558 comments

[ 2569 ms ] story [ 4295 ms ] thread
“Two days ago the police came to me and wanted me to stop working on this. Today they asked me to delete all the code from GitHub. I have no choice but to obey.

I hope one day I'll live in a country where I have freedom to write any code I like without fearing.

I believe you guys will make great stuff with Network Extensions.

Cheers!”

Not being facetious here - what country do you live in that you think the government can't/won't interfere with your code?
Maybe China? There's a bit of Chinese in the author's other repos: https://github.com/clowwindy?tab=repositories
From the fact that there's lots of other stuff related to networking/tunneling, and the username has some "Chinese characteristics" to it, I also think it's China.
Yes it's china, because chinese government fears that the citizens who lived in china know about the truth of government's corruption.
Dear Alex, although this may sound like a revelation, but governments do not fear. They are fictitious entities. Non-humans. One may think about them as a software.
Dear ommunist, I think you are right, governments like "Matrix" which control every childprocess.
No, dear. They are just putting childprocesses into existence. If there is no state, there are no citizens.
Knowing about corruption, and being able to get away with it are 2 separate things I think. If you don't abuse people human rights) and give them a good life; you can get away with a lot of corruption I presume.
Perhaps I am misunderstanding your use of English, because it is difficult to see how this is not a facetious question.

There are relatively few countries in which the government both could and would interfere with someone's publication of code, and I think only in China is there both widespread computer use and internet access, on the one hand, and state security actors (the civil police, actually) who have the sophistication and funding to intervene with specific projects such as this one.

Did you mean to ask what country he was in?

I think there are more than a few countries where this sort of thing could easily happen. Tech talks get canceled at the behest of the powers that be with some regularity, I don't think requests to take down source code would be out of the question.

https://www.washingtonpost.com/blogs/the-switch/wp/2014/07/2...

http://www.csoonline.com/article/2947377/network-security/pr...

You think that, but your links are to two cancelled presentations at conferences, neither of which has any clear connection with the 'powers that be', unless you consider the SEI and Carnegie Mellon University to be the 'powers that be'.

Both those conferences occur in a single country, one which was not even able, under its own laws, to effectively suppress the distribution of cryptographic code when it was legally considered to be militarizable as a weapon.

Do you think you're allowed to talk about the government suppressing you?

And the point isn't that they weren't able to suppress crypto code; it's that they tried.

The US does "interfere" with the publication of some code. I'm thinking of cryptography code. Quoting from https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... .

> Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Equipment. ...

> As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license

> ... Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.

But in the US, you can sue the government: https://en.wikipedia.org/wiki/Bernstein_v._United_States
I think you mean "at least", rather than "but"? You'll notice the WP quote I gave includes restrictions post-Bernstein (and links to that case). Even these restrictions count as 'interfer[ing] with someone's publication of code', no?
> There are relatively few countries in which the government both could and would interfere with someone's publication of code

It's not about interfering with someone's publication of code. It's about neutralizing threats to rulers' rule.

China's rulers shut this guy down because his tool might enable too much free speech among the masses, which, in turn, would pose a threat to the government's rule.

As for the idea that "it couldn't happen here!", see how the US government "interfered" with someone's publication of articles: https://www.youtube.com/watch?v=dUYMPZ4nEOY

See also: https://www.youtube.com/watch?v=u2ebudnWlh4

I'd add the USA to that list - plenty of evidence that National Security Letters have been used to stifle/gain access to/alter coding projects in the interests of US GOV.

It's probably even more insidious, because simply confirming the existence of an NSL can be a crime punishable by significant custodial sentences. In the USA, posting "The police asked me to delete this code" could land in you federal pound you in the ass prison for 10+ years.

I find this is a very gentle warning compared to what we hear about secret law enforcement in general and China in particular. Isn't the practice to stage a suicide after deleting his repositories?
Let's hope this isn't one of those cases.
Main site for the software: https://shadowvpn.org

Were the repos mirrored anywhere, or would that present a risk to the original author?

(comment deleted)
It's hard to see how that would present a risk to the original author, given the current circumstances as we know them.

What is described was a visit from the police in which they asked him to take down his own Github distribution. He clearly hasn't been arrested, and although he may be being fined, he doesn't mention it. You will notice that his message encourages others to continue work and is generally unhappy and defiant.

If this was a matter of any seriousness with regards to state security, it seems more likely to me that the repositories would be simply shut down without explanation.

My expectation based on my own few encounters with the regular civil police[1] is that those who specialize in computer matters are unlikely to be idiots; I assume they will know how version control systems work. It would probably be overly cheeky of him to actually contribute to someone's fork, or work on similar software, but there shouldn't be any negative consequences based on what we've heard.

My experience in China is limited, and someone else might offer contradictory insights, but that's what my expectation would be based on that experience so far.

[1] an edit to clarify: "In China."

what was this?
Shadowsocks for iOS Notice: This version is deprecated. Please wait for iOS 9's new VPN API

Features

Shadowsocks is a cross-platform tunnel proxy which can help you get through firewalls.

This iOS version is for non-jailbroken devices. It has two features.

A web browser with all the traffic going through a Shadowsocks proxy A background global proxy, with some restrictions Install

Available on the App Store

Please visit the App Store.

As a web browser

Shadowsocks works as a multi-tab web browser. It's really easy to use.

Tap the + button to open menu. Tap Settings to configure Shadowsocks proxy settings. Tap New Tab to open a new Tab. Tap URL field on the top to input URL. Swipe a tab to scroll the tabs. Hold and press a tab to swap tabs. If you've changed Proxy Mode, a restart is needed to take effect. (Kill the app, then open the app again). As a global proxy

Shadowsocks works as a background global PAC proxy, with some restrictions.

Only works with Wi-Fi network. But we are working on the cellular network. Only works for a few minutes. Due to iOS restrictions, Shadowsocks can't keep running in the background. It's killed after you leave it for a while. To keep it running for an extended period of time, you have to come back to the Shadowsocks app every few minutes. So it's a little tricky to use global proxy.

Set up proxy settings in shadowsocks. Copy this link http://127.0.0.1:8090/proxy.pac Open iOS Settings -> Wi-Fi -> i icon on the right of your connected Wi-Fi -> HTTP Proxy. Choose Auto, paste the link in the URL field. Tap back. Other apps now go through the proxy. If they don't, kill and restart them. Come back every few minutes to keep Shadowsocks running in the background.

Shadowsocks is the most popular solution for circumventing China's GFW these days. It has the advantage of obfuscating the traffic, thus making it hard for GFW to detect it, unlike say SSH or OpenVPN traffic, which are easy to detect.
While I understand what the gov is trying to do, who's to say somebody else that doesn't live in China maintains the project and puts it on GitHub for all the world to see?
Maybe they are going to block or attack GitHub again until GitHub takes down all clones of it.
The Chinese government just has to take control of the repo and make a new commit that contains the word "retard" and GitHub will make sure it never sees the light of day again for them.
They will, one day. anyway Gmail was gone, which I think is the most impossible site to be blocked.

PS: nice to see you here. :)

I was shocked to see Gmail blocked, given how many business users were dependent on it. Previously they didn't censor websites critical to business and economy, but now they seem to be prioritizing control of speech over economic development.
Because it is a lot of hard work without much in the way of rewards or recognition. Hundreds of thousands people use clowwindy's code, some of them even make money by building services using his code, yet very few people are willing let alone be able to contribute. Until a few days ago he was complaining that the user community is now full of leechers and he is pondering when to quit. The police visit was probably the final straw.
And there are more than 500 forks. I'd say good luck deleting that :D
I downloaded the source code on principle. It's good to know there are plenty of online copies.
same did I. Seems like it's pretty good written piece of software, so might be good exercise to hack it a little bit and maybe learn something
In this specific case, DMCA doesn't apply. But it's interesting to read GitHub's policy about taking down forks.

> GitHub will not automatically disable forks when disabling a parent repository. This is because forks belong to different users, may have been altered in significant ways, and may be licensed or used in a different way that is protected by the fair-use doctrine. GitHub does not conduct any independent investigation into forks. We expect copyright owners to conduct that investigation and, if they believe that the forks are also infringing, expressly include forks in their takedown notice.

https://help.github.com/articles/dmca-takedown-policy/

This wasn't a thorough deletion. The shadowsocks-iOS project has been switched to the 'rm' branch, but the 'master' branch still contains all the source code: https://github.com/shadowsocks/shadowsocks-iOS/tree/master There's also a downloadable 2.6.3 release with a built .dmg and source code: https://github.com/shadowsocks/shadowsocks-iOS/releases

Even if it does get completely removed, a duplicate exists on GitLab: https://gitlab.com/mba811/shadowsocks-iOS (No guarantee that it has all the commits prior to deletion, or that it hasn't been modified from the original in some way.)

