty of nodes, some pretty far away. Trees are actually somewhat helpful there because you can easily rig up a node up high by throwing a line over a branch.
I live in the suburbs, not really any high rises around me but some townhouses, I can “see” 180 nodes, but I can’t reliably message my friend 1km away. I get a lot of messages on the public chat but if I send one it’s a 50/50 if it will be acknowledged by any nodes.
I tried it while staying in a high rise hotel and the experience was great. Instant acknowledgement and super reliable communication
The most depressing is that what happens in China, will eventually happen in the west too. I'm sure certain US, UK, and EU bureaucrats are already crafting campaigns about how this ability will 'save the children' and that it should be implemented immediately (politicians and certain other selected people will be exempt of course).
There's nothing inevitable about this. Civil society needs to organize, coordinate, and spend money on PR about this.
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
It's inevitable because we've seen time and again that all it takes to get the public opinion behind this kind of thing is to talk about how it is needed to catch pedophiles and terrorists.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
It is inevitable, because the means by which civil society can organize, coordinate, and spend money on PR about this, are all firmly in the control of a very few people. These same people are generally on the side of more centralized control, because they are the ones who will wield it.
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream that isn't blocked (using V2ray or similar). There's a reason why Shadowrocket is the number 1 app on the app store. I'm sure there are a lot of cases of people using e.g., off-the-shelf VPN apps and have trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.
If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.
From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.
The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.
The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.
Thanks for the reply. In order to connect to the VPN, your first call must be over https, from China, to the VPN. How does that circumvent the phenomenon in the article, where a nation state was injecting TCP to cause your connection to hang up, thus no VPN connection?
You do not establish a VPN connection in the clear. You must give your client the encryption key before connecting. All transactions are fully encrypted from the beginning.
Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.
Also VPNs are typically UDP, but there's no hard requirement as far as I know.
Awesome thanks for all of that. Then it sounds like the only way a nation state could block VPNs is if they decided to "go nuclear" and do what the person above said-- block anyone who they detect is using a VPN/encrypted channel.
Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
Yeah, have used one. Mine was a downloadable eSIM and meant for foreign travelers with a 1-week plan. It actually establishes an IPsec VPN to the origin country. Beijing dare not block foreigners' roaming services.
I definitely appreciate that a percentage of so called "employees" are actually just full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
If you get a green card and leave the us for any amount of time, on return the border agent makes a determination on the spot if you intended to live abroad.
Less than six months is simply less suspicious than more.
And what are you supposed to do if they make a determination against you, return to your passport holding country and hire a lawyer?
If the answer is yes, well then it is yet more proof that the US immigration system operates basically extrajudicially just like the IRS and ATF, and only occasionally do the courts pull them back in after much hardship for the plaintiff.
Words and policies are supposed to have meaning, and I doubt we'll get any charts or graphs on border refusals per amount of time spent abroad for GC holders.
I live in a popular Digital Nomad friendly country, and myself included, work with Europe/American companies roughly matching their time zones.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
Sadly much more common than it should be. The durations vary widely, but with the price of airline tickets and the nature of corporate software engineering jobs, it's extremely easy to self-justify a month abroad. The US government allows 6 months officially for green card holders.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
China spans 9.6M km. It has some of the biggest and most modern megacities (Beijing, Shanghai, Chongqing, Shenzhen to name a few) and features ancient historical wonders like the Great Wall, Forbidden City and Terracotta Warriors.
The nature spans salt lakes and rainbow mountains akin to South America, to the Northern Lights in Mohe down to karst formations of Guilin shared with Vietnam's Halong Bay.
The cuisine is diverse and dishes popular in places like Xi'an reveal lasting influences dating back to the Silk Road.
If you can't find "somewhere really nice" amongst the myriad people and locations you haven't tried.
I don't want to try when they have an authoritarian government.
Visiting somewhere means submitting yourself to their laws. With China's, that's not an option for me. Having restricted communication with home is a dealbreaker too. I would not let that stand so I'd have to break their laws.
It may be a beautiful country but it's not a beautiful place to be. At least not for someone like me.
Though having said that there are many places I refuse to travel to. The US is currently one as well for obvious reasons.
No I have not. And I never will unless their government gives up its autocratic tendencies. I would never submit to that. Because of that it doesn't matter how beautiful it is, for me it will not be a nice place to be.
You say that because you don't hold a Chinese or Indian passport. Now think of those who do, who have family obligations, food preferences, local bank accounts.
> You say that because you don't hold a Chinese or Indian passport.
Not really. People like it in China, regardless of whether they're Chinese.
I took an English teaching certification course in Shanghai. The teachers for that course were used to rotating around the world as the company held courses in various random locations.
One day the teachers asked what was apparently a standard question for them, "are you planning to stay here after you get the certification?"
And they were flabbergasted when everyone answered yes. Apparently in most of the locations that offer CELTA courses, the majority of people come for the course and get out as soon as they can.
I didn't think so. There were only two or three students in that course who held a Chinese passport. There were almost as many Ethiopians. A clear majority was Americans, some ethnically Chinese, some white.
The teachers, incidentally, were British and New Zealander, and they were firm about instructing us in teaching British pronunciation. I assume most of the students went on to ignore that part of the curriculum.
Well for starters recreate the situation and test out different approaches. Thanks to the detailed analysis that can be attempted.
If I understand right, a good next step would be, with eBPF or some type of proxy, to ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
Continents are a social construct. In North American English, we typically divide the Americas into a North and South America. The collective noun for North and South America is the Americas. (Though this remains ambiguous in respect of the Caribbean and Pacific Islands.)
Getting pedantic about calling America America is sort of like insisting on referring to China as Zhonghua. Like, sure. Whatever. But you’re clearly insisting on substituting a substantial discussion with a semantic one.
I thought continents are a geographical term divided by tectonic plates and such. Still seems to be weird to single out a single country to assign the name of a continent.
> thought continents are a geographical term divided by tectonic plates and such
Common misconception, but incorrect. Here is a map of major tectonic plates [1]. They sort of map to our continents. But only loosely. European countries often fissure Eurasia, same way many Spanish-language countries unify the North American, South American, Caribbean, Cocos, Nazca, Scotia and Juan de Fuca plates into an Americas. (Or include the Arabias and India in Asia, et cetera.)
> seems to be weird to single out a single country to assign the name of a continent
New Zealand doesn’t like the Australian plate, Trump doesn’t like the Gulf of Mexico, Riyadh the Persian Gulf, et cetera. At the end of the day, you have to decide if you’re having a substantive or semantic discussion. I personally tend to find the latter boring and repetitive unless actually digging into the meat of the issue (versus the usual “I like to say it this way QED”.)
I'm speaking as someone who has done a bit of research into this topic.
I'm not aware of a single example of an English-speaking country that teaches that there's a continent named "America." It's taught as two continents: North America and South America. "America" is just short for the "United States of America," and in English it's entirely unambiguous.
Even the phrase Americentrism undermines your point. This is like reading about a Dacian complaining about the Romans using the term Mare Nostrum. Nobody really pays any mind to the client states of an empire.
I would not say "unambiguously" when it comes to natural languages.
And no, "America" may have referred to the US when I was a kid and here in Central Europe we had Back to the Future type of shoes with the American flag, yeah, and I would not say unambiguously so.
If someone says "America" to refer to a place, they really ought to specify if they want you to understand them.
I can't think of any English speaking countries in central Europe off the top of my head.
"America" is short for "The United States of America" in English. That's its definition. I don't understand how people have difficulty with this concept.
> The Americas, sometimes collectively called America, are a landmass comprising the totality of North America and South America. When viewed as a single continent, the Americas are the 2nd largest continent by area after Asia, and is the 3rd largest continent by population. The Americas make up most of the land in Earth's Western Hemisphere and constitute the New World.
Yeah, OK, not sure "America" refers to The Oh-So-Great United of America according to this. Guess what? You can find 10 in each direction. Specify. If you disagree with "one should specify", why down-vote? Baffling, baffling indeed.
It’s a silly side discussion in which nothing new is being said. Complaining that America generally refers to the country is a hobby for some folks, and that’s fine, but it’s only entertaining for them.
If someone needs the America you’re talking about specified, i.e. they can’t figure it out from context, the discussion is sort of moot. (Same way one can use the word Europe despite it being incredibly ambiguous. Overspecificity comes at the cost of conciseness.)
I keep getting down-voted, but I have never been against being specific, in fact, I was advocating to be specific[1], i.e. North American, Latin American, South America, etc.
[1] "If someone says "America" to refer to a place, they really ought to specify if they want you to understand them.".
Additionally, natural languages are inherently ambiguous.
If someone can’t figure out what America I’m referring to when comparing America and China, I’m not sure how much useful conversation is left in them on the topic.
Reading this interchange, I think I'd really enjoy a forum where all the responses a poster thinks they'd want to make in a thread are pre-committed-- but not yet viewable-- when the initial comment is posted. Any consequent responses in that thread are then limited to those that are pre-committed-- e.g., that user can select them from a dropdown-- and the full list of pre-commitments is (eventually?) publicly viewable.
Maybe that doesn't apply to what you're replying to here. But my gut is that anything nested deeper than level 2 on HN is one or more respondents doing low-effort, pedantic heel-digging. (Single exception for any and all of Alan Kay's posts where the references cited are always worth whatever level the nesting is at.)
> A Brief, Incomplete, and Mostly Subjective History of Chinese Internet censorship and its countermeasures
https://danglingpointer.fun/posts/GFWHistory
Posted 6 days ago (https://news.ycombinator.com/item?id=44898892)
Thanks for sharing this. I researched this for my A level project a few years ago, and this is a really neat cross reference. I didn't mention V2Ray as much.
How is traffic controlled inside PRC? Is GFW a central hub for all traffic between all hosts? Or between residential ASNs and commercial ones only? In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting. Maybe internal traffic is just all banned?
> How is traffic controlled inside PRC?
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) were once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to have a centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has a more centralized system like China, controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
It's in operators but managed by the regional government.
So what's blocked differs by region
Not only individuals, but also major companies were locked down. If this was a dry run for "certain measures" in the future, I can't believe how much of a blow it would cause to the economy. Therefore, I think this was more of a human error.
Determining the scope of the impact would also be part of such a dry run. And if it is meant to be used along some kind of military action then it's going to throw the economy into chaos anyway.
As an aside, it’s incredible how many internal Chinese websites are completely unsecured with a certificate and don’t use HTTPS and require login.
Terrible, this is Internet curfew. It's not uncommon to imagine they'd shut down the Internet across the border during any war (like against Taiwan).
> Terrible, this is Internet curfew.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality is much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.
"Xia" would map to a single character (code point) in Chinese. For instance, in simplified Chinese, it could be 下 (xia, meaning down), 侠 (martial arts - like the xia in wuxia), or any number of other homophones. Since the characters are already combinatorial, I'm not sure a Chinese speaker would think of this as a portmanteau.
AWS in China also doesn't have the Key Management Service, which leads me to conclude it must be pretty secure.
I added an A record for subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
Or they just don't want to be put in the position of having to give out keys.
I think the real paranoid people use cloudHSM.
Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHSM uses PKCS #11/JCE and a separate permissions system.
The docs say both use HSM. Under "Secure" in the accordion menu https://aws.amazon.com/kms/features/#topic-0
My understanding is that AWS KMS uses AWS designed HSMs and is tightly integrated with all AWS services, while CloudHSM uses LiquidSecurity 2 Cloud HSM adapters and uses more conventional APIs.
https://www.marvell.com/products/security-solutions/liquidse...
>My understanding is that AWS KMS uses AWS designed HSMs
That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload)
Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.
> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
I guess they would find it the moment someone in China using a Chinese resolver tries to resolve your rogue record, since that would recurse to one of the root mirrors in China, which presumably feeds this mechanism.
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
I swear to use this power only for lulz.
I wonder if this is actually tied to Chinese domains and Chinese run registrars? That way it would be easy to flag the usage of foreign nameservers and there's no DoS risk.
What about other protocols, could you run eg Gopher or NNTP? I guess IMAP could work as well.
> It should also be displayed in the site, like a license plate.
https://de.wikipedia.org/wiki/Impressumspflicht (Mandatory real name & address, not only for business, but private persons with web presence, too.)
Same for Domain/DNS (which applies to everything in the European Union).
Not all Western companies comply with Beijing, like Route53, a name I've never heard of; Cloudflare seems to be most popular in China.
But yeah, they can shut down anything unless proxy servers are widely used, as in <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
AFAIK Route53 is AWS’s managed DNS product, not a company.
OK, AWS again, I know it not only complies with Beijing but also Russia and many other dictatorships. Banned domain fronting and recently enforced S3 bucket-based subdomains for government to better inspect.
Their point is if you’re served within China (aka hosted off a chinese IP, or accessing anything from a Chinese IP) it doesn’t matter if the other company interacts or complies with China’s rules - the other half of the transaction will be blocked.
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with its purpose.
Technology backed by force is not impressively effective as a technology.
So nuclear weapons were and are totally boring and unimpressive?
Not only that, it seems to be entirely unimpressive: The premise is that they would be able to allow everything except for what they want to censor, which isn't what they're doing.
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
You’re just ignorant of what it does. The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.
It really isn’t dumb at all, and is quite difficult to get past.
It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
At massive (national) level scale.
Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.
> The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.
They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.
The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.
> It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.
Sure, that’s why saying things like Tiananmen Square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.
The GFW is run by the definition of a Nation State Actor/NPT. They’re not perfect, or omniscient, but they aren’t fools or incompetent either.
And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
In fact, it’s a common tactic to do something unusual, in a recurrent way, so people aren’t alerted when it happens for real. (When the Mossad stole 7 boats from a French port (that they had fully paid), they prepared a few months in advance by having the pilots start the engines every night at 23:00, pretending they needed it against the cold temperatures. When the day came, they started the engines and left, no-one saw it coming).
It could also be a test to look for surprising things that break, in case they want to do this permanently at some later point.
Hanlon's and Occam's razors point to it being a mistake by the GFW operators, imo.
If it's on purpose, I think you have the most likely motivation.
You shouldn't use razors haphazardly or you might cut yourself.
A mistake that also weirdly increments some TCP fields for the three subsequent RST packets when that's not how the existing GFW devices behave would need some explanation before you could conclude it to be the most likely explanation.
A new hardware/software rollout is one of the more common breakage situations, though. It definitely could have been on purpose but my gamble is still on a fuckup with a new system rollout.
It was five boats [1], a good story nonetheless. Think whatever you want about Mossad, it can not be denied that these guys have balls.
[1] https://en.wikipedia.org/wiki/Cherbourg_Project
One might even say they have chutzpah.
Could you bring something like a Starlink mini for backup, I wonder? I'd imagine this would be very worrying being stuck there as a foreigner in such a situation.
Starlink connects you to the internet via a ground station in the country where you are registered, and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
> Starlink connects you to the internet via a ground station in the country where you are registered
Not true anymore.
> and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
This is still correct.
> Not true anymore.
It’s still true because in order to be operating in a country Starlink has to get approval from the Gov and if the Gov requires Starlink to have to connect through a ground station then they’ll either comply or not operate in that country.
They have a minor capability to do intra-constellation routing now but if they want to operate in China the authorities are going to demand all data be downlinked through Chinese downlink stations so they can do their monitoring.
I wasn't aware that China does this. I know India does too though, for this reason only Inmarsat is allowed there because they cooperate with the authorities (and I believe even that is subject to local licensing).
Though India doesn't have a great firewall so it's much less of an issue for foreigners visiting there.
I don't know specifically that they do but it makes sense they would and Musk has a lot of points where China can squeeze him if he tries to not comply and China takes their internet monitoring seriously so I can't see them not demanding it.
You can still bring a foreign SIM card. 100% effective (via data roaming) at bypassing the firewall, but expensive.
Oddly, many travel SIMs have started to route traffic through China. I used one in India that clearly routed through Hong Kong, and caused a lot of problems.
A friend of mine tried, no signal.
If war breaks out, it'll likely be enabled.
No it won't but if it did it would take just a few hours for China to shoot a bunch of them down and with how tightly packed their orbits are the debris would take care of the rest.
I’m not so sure debris would help take down other satellites in that orbit. The orbit is very low so much of the debris that ends up with a deviation in its orbit will fall down. Even if it doesn’t there’s still air resistance up there which may cause more of the debris to deorbit before it has time to hit other satellites.
And I doubt China would want to make LEO impossible to move through anyway. It’d affect China badly as well.
potentially very dangerous for everyone if they did that. could make it impossible for even them to make a launch. Kessler Syndrome is nothing to toy with.
space is huge and the orbit is low. I'm not so sure debris would be as effective as on higher orbits.
Starlink are very low orbit. Easy to bring down.
Very expensive to take down 10-100k at once. No one today has that many antisat-capable missiles stockpiled.
Relevant, Chinese domestic media reporting on China's own perspective:
https://www.scmp.com/news/china/science/article/3178939/chin... ("China military must be able to destroy Elon Musk’s Starlink satellites if they threaten national security: scientists" (2022))
> "Researchers call for development of anti-satellite capabilities including ability to track, monitor and disable each craft / The Starlink platform with its thousands of satellites is believed to be indestructible"
"Easy to bring down" vs. "believed to be indestructible"—some tension there!
EMP?
At the point anyone is using nukes in LEO, things have gotten really out of control already.
If you're talking about nuclear weapons, their major effect on satellites (Starfish Prime as the reference point) isn't EMP effects, but ionizing radiation—creating a persistent radiation belt of MeV electrons. (A physical process that took months to disable some satellites). Beyond that I don't know much.
how though?
https://en.wikipedia.org/wiki/2007_Chinese_anti-satellite_mi...
Every major power has polluted near Earth space as a show of power.
One missile for one satellite? This gets expensive really fast.
They follow well defined orbits and are propellant limited. You could easily cover their trajectory with some shrapnel and attack it one lane at a time.
Not feasible. That would entail putting shrapnel into orbit (unlike extant anti-sat weapons which are short-range suborbital), which would mean a full orbital launch for every satellite target orbit. There's hundreds[0] of Starlink orbital groups already, so that'd require hundreds of independent orbital launches in a short timescale—far beyond China's launch capabilities today.
[0] https://planet4589.org/space/con/star/planes.html
(On general principles, you could argue you'd need 1:1 launch vehicle parity (number, not payload) to defeat a satellite constellation this way. For each satellite launch, you'd need one corresponding anti-satellite launch into that same, newly-defined orbit).
If you make a dense-ish cloud that cuts across the Starlink orbits you'd eventually intersect them all if you could make the artificial debris field last. It wouldn't require that many different counter orbiting fields to cover most of the orbits.
Yes but there's so many starlinks that you're going to get lots and lots of collateral damage to sats from allies and enemies alike. It's going to be a huge footgun.
Not much else uses those orbits right now. Other comms satellites and surveillance birds are all higher up. The debris would in theory also clear pretty quickly and should be fairly contained so the cascade of additional damage might be relatively small too. Hard to know that without a huge simulation budget to see how high the shattered satellite bits might get tossed.
Have you ever heard of https://en.wikipedia.org/wiki/Project_West_Ford ?
For your shrapnel to hit the satellite, it needs to be at the same height and inclination. Otherwise, your shrapnel will likely miss the targets.
Starlink satellites are pretty low and experience a lot of drag, with square-cube law working against you. Your shrapnel's orbit will likely decay pretty rapidly.
Tiny propellant burns turn into thousands of kilometer changes quickly.
Entirely speculation.
Of course it is entirely speculation. But there are previous datapoints you can look at (i.e. Iran).
Elon doesn't sell cars or Powerwalls in Iran.
Very easy to jam.
Also, fairly easy to find from the air.
Depends on if Elon wants to be sanctioned by PRC or not.
https://www.theverge.com/2022/10/10/23397301/elon-musk-starl...
Depends a lot whether Starlink decides to let you.
No it does not. Against a huge state adversary like China it does not matter. They have satellites looking down so they can quickly locate any starlink users. And then ...
The only thing that could bypass is GPS + laser links (meaning physically aiming a laser both on the ground AND on a satellite). You cannot detect that without being in the direct path of the laser (though of course you can still see the equipment aiming the laser, so it doesn't just need to work it needs to be properly disguised). That requires coherent beams (not easy, but well studied), aimed to within 2 wavelengths of distance at 160km (so your direction needs to be accurate to 2 billionths of a degree, obviously you'll need stabilization), at a moving target, using camouflaged equipment.
This is not truly beyond current technology, but you can be pretty confident even the military doesn't have this yet.
The aim doesn't need to be that accurate. Laser beams diverge due to diffraction. You can't break the laws of physics - a non-divergent laser beam would need to be infinitely wide. A 1cm wide laser beam of 700nm light will have a divergence width of approximately asin(0.0000007/0.01) which is 0.004 degrees, which is 14 arcseconds, which is very easily aimable using off-the-shelf components. People get a tracking accuracy around 1 arcsecond using standard hobbyist telescope mounts.
However, this solution is going to stop working when a cloud drifts past.
> However, this solution is going to stop working when a cloud drifts past.
Not really, because you'd be using a frequency that passes through clouds. A snow storm or hail is impenetrable, and there are weather events that cause a 1-2 second blackout, as well as cause refraction (which is mostly a challenge in reaiming the beam fast enough to compensate), but anything in the air is fine. Clouds, mist, ... But is aiming at a 1 arcsecond target moving across the sky at at least 1 degree per second from a normal (i.e. moving) building really doable with "standard hobbyist telescope mounts"?
I know 5 years ago we were still doing this with lasers on rockets toward planes, because planes can just keep their angle to a rocket essentially constant. I know there's experiments doing direct laser to satellite, no idea how well that works.
You are correct in that most "hobbyist telescope mounts" are good for tracking stars at ~1 arcsecond, only where those stars don't move across the sky very quickly (up to 15 arcseconds/second). However, it is quite within the realm of "hobbyist" telescope mounts, albeit towards the upper end, to track orbital objects. I have seen an example of a telescope mount tracking the international space station to get good images, and the tracking was pretty solid. It is assisted by a secondary telescope on the mount that helps the mount maintain good tracking, not just pre-knowledge of where the object will be.
The clouds are however much more of a problem than you're suggesting. One promising infrared band is around 10 microns, but a thick cloud will still scatter that. You'd need a 20cm wide laser beam at that wavelength for it to diverge to a beam width of around 10 arcseconds. Which is basically a reasonably-sized telescope, working in reverse.
Alternatively, you could go for millimeter waves, which would pass through the clouds reasonably well, but then you're well outside the realms of "laser" and into the standard directional dish antenna. And it'd have to be a very large dish to give you a narrow beam. For instance, a rather unsubtle 2 metre wide dish with a 1mm wavelength will give a beam that diverges by 100 arcseconds. And there will probably be omnidirectional leakage which the dastardly authorities are likely to be able to detect. At least visible and infra-red leakage can be easily blocked and concealed, but radio is much harder.
What makes it so that this kind of precision is required? I have little knowledge of the physics behind it, but a few decades ago, a local university had an open day where they bounced lasers off of a retro reflector on the moon to measure the distance: https://en.wikipedia.org/wiki/Lunar_Laser_Ranging_experiment...
The moon is 700 times farther away than the starlink satellites (or twice that, if you consider the bounce), so I find it hard to imagine that it would be impossible to communicate with much closer satellites over laser when both sides can have an active transmitter.
You want to hide, with sufficient guarantees, from someone looking down from above.
The infrastructure for that kind of control clearly already exists. What's unclear is how coordinated or deliberate these events are versus being side effects of testing or internal changes
That's what's so great about LoRA. Decentralized txt msgs, ultra cheap radios people run at home or wherever. $10-35USD ON AMAZON. Least txts get through.
It won't get you from where you are to China though.
No but something like WSPR or FT8 would. Needs a license though.
FT8 has such a small payload that you couldn't fit an emoji, much less an average English sentence.
There's no authentication so anyone can pretend to be you. Traditional methods of verifying the sender (HMAC) would take so many hours to transmit that the physical propagation paths you're communicating through will probably collapse before you deliver the smallest verified message.
If you need to communicate information, FT-8 is not for you.
Agreed but if you're trapped in a war zone, time is one thing you have. And equipment for FT8 is simple to build yourself. It's also very difficult to trace. And you can take up some fields used for other stuff and convert them to data (like the sender). This would be illegal on amateur bands since it's required to identify oneself but again in a war situation this is less relevant since any covert communication will probably be forbidden anyway.
You do need a time source though. GPS is generally used for that but it doesn't need to be extremely accurate with FT-8 like with some other protocols.
I would imagine using it for a regular "I'm ok" message for the home front in such a situation using pre-arranged contents.
At a whole 3kbps and line of sight!
Local police are already equipped with signal jammer cars. Usually only used in the college entrance exam period. They also appeared in the recent protest in Jiangyou city.
That would be LoRa. LoRA is a different thing.
Can you recommend a guide? I’m interested in trying it out.
Look up Meshtastic. It’s kinda fun. Can chat with random people around you. But I don’t think it’s really that useful unless you have a really good spot like an antenna on your roof with no trees or buildings in the way.
It's not that finicky in practice. I live in a heavily wooded area and I can still see plenty of nodes, some pretty far away. Trees are actually somewhat helpful there because you can easily rig up a node up high by throwing a line over a branch.
I live in the suburbs, not really any high rises around me but some townhouses, I can “see” 180 nodes, but I can’t reliably message my friend 1km away. I get a lot of messages on the public chat but if I send one it’s a 50/50 if it will be acknowledged by any nodes.
I tried it while staying in a high rise hotel and the experience was great. Instant acknowledgement and super reliable communication
The most depressing is that what happens in China, will eventually happen in the west too. I'm sure certain US, UK, and EU bureaucrats are already crafting campaigns about how this ability will 'save the children' and that it should be implemented immediately (politicians and certain other selected people will be exempt of course).
There's nothing inevitable about this. Civil society needs to organize, coordinate, and spend money on PR about this.
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
It's inevitable because we've seen time and again that all it takes to get the public opinion behind this kind of thing is to talk about how it is needed to catch pedophiles and terrorists.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
It is inevitable, because the means by which civil society can organize, coordinate, and spend money on PR about this, are all firmly in the control of a very few people. These same people are generally on the side of more centralized control, because they are the ones who will wield it.
> Right now liberal people mostly sit back and wait for things to get better
First they came for the socialists, and I did not speak out because I was not a socialist.
Then they came for the trade unionists, and I did not speak out because I was not a trade unionist.
Then they came for the Jews, and I did not speak out because I was not a Jew.
Then they came for me and there was no one left to speak for me.
Precisely. Works every time. It's like a zero-day exploit on society.
Well slightly updated version today would be: Immigrants, Anti-Zionists, Socialists, Homeless, Welfare recipients, ...
Think of how many people who have remote jobs with American companies couldn't connect to their meetings while they "work from home" while secretly being in China!
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream that isn't blocked (using V2ray or similar). There's a reason why Shadowrocket is the number 1 app on the app store. I'm sure there are a lot of cases of people using e.g., off-the-shelf VPN apps and have trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.
How do you propose users in China will magically get around a nation state injecting packets?
That's literally what VPNs are for.
If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.
From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.
The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.
The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.
Thanks for the reply. In order to connect to the VPN, your first call must be over https, from China, to the VPN. How does that circumvent the phenomenon in the article, where a nation state was injecting TCP to cause your connection to hang up, thus no VPN connection?
VPN doesn't need HTTPS nor does it need TCP
You do not establish a VPN connection in the clear. You must give your client the encryption key before connecting. All transactions are fully encrypted from the beginning.
Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.
Also VPNs are typically UDP, but there's no hard requirement as far as I know.
Awesome thanks for all of that. Then it sounds like the only way a nation state could block VPNs is if they decided to "go nuclear" and do what the person above said-- block anyone who they detect is using a VPN/encrypted channel.
Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.
> using V2ray or similar
How many people suddenly "lost internet" mid-meeting and had to blame it on their router...
> Normally they have to fight VPN issues anyway
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
Yeah, have used one. Mine was a downloadable eSIM and meant for foreign travelers with a 1-week plan. It actually establishes an IPsec VPN to the origin country. Beijing dare not block foreigners' roaming services.
I suspect those connections worked fine.
It’s good to know the boss.
I definitely appreciate that a percentage of so called "employees" are actually just full fledged Chinese nationals, living permanently in China, paid a salary to pretend to be an American who had their identity stolen.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
The green card isn't citizenship, you lose it if you don't live in the US. It's not like they don't know when you enter or exit the country.
6 months is a very long time.
There is no magic amount of time.
If you get a green card and leave the us for any amount of time, on return the border agent makes a determination on the spot if you intended to live abroad.
Less than six months is simply less suspicious than more.
And what are you supposed to do if they make a determination against you, return to your passport holding country and hire a lawyer?
If the answer is yes, well then it is yet more proof that the US immigration system operates basically extrajudicially just like the IRS and ATF, and only occasionally do the courts pull them back in after much hardship for the plaintiff.
Words and policies are supposed to have meaning, and I doubt we'll get any charts or graphs on border refusals per amount of time spent abroad for GC holders.
Well yes the actual please has meaning.
Green cards are for people who intend to continuously be resident in the United States.
If you go home for 3 months and get a job and rent a house then you no longer continuously reside in the united states.
It's that simple, but there's no hard or fast rule on how many days.
Not with my amount of doctor visits it is not.
2019 feels like 6 months ago.
Feels more like 20 years ago.
So much has happened since then...
How common can this really be? And what kind of companies? I’m finding it really hard to imagine this to be widespread.
I live in a popular Digital Nomad friendly country, and myself included, work with Europe/American companies roughly matching their time zones.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
Microsoft was caught doing it for the US federal government, so presumably Chinese software engineers are working on other Microsoft products too.
I'll just say Microsoft is not the only company doing that, and there are also Chinese-owned SAASes which American companies pay for.
Sadly much more common than it should be. The durations vary widely, but with the price of airline tickets and the nature of corporate software engineering jobs, it's extremely easy to self-justify a month abroad. The US government allows 6 months officially for green card holders.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
I can give you as much proof as you would like!
Look up the North Korean version of this with the laptop farms
Example: https://www.justice.gov/opa/pr/justice-department-announces-...
Yeah if I'd sneak off to work from another place I'd pick somewhere really nice. Not China.
China spans 9.6M km. It has some of the biggest and most modern megacities (Beijing, Shanghai, Chongqing, Shenzhen to name a few) and features ancient historical wonders like the Great Wall, Forbidden City and Terracotta Warriors.
The nature spans salt lakes and rainbow mountains akin to South America, to the Northern Lights in Mohe down to karst formations of Guilin shared with Vietnam's Halong Bay.
The cuisine is diverse and dishes popular in places like Xi'an reveal lasting influences dating back to the Silk Road.
If you can't find "somewhere really nice" amongst the myriad people and locations you haven't tried.
I don't want to try when they have an authoritarian government.
Visiting somewhere means submitting yourself to their laws. With China's, that's not an option for me. Having restricted communication with home is a dealbreaker too. I would not let that stand so I'd have to break their laws.
It may be a beautiful country but it's not a beautiful place to be. At least not for someone like me.
Though having said that there are many places I refuse to travel to. The US is currently one as well for obvious reasons.
None of that matters when it's not a safe place to be.
Have you ever been to China?
Because they have some of the most beautiful scenery and buildings I've seen and I've been to dozens of countries.
Personally I wouldn't go there for remote work, because the internet interference is a pain but a holiday definitely.
No I have not. And I never will unless their government gives up its autocratic tendencies. I would never submit to that. Because of that it doesn't matter how beautiful it is, for me it will not be a nice place to be.
You say that because you don't hold a Chinese or Indian passport. Now think of those who do, who have family obligations, food preferences, local bank accounts.
> You say that because you don't hold a Chinese or Indian passport.
Not really. People like it in China, regardless of whether they're Chinese.
I took an English teaching certification course in Shanghai. The teachers for that course were used to rotating around the world as the company held courses in various random locations.
One day the teachers asked what was apparently a standard question for them, "are you planning to stay here after you get the certification?"
And they were flabbergasted when everyone answered yes. Apparently in most of the locations that offer CELTA courses, the majority of people come for the course and get out as soon as they can.
We are agreeing with each other
I didn't think so. There were only two or three students in that course who held a Chinese passport. There were almost as many Ethiopians. A clear majority was Americans, some ethnically Chinese, some white.
The teachers, incidentally, were British and New Zealander, and they were firm about instructing us in teaching British pronunciation. I assume most of the students went on to ignore that part of the curriculum.
How would one get around this if they found themselves in such a situation?
In this exact scenario, just use ports other than :443
But GFW certainly had the capability to block all ports. So no one really knew.
Well for starters recreate the situation and test out different approaches. Thanks to the detailed analysis that can be attempted.
If I understand right, a good next step would be, with eBPF or some type of proxy, to ignore the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
> ignore the forged RST+ACK
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
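A capture-side check for the injected RST+ACK discussed in this exchange, as an added example that is not part of any comment in the thread: it flags resets whose IP TTL does not match the sender's other packets, or whose claimed sender keeps sending on the same connection afterwards. The `Pkt` record, the reason labels, the TTL tolerance and the sample capture are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA", "RA", ...
    ttl: int     # IP TTL as seen at the capture point


def flow_key(p):
    # Direction-independent key so both halves of a connection group together.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def find_suspect_resets(packets, ttl_tolerance=2):
    """Return [(packet, reasons)] for RSTs that look injected by a middlebox."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)

    findings = []
    for pkts in flows.values():
        for p in pkts:
            if "R" not in p.flags:
                continue
            # Non-RST packets claiming the same sender, used as the baseline.
            peers = [q for q in pkts
                     if (q.src, q.sport) == (p.src, p.sport) and "R" not in q.flags]
            reasons = []
            if peers and abs(p.ttl - median(q.ttl for q in peers)) > ttl_tolerance:
                reasons.append("ttl_mismatch")
            # A host that really reset the connection does not keep talking on it.
            if any(q.ts > p.ts for q in peers):
                reasons.append("sender_kept_talking")
            if reasons:
                findings.append((p, reasons))
    return findings


# Constructed capture taken on the client side (documentation address ranges).
C, S1, S2 = "192.0.2.10", "203.0.113.5", "203.0.113.9"
SAMPLE = [
    # Flow 1: RST+ACK "from the server" lands before the real SYN+ACK does.
    Pkt(0.000, C, 51000, S1, 443, "S", 64),
    Pkt(0.012, S1, 443, C, 51000, "RA", 118),   # suspect: TTL 118 vs 49
    Pkt(0.180, S1, 443, C, 51000, "SA", 49),    # genuine server reply
    Pkt(0.181, C, 51000, S1, 443, "R", 64),     # client already gave up
    # Flow 2: an ordinary closed port, which must not be flagged.
    Pkt(1.000, C, 51001, S2, 8443, "S", 64),
    Pkt(1.150, S2, 8443, C, 51001, "RA", 52),
]

if __name__ == "__main__":
    for pkt, why in find_suspect_resets(SAMPLE):
        print(f"{pkt.ts:.3f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags} ttl={pkt.ttl} {','.join(why)}")
```

Both signals are heuristics: a reset sent with the same TTL as the server's own packets passes the first check, which is why the second check (traffic continuing after the reset) is evaluated independently.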
Shouldn’t the rest of the world be blocking connections from China.
That'd be somewhat more workable than blocking importation of anything made in China. Somewhat.
> Imagine what people would say about Cloudflare if they had an hour long outage
That Cloudflare had an outage. Not America.
> That Cloudflare had an outage. Not America.
You probably mean the USA? After all, it was China and not Asia which was responsible for the incident ;)
In English, there is no continent named "America." It's unambiguously used to refer to the United States.
How is the continent called then?
Continents are a social construct. In North American English, we typically divide the Americas into a North and South America. The collective noun for North and South America is the Americas. (Though this remains ambiguous in respect of the Caribbean and Pacific Islands.)
Getting pedantic about calling America America is sort of like insisting on referring to China as Zhonghua. Like, sure. Whatever. But you’re clearly insisting on substituting a substantial discussion with a semantic one.
I thought continents are a geographical term divided by tectonic plates and such. Still seems to be weird to single out a single country to assign the name of a continent.
> thought continents are a geographical term divided by tectonic plates and such
Common misconception, but incorrect. Here is a map of major tectonic plates [1]. They sort of map to our continents. But only loosely. European countries often fissure Eurasia, same way many Spanish-language countries unify the North American, South American, Caribbean, Cocos, Nazca, Scotia and Juan de Fuca plates into an Americas. (Or include the Arabias and India in Asia, et cetera.)
> seems to be weird to single out a single country to assign the name of a continent
New Zealand doesn’t like the Australian plate, Trump doesn’t like the Gulf of Mexico, Riyadh the Persian Gulf, et cetera. At the end of the day, you have to decide if you’re having a substantive or semantic discussion. I personally tend to find the latter boring and repetitive unless actually digging into the meat of the issue (versus the usual “I like to say it this way QED”.)
[1] https://www.usgs.gov/media/images/tectonic-plates-earth
I'm speaking as someone who has done a bit of research into this topic.
I'm not aware of a single example of an English-speaking country that teaches that there's a continent named "America." It's taught as two continents: North America and South America. "America" is just short for the "United States of America," and in English it's entirely unambiguous.
Even the phrase Americentrism undermines your point. This is like reading about a Dacian complaining about the Romans using the term Mare Nostrum. Nobody really pays any mind to the client states of an empire.
I would not say "unambiguously" when it comes to natural languages.
And no, "America" may have referred to the US when I was a kid and here in Central Europe we had Back to the Future type of shoes with the American flag, yeah, and I would not say unambiguously so.
If someone says "America" to refer to a place, they really ought to specify if they want you to understand them.
I can't think of any English speaking countries in central Europe off the top of my head.
"America" is short for "The United States of America" in English. That's its definition. I don't understand how people have difficulty with this concept.
But America isn't a place. There's the Americas, as in plural, referring to the continents of North America and South America.
So America is unassigned, hence why we assigned it to the USA colloquially.
Just for the sake of it I checked Wikipedia.
> The Americas, sometimes collectively called America, are a landmass comprising the totality of North America and South America. When viewed as a single continent, the Americas are the 2nd largest continent by area after Asia, and is the 3rd largest continent by population. The Americas make up most of the land in Earth's Western Hemisphere and constitute the New World.
Yeah, OK, not sure "America" refers to The Oh-So-Great United of America according to this. Guess what? You can find 10 in each direction. Specify. If you disagree with "one should specify", why down-vote? Baffling, baffling indeed.
This wikipedia excerpt aligns exactly with what I said.
There's North and South America. These, together, are the Americas.
America is not that typically. Which makes sense, America is singular. But the Americas are two. So which one are we referring to?
Because if we say both, then the correct term is Americas. If we say just one, then it's North America or South America.
> why down-vote? Baffling
It’s a silly side discussion in which nothing new is being said. Complaining that America generally refers to the country is a hobby for some folks, and that’s fine, but it’s only entertaining for them.
If someone needs the America you’re talking about specified, i.e. they can’t figure it out from context, the discussion is sort of moot. (Same way one can use the word Europe despite it being incredibly ambiguous. Overspecificity comes at the cost of conciseness.)
> Overspecificity comes at the cost of conciseness.
And this is why we have (programming) language wars. Ada or Forth?! :P
I keep getting down-voted, but I have never been against being specific, in fact, I was advocating to be specific[1], i.e. North American, Latin American, South America, etc.
[1] "If someone says "America" to refer to a place, they really ought to specify if they want you to understand them.".
Additionally, natural languages are inherently ambiguous.
So ugh, I do not think we disagree.
If someone can’t figure out what America I’m referring to when comparing America and China, I’m not sure how much useful conversation is left in them on the topic.
Reading this interchange, I think I'd really enjoy a forum where all the responses a poster thinks they'd want to make in a thread are pre-committed-- but not yet viewable-- when the initial comment is posted. Any consequent responses in that thread are then limited to those that are pre-committed-- e.g., that user can select them from a dropdown-- and the full list of pre-commitments is (eventually?) publicly viewable.
Maybe that doesn't apply to what you're replying to here. But my gut is that anything nested deeper than level 2 on HN is one or more respondents doing low-effort, pedantic heel-digging. (Single exception for any and all of Alan Kay's posts where the references cited are always worth whatever level the nesting is at.)
Praise to that. :P
outage would mean a connection timeout
in this case, the connection works fine, some extra RST+ACK packets were delivered to your network on purpose
Which could easily be explained by a buggy rollout to their great firewall. What does China gain from intentionally blocking SSL for one hour?
Data on the impact that such measures would have, should they decide to implement them in the future.
Hanlon's razor
I mean... it got blocked by their censorship infrastructure, does it really matter if it only got misconfigured?
There's no good reason to do that.
But "good reason" depends a lot on your perspective
Yeah, don't want their citizens to voice anti-CCP thoughts
Pretty sure it's an incident.