I can only hope the police in clowwindy's country don't know how to switch GitHub branches.

I don't know what you're talking about. That repo is totally empty. Nothing to see here, move along.

;)

What are you taking about? Does not work. Cannot access the code.
Years ago, news said China "banned" bitcoin, years later miners in China live just fine. I guess this is not going to be so different.
This is different. China(ese government) has a much, much stronger incentive and political resolution to reinforce their Internet speech control than crackdown a couple of bitcoin miners.
> Implying bitcoin has nothing to do with free speech.

I'm saying that the result is not going to be so different, as in people will still use shadowsocks to circumvent the firewall and won't get "disappeared" or whatsoever.

Edit: letters

The only thing that's "banned" regarding bitcoins in china is that financial institutions arn't allowed to trade them. You can mine them, you can set up companies that mine them, you can trade them if you're not a financial institution.
Yes, it's more like regulation that poorly implemented. But less people knew it at the time according to what the news and bitcoin users in China said. As a result, news related to China still can impact the price greatly sometimes, which leads people ask has China really banned bitcoin or not? You could find many discussions in term of this at the time. Of course people by now understand the "ban" itself is limited.
And as an aside they're the easiest way to exchange money when overseas. It's like a bank where the bank meets you at your hotel and gives you cash, and you never have to worry that your PIN won't work or your home bank will decide not to honor your transaction for fraud protection.
That duplicate will get flushed after they run the 'git pruned' on the 2AM cronjob. Nothing to worry about.
That mostly a side effect of GitHub's caching mechanism. It's all gone now.
All of the links in the post you're replying to still work fine for me.
No, it's not there. You must just be seeing something in your browser cache. It's all gone forever. cough wink cough
(comment deleted)
The last commit on the GitLab mirror is cf485148bd9f4d4520d13e2169997cd72464f3c0. On GitHub, it's not the last one, but it's on the first page (not that much commits since).

Because it's the same SHA, and because of the way git works, we know that all the history before it is exactly the same on GitHub and GitLab.

From Wikipedia:

> The Streisand effect is the phenomenon whereby an attempt to hide, remove, or censor a piece of information has the unintended consequence of publicizing the information more widely, usually facilitated by the Internet.

If you control virtually every aspect of media in a country, I don't see how Streisand effect works...
Because hackers will always find a way.
Tell that to the RIAA and MPAA, and every politician wanting more surveillance and censorship. The reality is that law, and money, and force currently, and always will, trump a geek at a keyboard.

Further, please consider that you don't have to kill a thing to control it. Even when something is technically possible, and arguably inevitable, it can still be neutered and effectively subdued. It's all fine and well to say things that suggest the human spirit will always triumph - that's optimism - but the human body can still be held in chains. A technical solution that is only accessible to a tiny set of people, under the right theoretical conditions, does not make freedom a solved problem.

It works in your theoretical scenario unless you also take away word of mouth, international communication, and international travel. I don't see China banning any of those any time soon.
(comment deleted)
Its NOT the police....

ITS THE MOB...

It's worse than either: it's really the government.
I find this comment amazing:

https://github.com/shadowsocks/shadowsocks-iOS/issues/124#is...

Even with root account, you are not in full control of your Mac - you are sandboxed by Apple.

This is the result of a recent change in OS X 10.11, called System Integrity Protection.

It's a big step in the wrong direction [opinion], especially because it does nothing to verify "integrity". It prevents changes to the System directory by conventional means (and injection into system processes).

If malware were to figure out a way to disable SIP from userland, it could install itself in such a way that nothing short of disabling SIP could uninstall it.

Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?

(I have limited experience with OS X - only briefly played around with driver development and bootloaders in the 10.4 era with osx86 - and I did have to boot from the DVD a few times when I made the system unbootable.)

This raises the question, what good is root if it's not really root anymore?

There is a supported option to disable SIP from recovery mode, so there's no need to get around it per se. (Recovery mode because it would be hard to impossible to verify the user's intent when malware that already has root privileges is running...)
> Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?

It's easier than that. It's just a kernel argument to disable it. Simply add "rootless=0" to your boot-args and you have control of your machine back.

I'm running the 10.11 beta and I've already had to disable rootless because I like to have /usr/local as a symlink to somewhere else and by default the rootless configuration prevents writes to /usr. :-/

Does this break homebrew? Or does it only block writes to entries in /usr and not subdirectories like /usr/local ?
You are allowed to write to /usr/local. But making /usr/local itself into a symlink requires writing to /usr which is prohibited. So I was screwed but for the normal case it should work fine.
Apple has stated that the "rootless=0" boot argument to disable System Integrity Protection is temporary and will be gone in the GM version of El Capitan. Allowing this route to disable the feature would defeat the entire purpose of it.
Source? They said in the WWDC session (http://asciiwwdc.com/2015/sessions/706) that the process to disable rootless may change during the beta, but didn't say that it won't be possible in the GM.

They know that rootless will break some applications/drivers, plus some types of development may need it disabled.

The supported mechanism for disabling System Integrity Protection is via the recovery partition.
This has been the plan for several years. I remember seeing block diagrams for GlobalPlatform's Trusted Execution Environment[1] that were based on the idea of the "Rich OS" (OSX, Linux, etc) being able to run more or less normally, with something that isn't really a hypervisor providing the "secure"/"trusted" environment.

The idea is that a combination of a SecureBoot-style trusted boot sequence and technologies like Intel's SGX instructions to create an area that is protected from everything else, root included.

Ever since (heavily controlled) iOS was accepted by the tech crowd as a replacement for a proper General Purpose Computer, we've been slowly loosing more and more control. At least there seems to be workarounds for this particular OSX "feature". It is incredibly important to stop this trend now; it will be a lot harder to work around these restrictions when it gets hardware support.

[1] http://i.imgur.com/rjbzWyB.jpg

If you have some malware that actually needs to modify system files, that still significantly ups the ante. Sure, if you have a kernel exploit, you can do it, but currently malware does not need any exploits to take over a system if it can convince a user to download and type in their password to install - Gatekeeper is one mechanism to prevent this, but I've personally been served multiple ads offering malware with a valid Developer ID signature, so it's tricky... (though I don't know how aggressively Apple is working to revoke their certificates). The difference in skill required between just writing an installer disguised as legitimate software on one hand, and continuously coming up with working exploits on the other, is pretty huge. And in any case, the easiest-to-exploit OS X privilege escalation vulnerabilities are things like rootpipe that don't compromise the kernel.

However, this argument falls down a little if malware doesn't actually need to modify system files, which it doesn't for most typical evil stuff I can think of.

what if some os x malware finds a way past the limitations on editing system files? the malware would become undeletable
It wouldn't be undeletable, it would just involve booting into a recovery volume (either the automatic Apple recovery partition or a user supplied volume).

Since all System locations will now be signed (as part of the move to SIP), it means that the basic Apple recovery partition will be able to purge any such malware by a simple signature verification.

Does it actually do that? I haven't heard of it... But just reinstalling the OS accomplishes the same, slightly less quickly. Of course, if the malware is nasty enough, it might modify user settings to make a program run automatically, e.g., by adding it as a startup item, which, unless that OS reinstall included a patch, could then exploit the bug again and reinstall itself to the system locations. Not much Apple can do about that.
Not really surprising, though: Apple has been making OS X a little worse with every iteration.
I am doing my best to NOT update my OSX, every time I update it, the thing get slower, it is really annoying.
El-Cap is the fastest version yet in my experience and seems to be getting important security fixes too.
Tell me about it. I recently bit the bullet and upgraded to 10.10 after waiting for quite a while. Man... Firefox has been crashing regularly since then, the Mail.app will also crash every now and then, and to top it off, the system itself has crashed twice on me over the past... two weeks. Sigh
Try installing a fresh copy, or do some HDD/RAM checks. I have been running 10.10 since it came out (+Firefox) without any problems.
But that's the thing, you can't disable SIP from userland. It can only be disabled when booted into recovery mode. So yes, it absolutely does verify integrity, because it makes it so malware cannot embed itself into the system. Your last sentence there is 100% pure grade A FUD. You may as well just say "every security measure is bullshit, because if malware were to figure a way around it, then it wouldn't work". It's a meaningless statement.
It's a boot argument to the kernel, stored in NVRAM. These arguments are normally mutable. Apple had to write code to prevent modifying said arguments. Said code can have flaws.

But lets say you don't find a vulnerability in SIP userland detection, and instead find a kernel exploit to get around the protection:

If malware were to figure a way around it, then even antivirus software can't uninstall it. Only Apple can. It's not FUD.

It is FUD since it is not impossible to make these changes, it's just (intentionally) more difficult than casually supplying a sudo password. Anyone can detect signature changes in a system directory and anyone can boot to a recovery volume (either the default Apple one or one provided by an anti-virus company, if desired) to make whatever corrective change they want.
This is absolutely FUD. Even if you're correct and malware finds a way around it, then it obviously doesn't work, which means antivirus software could use the same mechanism to kick out the malware.
Unless the malware uses the backdoor/exploit then patches it out once it's inside. It has complete system control, after all.
Don't be alarmist, worst case a cleaning tool would have to be run from recovery mode, but nuke and pave is usually the recommended cause of action if you get a infected with a rootkit.

SIP holes will be found, and Apple will patch them just like other security flaws.

> Apple will patch them just like other security flaws

With the condition that you have to upgrade to the very latest system :)

There are a few exceptions but generally you can stay one or two versions behind. While Apple annoyingly don't state how long they support OS releases, they currently ship security patches for 10.8 and 10.9. The last patch for Lion was just before the 10.10 release.
>nothing short of disabling SIP could uninstall it

At the very least, the OS needs to be reinstalled from an off-disk source, and that's assuming you haven't been hit by something sophisticated enough to put itself in firmware. We're fast approaching an era where you need to trash the hardware. You should never trust an OS install that was ever compromised, and making it more difficult to do so is a good thing in my book.

Windows 10, now OS X... and meanwhile I have installed Linux on all my workstations. Looks like big corporations are shooting themselves in the foot.
Wow. OSX ... it was nice knowing you.
This is an iOS app, not a Mac app.
Yes, but from the same commenter earlier: "I want to try this api on MAC OS 10.11. I understand the reason why I need to ask apple for some permission to publish the app with this api to app store, but I can't believe that I have to ask them for permission to run this api on my development machine."
It's possible that commenter is misguided. The documentation on NETunnelProviderManager[1] says it needs the extension and that you should send an email to get it, but there's no indication as to whether there's anything stopping you from granting yourself this entitlement on a development machine (obviously Apple needs to approve it for an app on the MAS; I don't know what limitations there are for non-MAS apps in this regard).

[1] https://developer.apple.com/library/prerelease/mac/documenta...

Where by "extension" I of course meant to say "entitlement".
I think you have that backwards. You, as the person with physical access, is in full control as SIP can be controlled from recovery mode. Processes running as root are no longer trusted to have full access to the system. This is definitely a step in the right direction.
For people who are not aware of this: Shadowsocks is a popular and very simple tool to circumvent Great Fire Wall in China. It is written to reduce characteristics in network traffic so that GFW cannot easily block it by deep traffic analysis. clowwindy is the original author.
Who is the target audience of this software and how does it work? Do non technical users set this up on a VPS provider and then connect to it? I'd imagine most developers in China would just SSH tunnel their way out.
SSH dynamic port forwarding is no longer working for years. It is so easily picked up by GFW and minutes later it is gone together with the whole SSH connection. So does PPTP and L2TP VPN. GFW has been upgraded so many times for the past few years. The target audience is developers. The install is super simple via one line of `pip install`, the start code for daemon is also one line with the configuration inline or through <10 lines of json. On the client side the author and other contributors developed native clients that allow connection by supplying just 1 password and 1 server address. Super simple and highly reliable to this day.
(comment deleted)
@olalonde GFW is known to tighten the control on national holidays or any event they see fit. The day after Tianjin explosion, IKEV2 stopped working for 1 day on my network (I was in Beijing). PPTP from time to time suffer the same issue though I couldn't say when. Also check your ip location, I found out one provider was having reliable PPTP connection about a week ago, and it turned out they were just relaying traffic in a data center in China. Those traffic are not blocked by GFW as long as it is domestic and I could only imagine that data center simply forwarded the traffic onward using other means.
(comment deleted)
(comment deleted)
Why not just wrap all your SSH packets as HTTPS?
This I wonder as well. stunnel + openvpn used to work. Not sure if it still does.
I believe that the traffic patterns (up/down request amount and timing) will still look sufficiently different from a 'normal' https connection to be detected and cut off within an hour.
SSH tunnel is just too easy for the GFW to detect, it's so unstable that you cannot even browse the web with it.

Yes, setting up a VPS provider would be the most common way. There are Shadowsocks implementations that supports multiple users so that more than one person can use it simultaneously. There are also commercial solutions for Shadowsocks that you can just purchase an account instead of setting up your own server.

SSH still work, but it's not designed to give a high throughput, so ideally one would not want to watch a youtube clip over SSH. And DPI can identify and kill SSH session when there are too much traffic happening over it (ie. no obfuscation is taking place to hide SSH traffic)
There are many import/export companies in China, they are also the target audience of this software. Gmail is important for them.
And to add more context: Shadowsocks isn't just a tool nowadays, it's a group of applications that target both developers and common folks.

People have built successful VPN services using Shadowsocks, and they are available on many platforms, like routers and embedded systems.

And the iOS version is more or less the author's recent efforts to build a VPN client that can run on non-jailbroken iPhone, much like Cisco AnyConnect.

I think shadowsocks' popularity as a whole concerns the chinese government, so they do their usual rooting out the leader thing: now that shadowsocks org is headless in the literal sense (no owner, no main repo), they hope its development will die out.

What is to stop any non-chinese person from rehosting the old code? I mean, they obviously wouldn't like it and if I was said person I'd never visit China's sphere of influence again...
I guess nothing.

There are plenty of people on HN who are i) wealthy ii) interested in beating censorship.

It'd be nice to see some effort going into creating software to beat censorship; having excellent translations of the documentation into a variety of languages; etc.

I believe GFW doesn't do traffic analysis just yet. Otherwise shadowsocks won't stand a chance either.
> I hope one day I'll live in a country where I have freedom to write any code I like without fearing.

Can the author reach the US by whatever mean and apply for political asylum? That 'fear that they will suffer persecution due to: ... Political opinion'[0] seems legit.

[0] http://www.uscis.gov/humanitarian/refugees-asylum/asylum

> I hope one day I'll live in a country where I have freedom to write any code I like without fearing.

Frankly I don't know if we are that country. :(

Yes, he should move to the US, where he'll be forced to use NSA approved (read: cracked) or no encryption.
??

US citizens can use any encryption they wish.

Seeing the position of the US and UK governments on encryption is coming in-line with china, I would be careful of traveling to those countries.
I was visiting China recently (my first time there). I thought bypassing The Great Firewall was going to be as simple as an "ssh -D" SOCKS setup, or a "ssh -w" tunnel. Oh boy, I was wrong. If you try this, or even a basic OpenVPN setup, you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out. After some research I read online the government does deep packet analysis and uses machine learning to find heuristics to guess which TCP connection or UDP stream is likely being used as a VPN. When they think there is a high probability a VPN is detected, they simply start dropping all the packets.

Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS). For example in a traditional HTTPS session, if the client browser downloads, say, a 500kB image over HTTPS, it will send periodical empty TCP ACK packets as it receives the data. But when using a VPN that encrypts data at the IP layer, these empty ACK packets will be encrypted, so The Great Firewall will see the client sending small ~80-120 bytes encrypted packets, and will count this as one more sign that this might be a VPN.

That's why people in China have to use VPN tools that most westerners have never heard of: obfsproxy, ShadowVPN, SoftEther, gohop, etc. All these tools try to obfuscate and hide VPNs. I have a lot of respect for all these Chinese hackers like clowwindy who try to escape censorship, as it takes more technical prowess than you think to design a VPN that works in China.

How do multinational companies' china offices get through the firewall? For example if my company uses Google apps, how do I ensure that my china office has access?
(comment deleted)
As far as Microsoft office in Beijing, I think they VPN to their Tokyo office first. Their traffic is ensured by negotiating directly with the big telecom company. Disclaimer: I do not work for them.
This is correct

Source: worked there for a while

This is interesting, I'd love to read/hear more about it. Is the negotiation an above-board thing? What are the conditions and costs to getting this kind of exception ensured?
From what I've heard, it's something like 100 000 USD a year for a 100 Mbit connection.
Funny thing is: this is the same price payed in Brazil for a 100mbps MPLS link.
Not all VPN services are censored, and not all VPN protocol triggers the reset. But you can bet whatever you get for free (thus likely popular), will get banned soon enough.

OpenVPN is like a prime suspect of a police procedural novel, it gets hunt down no matter what.

Personally experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.

Pay one of the telcos (i.e China Unicom) for an MPLS circuit out of the country.

Also, international performance in general can be quite bad at peak times (i.e 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!

Edit: to add to the grand parent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.

> Pay one of the telcos (i.e China Unicom) for an MPLS circuit out of the country.

Don't suppose you could explain to us network plebs how that would bypass the Great Firewall?

It's a private network/route with traffic containing nothing but corporate data. Most multinationals facing this situation route out through HK, with a secondary failover usually in Taiwan or Singapore. Works a treat, but is costly and latency can be subpar.

It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers. You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.

Google Apps will drain your battery when they can't access Google's servers. Roaming with a China Unicom Hong Kong sim card, like the cross border king, will give you gfw free access.
> Google Apps will drain your battery

Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.

If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.

This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.

I think you can turn this off. My phone has a setting called 'Scanning always available', which says "Let Google's location service and other apps scan for networks, even when Wi-Fi is off.". If I turn off this setting, and turn off wi-fi, then the problem you point out should be avoided, right?
Yes.

But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn any of those two off, and it works.

Oh. My phone has three options for 'Location mode':

- High accuracy (GPS, wi-fi, mobile)

- Battery saving (Wi-fi, mobile)

- Device only (GPS)

From what you say, it sounds like 'Device only' would save more battery than 'Battery saving'?

How do you setup a routing protocol to do fast failover? Is it easy?
For fast failover, you'd generally use BFD (bi-directional forwarding detection) in conjunction with a standard routing protocol like BGP, OSPF, or IS-IS. It's sufficiently complex to do on a proper networking platform, and even more difficult to do in a general purpose operating system. You can also just use aggressive timeout values with your routing protocol, but failover won't be quite as graceful.
I've heard that commercial DCs and high-end hotels are less censored.
I'm in the Sheraton in Qingdao atm, and it's definitely less censored, I can access YouTube and Google Apps just fine; where as earlier today from a business down the road these websites were all blocked.
We have colleagues in china and generally speaking, you find an alternative, and host it on premise.

I believe this is the reason why they use Atlassian[1] products, where rest of us would use trello, e.t.c.

[1] company that created jira

Aren't there a dozen of bugtrackers, intranet collaboration software, CI tools and git hostings that they could download and install? What's so special with the Atlassian products?
those sucks a little less than, say, bugtraq, offer enterprise support on premises which you'd never use but you need to do the purchasing when you go for a big company and kind of have a big recognized name for their customization support even if their whole stack sucks.
I think the "enterprise support on premisses" is the main deal, along with the fact that we have already used it for some of our big projects.
Register your VPN with the authorities. We are atm doing this for a office in Beijing.
Is the primary purpose of your VPN to bypass GFW, or to provide access to your corporate network? I guess the latter would be considered a good reason.
yes, mainly to access the corp network.
I'm curious, what is the risk of getting caught, and what is the penalty?
I am a native Chinese. I was threatened by the police because of publishing a unfair treatment from a decree of local magistrates. The police said that I had to delete all of them, otherwise I would be brought into jail and my parents would lose their job. At that time, I was only 16. I don't want to live in this country anymore but I have no choice. I love China but the government.
Spending on what you do, detainment, torture, death.
I have a good amount of recent experience with this. I found that it wasn't just a matter of your connection getting blocked; if you leave it up you'll experience some unreliable good periods (so, say, a torrent would download through the VPN overnight without a problem, but if I wanted to use the internet at any particular time, my connection was unlikely to be working). But yeah, I ended up signing up with Astrill.
Very interesting... I was just in China recently and was sshing into a box I had in the states for an impromptu SOCKS proxy. I did notice that things would work fine for up to an hour or so before things started bogging down. I would start seeing "channel x: open failed..." errors. However, closing the session and reconnecting would fix the problem... until it started lagging out again.

I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections. The internet situation was barely tolerable for a few weeks stay; I can't imagine what living in these conditions 24/7/365 is like.

Working in such network 24/7/365 means I have to spend about $90 per year on my vpn service, and keep vpn connection all the time when working. (otherwise google and SO will not come to save me from problems.)
Yea, in my most desperate I wrote a script that opened ~10 connections and kept restarting them and used HAproxy as a frontend. It was maybe helping, but honestly, I couldn't tell. Luckily I discovered shadowsocks soon after that.
I'm always brought up short when someone says/writes "24/7/365" because it really doesn't make sense.

"24/7" means 24 hours a day, seven days a week.

"24/365" means 24 hours a day, 365 days a year.

"24/7/365" means 24 hours a day, 7 days a week, 365 weeks a year?

I know, I know, it's become an idiom, and it's like "I could care less", and you can't try to understand it except as an atom that caries a meaning, but it just looks wrong to me.

Sorry - I'll now return you to your regular programming.

24/7/365 is dead. Long live 24/7/52!
24/7/365

  7 *days* per *week*
  24 *hours* per *day*
  365 *days* per... *year*
Why you'd read that as 365 weeks per year I'm not sure, because there's no pre-established convention that would lead you to interpret it that way (both 24 and 7 would have to be "per week"), and most people know there are 365 days in a year.

Just trying to help. ;-)

But it doesn't make sense to say:

  24 hours a day, 7 days a week, 365 days a year.
That just really doesn't make sense at all. I know that the numbers means, and are for, but if someone is saying every hour in the year, to say 24/7/365 is just nonsense.

Of course, this is a losing battle. People just don't care if what they say makes sense, they just say stuff and assume that people will understand. This is one of the things that makes language bizarre, miraculous, infuriating, and impossible to analyse. I note examples like this because they are caltrops on the road for NLP.

>what they say makes sense

I would argue that no single statement can make sense. Sense is made when multiple statements are combined.

It's really all just about appropriate cognitive load. Every statement must be processed and it's great to be as accurate as possible and as accurate as the consensus agrees to.

Anything higher quality than that falls under the category of "great writing," which only a handful of people cherish.

Hey, FWIW, you've completely convinced me to never use this phrase again.
They are all relative timeframes by which a store my be closed; certain hours during the day, certain days during the week, and certain days during the year. Your inability to make sense of it doesn't affect the rest of us. It's like a creationist saying evolution doesn't make sense to them: at some point it is the result of a willful ignorance that you are bragging about. It doesn't make for very interesting trolling.

  > They are all relative timeframes by which
  > a store my be closed; certain hours during
  > the day, certain days during the week, and
  > certain days during the year.
Huh. That's a way of interpreting it I'd never seen. Thank you.

  > Your inability to make sense of it doesn't
  > affect the rest of us.
No, except that it may help people see that what they think is obvious isn't always obvious to others.

  > ... it is the result of a willful ignorance
  > that you are bragging about.
Well, that's obviously your interpretation, but if others see it that way then it explains the hitherto mysterious yoyoing of points on my comments.

  > It doesn't make for very interesting trolling.
I find it disappointing that you think I'd troll.
So you read 24/7/365 as 7/24/365? That only makes sense to Americans, I guess.
As an expression of time, its origin is a relation to business hours. 24 hours is "we don't close overnight." 7 days is "we don't close on weekends." 365 days is "we don't close on holidays." Those are the standard periods of unavailability.

If the sole holiday were a single Golden Week sometime in the year, the idiom may indeed have been "24/7/52", but holidays are simply scattershot like that.

The slashes aren't maths operators, they're language/grammar/shorthand. The lexeme as a whole is merely a mnemonic for the linger phrase: "24 hours per day, 7 days per week, 365 days per year."

It's not that the individual segments relate to each other. Rather they answer three sets of questions:

What are your daily hours? All of them. 24 hours / day.

What weekdays are you open? Again, all of them. 7 days/week.

What holidays do you observe per year? None, we're open 365 days/year.

Since there's rarely a monthly cycle to business closings and there aren't a standard number of days per month, that's elided.

It also helps to realize that human timekeeping is really based on three independent phenomena which are utterly unrelated. There are day-based units: seconds, minutes, and hours are all subdivisions of the period of rotation of Earth about its axis.

The month is based on the Moons orbit about Earth. That it is roughly 30 days is a notional convenience, similarly its rough divisibility by 4 into 7 day periods. The week is entirely synthetic (though profoundly persistent).

And the year on Earth's orbit about the Sun. Again, relationship to days and months are entirely arbitrary.

That's why it often seems time units are arbitrary. They are.

There's a brief book which Kay's this ought and traces the calendar through time, The Seven Day Cycle.

24/7/52 does seem more logical...
365 means they don't close for holidays. I don't know what 52 would mean.
There's 52 weeks in a year.

24 hours in a day, 7 days in a week, 52 weeks in a year.

What business closes for a week out of a year? Are there businesses which are 24/7/50?
Well, where I work at is 24/7/51.
Interesting, are you in Europe?
UK. Last week of the year (Christmas celebrations and so, you know) this joint shuts down.
Gotcha, here in the US most people will take off that week, but no business would ever shut down entirely for a week. You'd piss off all of your customers and associates. (Which is why American workers hate dealing with ones in the EU, they're always on vacation!)

Whoever doesn't stay home during the Christmas period in the US gets accolades from management, so there's incentive to work if you're career-focused.

I agree with the understanding that each segment of 24/7/365 addresses a different possible shutdown condition.

And I'll add that "I could care less" derives from the earlier "I couldn't care less", which makes a lot more sense. See http://blog.dictionary.com/could-care-less/

> I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections.... I can't imagine what living in these conditions 24/7/365 is like.

In my experience splitting my time between North America and China, the difference is not terribly noticeable once you invest in a solid VPN -- which everyone does.

The network speeds here are generally far better than NA -- in tier 1 and tier 2 cities at least. If you're accessing site in China, i.e., not going through the GFW, the average is far better than you'd find in the US. However the GFW slows everything down. However, there are a handful of VPN providers that specialize in getting through the GFW: notably Astrill and ExpressVPN. This those on my phone, tablet, and laptop it's easy, you'd never know you were in China -- expect the odd day when you have to hunt for a different server. Most experienced developers here subscribe to one of them.

Also, a lot of tech companies subscribe to "international lines". Pretty much all the ISPs offer them to business customers. They are expensive but they work very well. Usually about US$1k/mo to US$3k/mo on contract. The international lines are just hard lines to Hong Kong.

I've had almost the opposite experience. VPN sort of worked, but I could not open a single HTTPS connection. The VPN problems I had I could trace to a bad WiFi connection (I had to lower my MTU and it worked fine).

Now, on previous trips I experienced what you mentioned. It seemed really like there was some machine learning going on, and after using a VPN for a while the connection would get bad. But I guess it might not be machine learning, there might just be a huge number of humans watching your traffic - which would explain why it is so inconsistent.

The thing that worked best for me is just using ssh -D (on most days). Our workplace uses ssh a lot for secure communication with outside china, so that couldn't possibly be blocked without hindering our work (and I believe 'they' have no interest in that). So whenever I had to access something for work that was sillily blocked (argh gmail), I just used the ssh connection that was open anyway.

Actually this is classic daily life of a chinese netizen: you are never quite sure what the cause of your network woes is (not without spending time digging into it). Is it due to ISP QoS, or is it reset by GFW, or is it just mere network failure?

And what most ppl do when facing this? They choose a local service instead of Twitter, Facebook, Youtube, Google. See, censorship is only a part (though a vital part) of the grand scheme.

Back in 2006/2007 when I was doing web development, I knew a few people at F5 and Zeus Technology (developers of application firewalls at the time), and they said The Great Firewall was using loads of F5 tech with deep packet inspection for all data.

I assume 9 years later (don't know what the modern tech for web stuff is these day, but I assume encryption plays a key part) they're doing just as intrusive inspection and filtering of data.

This might sound a bit counter intuitive but they really hate OpenVPN and SSH tunnels - not to mention they are trivial to detect and the process is highly automated.

Traditional VPNs such as PPTP/IPsec as well as various forms of obfuscated proxies are generally not interfered with unless something major happens. A lot of the alleged "censorship" are actually symptoms of high latency and packet loss on home connections.

I suppose that means OpenVPN and SSH are too secure for the Chinese government to eavesdrop on. PPTP, on the other hand, has been known to be insecure for ages.

So... could you avoid detection by passing an SSH tunnel through a PPTP VPN? Add enough layers, and the censors might not bother to unwrap all of them.

Yes you can. Shadowsocks was intended for the similar purpose of tunnelling traffic and it is a bit more flexible than GRE-based VPNs
Given that most US websites are now over HTTPS, breaking PPTP won't actually give Chinese government much information to eavesdrop on. They may know that someone is accessing Google or Twitter, but they cannot know the actual keywords or tweets they are reading.

Note that Chinese government does not have backdoor access to those US websites, nor do they control a significant fraction of Internet infrastructure.

What about Chinese signed root certs?
That is why it is recommended to untrust every Chinese CA from your system. It won't affect daily browsing even for most Chinese users. The super majority of Chinese websites, even state owned ones, buy certificates from US companies.
(comment deleted)
IPsec is blocked now.
Blocked for a few established VPN providers e.g.Astrill. The protocol itself is not blocked per se.
You won't get a stable site2site ipsec tunnel for long. That's why you have to Register your vpn vor go mpls.
I currently use a mixture of PPTP and Shadowsocks. Shadowsocks (even to the same servers) seems to successfully connect a little more often, and drop a little less often. Otherwise, performance seems similar, and goes up and down.
"Thanks" to the Great FireWall by one of the evilest governments, I might have to finally give up Gmail after many years struggling using it with the help of a wide variety of GFW-fighting tools. My deepest respect to all the authors.
Spoofing GGP tends to work very well in these situations.
> Encryption is not enough.

I use an unencrypted PPTP VPN and the connection is really fast and stable here (Shenzhen, China Telecom). I have tried OpenVPN and ssh but both were much slower. FWIW, I don't believe using a VPN is illegal in China (though operating a VPN service without a license most likely is) and pretty much every single foreigner I know uses one.

(comment deleted)
Per the other comment, MS-CHAP2 is crackable. The PRC govt is probably happy to encourage people to think they're secure using it.
Yes, that was my point. They are happy to let people circumvent the firewall as long as they're still able to read the traffic.
PPTP is not secure. You need to open another, more secure, tunnel within your PPTP session.
According to a recent file. Using a VPN isn't illegal. But hosting an unregistered VPN service in China is illegal. And the right of using an unregistered VPN service is not guaranteed.
I am in Iran , you cannot believe it , same here , They use deep packet inspection too, they will shut every package down. every open vpn , cisco vpn , etc connection will lose connection every 2-3 min . Connection to outside web is almost impossible.

I have noticed they have multiple situation, for example when everything's quiet internet is not so bad (despite the fact bandwidth is extremely low for huge amount of people), but when some news came out about government corruption, guess what ? some vpn does not work . In 2009 green movement they closed every https connection.(maybe that was red alert situation)

p.s : https://en.wikipedia.org/wiki/Deep_packet_inspection

p.s. : I use vps from netherlands for bypassing firewall. but It takes huge amount of time and a little money.but the point is 99.999% people don't have this option (I use shadowsocks, sometimes another tunnels) so they use internet the way is or some software like freegate and other but with extremely low speed unbearable lag.

p.s. : pptp, l2ps and others are closed right now. even president rohani couldn't manage the situation . I have heard he did want to do something but supreme leader and his people stopped him.

I heard rumors that that before Halal Internet was launched the censorship of Iran was relegated to Huawei, the same company that builds and maintains the Great Firewall...
Yes , I have heard it too . halal internet not going to launch , because Rohani is not believe in it and tries to postpone it every year(maybe they have technical issues too , I don't have information) . all military site's have ethernet and connect to each other with it.
wish you all the best. I pay 5$ for a digitalocean droplet to provide my family in Iran with an OpenVPN connection. This works quite well, we do not have any issues so far.
I'm not sure but I suspect that they got the technology (hardware and software) from China too.

As a Chinese netizen I don't know if I should be proud that we have world-class advanced technology or be ashamed. Possibly ashamed.

I propose proud of the technologists, ashamed of the political system :)
Allegedly it's mostly or at least originally Cisco's technology: https://insidersurveillance.com/cisco-huawei-and-semptian-a-... .
And let's not forget BlueCoat.

These are our colleagues designing and implementing these tools of oppression. We should ask them why they exercise their talents in this way.

They probably appreciate having their family alive...or something. It'd be better if our colleagues who don't have their hands and relatives tied to create and proliferate liberating software.
Are you saying that Blue Coat (based in Sunnyvale, California) develops censorship tools in order to keep their family alive? Who is threatening them?
It doesn't take much to motivate someone to do it. A paycheck is enough 99.99% of the time.
"Of the ten conflicts in human history with the highest death tolls, five were civil wars in China.

Chief among these was the Three Kingdoms War when up to 40 million are reckoned to have perished in military operations and from the destructive consequences of warfare. This is an enormous number, considering that the global population at that time is unlikely to have exceeded 400 million. More recently, the Taiping Rebellion claimed more than 20 million lives while the civil war that brought the Communist Party to power resulted in 7.5 million deaths, over and above the 20 million estimated to have been killed in the roughly contemporary Japanese invasion.

This is not the history we were taught at school but Chinese leaders are well aware of these facts.

When disorder breaks out in China, things turn very nasty indeed.

It is best, therefore, to avoid disorder at almost any cost."

That is why.

Or would you prefer to have China descend into the chaos of Rwanda or Sudan ?

Oppression causes civil wars.

If they are using oppression to avoid disorder, they better have long term plan. Otherwise they are digging their own grave.

Not many people fear of chaos in the USA and not because they have the best firewall.

Millions of doomsday preppers may disagree.
> Millions

There are not millions of doomsday preppers in the US. And their obsession is not representative of public will or sentiment.

The comment you're replying to said: >Not many people fear of chaos in the USA and not because they have the best firewall

So you seem to be saying that if the US had a Great Firewall the nutjobs who spend half their salary on underground bunkers and armament wouldn't. That's a pretty silly argument.

Historically, I believe it would be much more accurate to say that opportunity creates civil wars. People start wars because they think they can win.

Incidentally, in most of those Chinese conflicts (4 out of 5 I believe), they were right. Many other wars were similar : starts with "immigration", numbers increasing, conflict, open conflict (and mass death), repression (of the losing side). Extermination is often tried but rarely succeeds. Well it succeeds in causing mass death, but it doesn't succeed in the sense that extermination is the result.

Wait, I may be misunderstanding your comment, but are you saying you support censorship by the Chinese government on the basis of some paternalistic "those dang Chinese can't handle themselves and start a-killin' if they get to know too much, so it's better to keep them in the dark"?

Also, when quoting large blocks of text it is usually helpful to source that quote.

Good statement so far. But wait... do you assume that censorship could cause another civil war or could avoid another civil war? And where is your reasoning or evidence?
At first China also used Cisco's stuff, but soon they could't keep up with the requirements of the Chinese govt. After that a man usually criticized to be "the father of GFW", FANG Binxing, came up and built more powerful censorship hardware and software for the govt at Beihang U. It is said that they now use supercomputers to parse, analyse and block (and even inject, remember GitHub?) all packages going through the Chinese network boundary.

Oh I just gave away so much secret. I'm so doomed. Everything above are just made up stories. Don't believe me. Don't track me down. Please.

There's one mistake on your statements. It's at Beiyou U that Fang Binxing get all those things dones.
It is not a secret at all....
be sure soon the dev will be cordially invited to write the deep inspector for that vpn if it ever leaves the ground.

and i wonder if filling the apple form helped them finding him or it was just bad timing

IPsec and OpenVPN are open in Iran. Obviously you don't know what deep packet inspection is, or never tried to implement it, otherwise you wouldn't say that.
A few years ago I had a friend visiting Iran who wanted unrestricted access to sites. I didn't have any personal Linux servers on the internet at the time, but I did have a Windows one with Remote Desktop licenses.

It turned out that RDP actually worked pretty well. I did hesitate to post this in case it's seen by the wrong people(!), though given it's a while since it was necessary to use, it may be blocked by now anyway.

I wonder if it was available because it was relatively little known and, if so, what other little known protocols might be available.

sadly with RDP you cannot have same experience.it is not about 1 or 2 site , for example for me , my vpn connection is always on because there is not internet without it.but with RDP loging into another machine , with all lag you see , is almost impossible at least for power user like me which most of the time have 50+ tab open in chrome in site's like youtube , android dev doc's, etc.
You can RDP into a machine and use the browser there.
But you have to send a packet every time the remote screen changes. It is much more demanding on network resources than a VPN and thus will be more difficult to use on a daily basis.
Why nos havig a local cache like wwwoffle (someone has to reimplement such a thing) or squid? that way you won't need a connection just to browse a bunch of (mostly static?) html pages... just sayin'.
You can get arrested for hosting illegal web content. All public facing servers in China must be registered at the government, or they can get raided.
I have a friend in Iran and I let him use one of my servers as a proxy using the ssh -D flag. This has been working well so far as I know.
When I was in China last year I had no problems using OpenVPN on my Holland based server.
Hotel WiFi may not be as restricted as the average citizen's connection. Local 3G/4G service may be more restricted than your home provider's roaming service. It's a bit of a crapshoot, but the GFW is definitely targeted more towards locals than visitors.
Sounds like an overseas vendor needs to drop a blanket of satellite internet coverage over mainland China.
Sounds like you live in a world where you didn't notice that China became the second most powerful economy, and which will become the most powerful economy within a decade or so. Of course they're going to have the military to go with that:

https://en.m.wikipedia.org/wiki/2007_Chinese_anti-satellite_...

... usage of which would be detected, and the users arrested and hauled off for "questioning" about spying and/or being a terrorist.
And using a VPN doesn't have these risks?
Of course it does, but they have a less expensive and more effective means of enforcement, which is just to shut it down. That's effective because the actions they take at a single location apply to a large number of infringements.

But if they can't shut it down via technology, they'll most likely shift to individual enforcement and harassment. In that case they have to chase people one at a time, so to get widespread effectiveness they have to make sure that each individual case frightens as many people as possible. That means that the individuals targeted will be punished more severely.

Enforcement 101.

Escalating the issue could be a good thing, even if people suffer. The problem with technological oppression like censoring or pervasively surveilling the Internet is that it's invisible and there's very little organised outcry. Just look at Snowden revelations. Nothing has changed, and most people simply don't care. Effectively once the requirements for bypassing the GFW become harder to deploy than a few clicks, from an easy to follow guide, the majority of the population will just accept this oppression.
My point was not whether this would be a good thing or bad, but to point out a likely consequence.
More likely they'd just buy up all the satco's and run the thing out of business.
Weird, was just there a month ago for two weeks and used https://www.expressvpn.com/ with no issue. I mostly cruised reddit / the internet so maybe there wasn't enough volume.
It depends. I am a bit surprised that reddit is not blocked. Neither is hackernews. Apart from classic Google, Facebook, Twitter, AWS is targeted intensely for its role in "affiliated freedom", to the point releases on github are blocked, others not as much.
(comment deleted)
Why go through Internet access providers in first place? Just get a radio transmitter and start broadcasting on short waves with encrypted digital modes... at least for short, critical transmissions.
At 1.2kbps?
Q: "Would you like a free, uncensored system to talk to anyone in the world? On top of that you could also send data at 1.2 kpbs, again free and uncensored. You just need to swich frequencies quite often and randomly, in order to avoid that the bad guys will track you down..."

A: "No, 1.2kpbs is not enough, thanks but I prefer censorship."

Is that what you're saying?

Sorry, I've already had my fill of stupid arguments on the internet for the next couple days. Maybe some other time we can get together and do our best to misunderstand eachother.
Haha. Ok. And sorry.
In my experience ... spending a lot of time working in China ... most people use Astrill or ExpressVPN. I'm surprised no one has mentioned them here yet. They own the VPN market in China. Almost every senior developer I've met here subscribes to one or the other -- with Astrill being far ahead in terms of user base. They both champion their "stealth" options and other than the odd day you don't really notice the GFW.

Pretty much all the ISPs sell "international lines" as well. But only as part of their business packages. Usually it will run for about US$1k/mo - US$3k/mo with minimum 1-2 year contract for their "starter" package. Most tech companies in my area have them; they work very well. Essentially they are a hardline to Hong Kong and they ration out to subscribers.

They key thing to understand about the GFW is that it's not about general censorship of the population. Frankly the government doesn't care if someone who is middle class, i.e., invested in the status quo, gets around the GFW. They are more concerned about conservatives in lower classes trying to organize to stop the move towards capitalism. And it's mostly about protecting the market now so local companies can get access to these lower classes as their position improves and they join the middle class.

I don't understand, who can afford US$1000 per month? I'm assuming only medium-large businesses, so do they divide up these "international lines" among their employees or something? Can these employees also use these lines at home, or only in the office?
It's for business of course, mainly international companies I guess. Local companies don't need to cross the firewall. Employees can only use these lines in the office. Actually most Chinese are not aware of the existence of the Great Firewall (GFW), really bad.
In the tech field, everyone is very very aware. I can't speak about other fields though. In my experience, pretty much anyone who is middle class or above knows about it. Granted middle class and above is only about 300 million of the almost 1.4 billion people -- so very much a minority. Granted China is huge and I mainly move in tech circles so YMMV.

It's not just international companies. Chinese companies are all about going overseas now. China is now a next exporter of investment. Plus it seems every company with an app that has a moderate amount of success wants to reach Chinese outside of the China -- they have more money -- and so need to integrate with blocked services like FB. And exporting Chinese online games to other developing nations is really taking off.

Thanks for your info. As a graduate student major in civil engineering in China, people around me come across the firewall when they need Google Scholar, which is rare also. Sometimes they come to me for help to get access to sites like Google Scholar. But, believe me, they don't care about what is GFW or anything about the censorship. yes, the big brother is watching and they want to be good netizens. Traditional industries like CE don't depend on internet much, so GFW does not have much influences on them. Even to programmers in internet companies, I doubt the proportion of people accessible to the free internet. Above is based on personal experiences and may not be that precise. Things are complicated in China anyway.
As an undergraduate student majoring in software engineering in China, I'm interning for a foreign company and we have access to free internet through proxies. And in my experience, most programmers regard free network as a necessity. And for people in large cities, it is true that they don't actually care about GFW, but I think many of them are at least aware of the existence of it, and sometimes break through it out of curiosity.
Yes, Astrill and Express VPN has been popular in China. But probably because they are too well-known, their services are not totally reliable. Instead, some smaller VPN providers now offer better services. Check out this test result: http://www.vpndada.com/best-vpns-for-china/
I visited your page expecting to see details of a testing methodology, along with results for a number of providers. However, the information you provide is no better than that provided by friends' anecdotes.

"Reason for Recommending: Reliable connection, fast speed. Fast customer support."

What do you mean by 'reliable'? What do you mean by 'fast'? Are you talking about latency or throughput?

"Reason for not recommending: sometimes hard to connect"

How many times out of ten? Using which VPN protocol(s)? Was this using PPTP, or OpenVPN over stunnel?

I run my own VPN servers (for myself and friends) but of course there is some ongoing maintenance effort to add new servers to replace those for which latency and/or throughput have declined. If there were a site with specific data about different companies' performance (over time), that would help me to decide whether it's still worth the effort.

Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS).

In other words, steganography.

using ssh tunnel works just fine in china but they detect it and start blocking the ips. You can usually get a few weeks before they block the ip address. It works better if the server is from a legitimate source like an edu.

Most of the detection is focused on blocking vpns and they are very good and disrupting vpn traffic

This was exactly what I experienced in summer at China this year, no openvpn(not even commercial one or Linode self-hosted one), no ssh-tunnel, no other used-to-work vpn solutions.

For ssh it sometimes work for a few days then the whole IP/host is blocked.

I did not have to time try obfsproxy, shadowsock or whatever, but it really really sucked, to make things worse, my Nexus phone could not get any updates etc either, as Google is also _fully_ blocked, I felt I was back to Stone age there.

This is a great talk about some of the methods China and other governments use to block the Tor network: https://www.youtube.com/watch?v=GwMr8Xl7JMQ

It's a pretty sophisticated arms race that's lead to some cool stuff, notably pluggable transports (like the obfsproxy you mentioned): https://www.torproject.org/docs/pluggable-transports.html.en

Unfortunately the companies that enable this deep packet inspection are often American companies working overseas. My friend who used to work at Cisco said they had internal slide decks about the improvements they could make to the Chinese firewall. Then there's Bluecoat in Sunnyvale (https://www.bluecoat.com/) building the censorship systems for the middle east.

Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in someway, but I think it's wrong.

> Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in someway, but I think it's wrong.

Pursuit of the almighty Free Market without regard for scruples or morality. Basically, public corporations base success only on money. If you as an executive refuse to bow down before Mammon[1,2] then you are replaced by someone who will. Seealso Charles Stross' excellent Invaders From Mars[3]. The Chinese government and other regimes pay big money for these tools.

[1] https://en.wikipedia.org/wiki/Mammon [2] https://en.wikipedia.org/wiki/Mammon_%28Dungeons_%26_Dragons... [3] http://www.antipope.org/charlie/blog-static/2010/12/invaders...

Note: that video is from 2011, and in my experience China's VPN blocking has changed significantly over that time. In 2011, I could use OpenVPN over UDP reliably, as long as I didn't use the same port for every connection. That is no longer the case, and I'm grateful for Shadowsocks as it's easy to set up (both server-side and Android client) than OpenVPN over stunnel.
which leads me to two questions:

1. if you need custom vpn, why even have apple devices?!

2. why focus on vpn over their network instead of mesh?

Some of my friends have had success with VPNGate.

http://www.vpngate.net/en/

It's based on SoftEther VPN, which happens to be open-source and cross platform.

http://www.softether.org/

I'm using it for most of my VPN setups and I've generally found it to be superior to OpenVPN in every aspect (performance, usability, protocol support, obfuscation, etc).

The Chinese authorities neither understand how FOSS works nor the Streisand Effect.
Not having to worry about != not understanding
"you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out"

I recall the same thing occurring in Shanghai with many of the popular webmail services, they'd work briefly, usually just long enough to log in and get a glimpse at an inbox, then it would time out endlessly and that'd be it.

Based on my experience, if you set up a VPN server (such as OpenVPN) by yourself and use it in China, you will see strange behaviours and the VPN server might stop working after some time. As a result, I've given up using my VPN but been using third party VPN service, which works better. Here's a list of VPNs that currently works in China: http://www.vpndada.com/best-vpns-for-china/
How do foreign organizations with email and internal applications inside the firewall do business in China? Do they simply have to make an exception to their security policies for employees based in China? Put them on Baidu email accounts instead? Or are IT departments of big lumbering fortune-500s also dependent on these tools?
No. Big foreign corporations, like in all countries, VPN back to their home country. The same all over the world.

Internal policy dictates this, all over the world.

Email is usually on self-hosted Exchange.

Corporate firewall blocks stuff like Youtube and Facebook - also the same over the world, but some users with the business need can access whatever the business need dictates.

Some large companies just bypass the national firewall for speed reasons - this is negotiated with the government on an individual basis - pragmatically this makes sense, as the traffic is 100% encrypted back between fixed sources and destinations, and inspecting it just wastes resources for all parties. Some corporations may also have their websites for the public access bypass any filtering, also for speed reasons (for example, internet banking).

So exemptions from the VPN detection/shutdown mechanism can simply be negotiated by those with the political clout to do so?
Indeed. The point of the GFW is to prevent political unrest. MNC's workers are unlikely to be fermenting dissent at work. Deploying the GFW on their connections doesn't really aid the government as a whole in terms of staying in power, but it does mean that MNCs will get pissed off and may reduce their presence in China.
https://github.com/Long-live-shadowsocks/shadowsocks

The original repositories have been/are being reset. (Some branches were not removed.)

Non-obvious ways to search for forks as the network graph is unavailable for larger projects.

https://github.com/search?utf8=&q=shadowsocks+language%3APyt...

I don't think it's suitable to distribute the backups until shadowsocks is fade from the gov's memory.
Oh dear, I hope the clones of this repo on Github don't cause the GFW to block Github altogether.
On the other hand, the more they fall behind the more money and power for us in the west :)
Government used to block Github in past few years. Then lots of programmer strongly disagreed with it.

however,browse github has been harder in 2015.

I love my motherland but i really hate what the government has done.

sorry for my poor english

How did/does this tool compare with obfsproxy?
On this note, we've been trying to upload gigabytes of data via rsync from Europe to China (we are software company who are trying to deliver tools to our Chinese customers..). Connection used to be fast when it was night time in China, but lately the connection has been really slow or unusable. Is there any alternative way to get lots of packages from Western countries to China?
Ship it on an usb drive. (use encryption)
The latency with that method is going to suck, though.
If this happens day to day, you may consider opening a subsidiary in China, with applying for special network. Foreign company in China can have network without GFW.
There's no "special network", it's just plan old VPN.
setup a server with aliyun. the cloud service provider from alibaba. And relay the traffic from there.
aliyun sucks when connect to github
Funny you mention it, we are actually uploading to the server in Aliyun cloud services. Completely unusable :(
lol.. I would have thought they have the fastest data center.
It probably is _inside_ China. :)
Somewhat anecdotal, but try IPv6.
Copy it to an AWS EC2 Japan server, and copy it to China from Japan. I have transferred 1T data from Europe to China with this method.
Why Japan (as a location) is special? GFW does not affect traffic from Japan that much?
It's also effected by GFW. Some Japanese IDCs connect China through CN2 cable which is not so busy right now.
Use Chinese CDN (such as Upyun, Baidu CDN, Qiniu and Aliyun) for http file downloading (with a subdomain provided by the CDN or you'll need to apply permissions at MIIT as ICP) instead of rsync or ssh tunnel. Or rsync your data to Japanese Servers (Linode, GMO, etc) and ask your customers to download through http or https.
The problem is to upload data to China, we are not downloading anything from there.

"Or rsync your data to Japanese Servers (Linode, GMO, etc) and ask your customers to download through http or https."

We've used Amazon CDN before even for Chinese customers and they have closest node in Hong Kong - they still(Chinese) have difficulties to download our packages. I doubt using Japanese server would solve our problem. Thanks anyway.

Due to political reason, I think Chinese gov seriously and actively censor package from Hong Kong
CloudFront, the CDN from Amazon, have already been blocked by the GFW. But you can use CloudFlare or Baidu's CDN, etc.
The recent congestion is caused by the price reducing of ISPs demanded by the government. A lot of customers upgraded their bandwidth without paying additional money. This makes the already busy cables out of bandwidth.

Back to your question, the answer is YES, use a proxy, which is less expensive, or buy a dedicated private virtual line from a Chinese ISP, which is more stable.

You can setup a fast proxy by carefully selecting the routing path. Nowadays, the CN2 cable (http://www.ctamericas.com/content.asp?pl=627&sl=637&contenti...) is a good choice.

So, isn't the real question how to get you into a more liberal country so you can continue your work?
That's true. But immigration for Chinese is much more harder than you think. Even in China, it is not completely free to move from one province to another.
I can imagine that this is not easy. I'd like to hear some ideas to that though, as I lack all the details on what's going on there (just been there once on a business trip - and I know they treat foreigners with money much different)
I'm from there, I think the 'difficult' part is, that there might be tons of success stories on getting out of the country but none will give you a definite route on how, especially if you are already high profile. The things move around inside china are mostly per incident based, rules and regulation means almost nothing because every step of the way is dependent on the interpretation (and of course, mood) of the officer who can stamp on your paper.

I guess the most low profile thing for clowwindy to do is do as police have instructed and lay low for at least 1 year. If after that he is allowed to travel abroad then he can apply to big co like Google/Facebook and apply visa with work permit.

In this case, it seems like there's a reasonable argument for asylum.
As a Chinese developer, I got more and more disappointed to my country.

I'd read a book written by LinYutang, called My Country and My People. All my understandings of my country after reading this book are not same as nowaday China.

What's wrong? I don't know. I just wanna have freedom for Googleing. I just wanna the people in this country be happy not only because they get enough to eat.

Don't worry, western leaders have figured out one doesn't need democracy or free speech for capitalism to function, China set an example. So with all the spying , ban of encryption , limits on freedom of the press with laws such as "the right to be forgotten" or making illegal to criticize cops or politicians in Spain , we have already entered in a post democratic era . And people in Europe take their freedom for granted forgetting they had to fight to death to win their freedom at first place.
The right to be forgotten is actually a powerful mechanism to protect individuals. Though, the law should possibly revised such that it only applies to individuals that are not a public figure, who can prove to have little or no range of responsibilities.
The right to be forgotten flies in the face of capitalism. You cannot assume you act in perfect self-interest without total and perfect information. The first can be easy to acquire, the second harder.

The right to be forgotten impedes on total information awareness and the desire to make the perfect rational decision with your money.

This is a good thing. Total information is not perfect information because of bias and context. Someone seeking such information will process it through a biased lens and never attain perfection. In that case, the individual under the lens will lose out.

Can't agree more..(same as a Chinese developer)
In what way has that book changed your way of thinking?
+1 for Lin Yutang, he is an amazing writer who sparked my interest in China. I lived there two years and met my wife. Xie xie Lin Xiansheng!
As the author of tun2socks (which is currently used under the hood in shadowsocks-android and Psiphon3 for system-wide proxying), I wasn't even aware this effort was in progress. Very sad to see it stop.
But censorship when the citizens can travel in and out of the country carrying USB,SSD and hard drives will not work.
Do you honestly think you can carry USB and SSD to China without border officers confiscating it?
Maybe I'm lucky but I've done that many times and so far the customs never bothered
> I have no choice but to obey.

Did he ask a lawyer? Because it looks to me there are two possibilities. One, he was not doing anything illegal in which case the police had no authority to stop his activities. Two, he was indeed doing something illegal in which case he can be glad he got out of it with what appears to be only a warning.

I didn't get where he/she is from.If I were him and I was in US I would fight back with legal system, but if I were in china and Iran I would run away (sadly because there is no reliable legal system in these countries)
(comment deleted)
can't agree more, law in china is a laugh
In China, the rule of man above the rule of law...the man who accuse the ISP for cannot access google in China has been arrested..(sorry for my poor english..)
It's of no use. If he's lucky, he would "receive" a fabricated charge; if he's not, he would simply disappear.
In China, the legal system works like this:

you are innocent, you have done nothing illegal, but the big brothers think differently.

So they first lock you up, if you are popular and the world is watching while they are locking you up, they will conjure up a charge like tax-evasions or conducting business scams [see AiWeiWei's charges] and make you suffer jail time chance fighting back. But in case you are not popular and the world didn't know you before incident happens, you will simply disappear. [see 'countless' dissidents' disappearing since 2013]

China is not ruled by law.
This is the end of a century. People in China had used 4 kinds of tools to skip the GFW: freegate, openvpn, goagnet, shadowsocks.

freegate is a traditional http proxy or socks proxy built by Falun Gong (https://en.wikipedia.org/wiki/Falun_Gong). They built lots of software with the same technology: freegate gpass freeu dynapass... People share this kind of banned software sending to each others just like teenagers share adult videos. After update of GFW, it become un-available and un-usable.

openvpn turns break GFW as a business, people sells openvpn account at $1.66 a month regularly. They sell this kind of services package including pptp l2tp ssh openvpn to those who need a free network.

goagent is a free software written by Phus Lu. It use Google's application engine as server so you can use it without paying money.So it replaced openvpn since it cost $0. After China banned Google, this way become more and more hard.

shadowsock is a protocol designed by clowwindy. It become a environment. People use python, C, nodejs, golang, rust, obj-c, java to write their own client and server. Some organization share their server for free, some people sell account and provide high speed. shadowvpn works as a VPN while shadowsocks works as a socks5 proxy, but share the same technology.

This is the end of shadowsocks. I means recently more and more evidence shows that GFW has finally find a way to recognize shadowsocks's packets. Then they stopped the development of shadowsocks.

That's all. The winter of China's network comes.

It already comes a few years ago when Xi got the power..(I mean the hole country is in winter, including movie Animation..)
> That's all. The winter of China's network comes.

Is there technical reason to believe that shadowsocks or similar technology is the last stand against automated censorship?

I would just say this is just yet another stage in the censorship/anti-censorship cycle.

I think that is what he meant. Winter is seasonal after all.
I think maybe he meant it as a Russian winter
You may not be seeing the big picture here. Censorship is about rulers cementing their rule, and may well ultimately lead to complete tyranny.

There's no guarantee that "the censorship arms race" will continue, even in your specific nation-state.

For example, I bet there's not much anti-censorship software being developed in North-Korea, because people don't want themselves and their entire families tortured to death.

The real problem here is not that we might be lagging behind governments with our anti-censorship tools. The real problem is the existence of governments to begin with, because as long as they do, they will want to control their subjects as closely as possible.

Policitians and the real rulers behind the scenes are all psychopaths.

They see us as human livestock, and any one of them would be perfectly happy with a global North-Korea, as long as they personally would be in the tiny ruling elite, with all the riches and power a psycho could ever dream of.

> I means recently more and more evidence shows that GFW has finally find a way to recognize shadowsocks's packets.

Hmm... okay, so they defeat shadowsocks by recognizing the packets.

> Then they stopped the development of shadowsocks.

But if they already had shadowsocks beat, why do they make a public show of shutting it down?

Sounds more like they recognize that they don't have the GFW technology to defeat shadowsocks on-going development over time. Which suggests all you need is a new developer.

I don't know if this is the case, but I think it's entirely possible to know that shadowsocks is being used widely without being able to do anything about it at the network level. I think that's plausibly how shadowsocks is designed to avoid the GFW in the first place.

For example, if their capabilities to identify shadowsocks traffic is not particularly specific, filtering would result in undesirable impact on other traffic. They can also have other out-of-band estimates for the extent of shadowsocks use (presence of the software on seized or searched equiment, observed chatter, informants, etc).

There's no such thing as overkill.
actually doing both makes a lot of sense.

a: build a method of detection and prevention and

b: find and coerce developer to stop improving software,

#b is required assuming the developer(s) is considered to be an above average adversary. When there is no silver bullet solution a cat+mouse game is inevitable. That further increases the value of this action.

#a being done at same time as #b has an effect on the collective behavior of the adversary. I'm sure various members for the RIAA and MPAA are wondering how they could have dealt with "filesharing" in a similar manner during the Napster days. But in the end it only buys you time in a cat+mouse games. meh, im sure there is some sun tzu art of war blah blah somewhere saying the same. more poetically of course.

A lot of people set up shadowsocks on their VPS and then spread it to their circles. It's the growing community and that more people are communicating with each other via means the party can not control that upsets the party. This will not stop, it's our fight for freedom.
I've been using this anti-censorship software for about 2 or 3 years. It's the most stable one of all anti-censorship softwares I've ever used. For those who's not in China mainland, you can not imagine how many breaking-wall softwares we've ever used.From ssh -D,pptp,L2tp/ipsec,to OpenVpn. In order to access twitter,someone even create twitter api proxy such as Twip,btw,the creator was ever forced to "drink tea" with the police ,too. The Chinese gov just blocks any sites they want and frighten anyone who is "troublemaker". Best wishes for the gov,and for the heroes who is creative and brave to develop all these anti-censorship softwares.