62 comments

[ 2.8 ms ] story [ 1416 ms ] thread
Censorship sounds like an inadequate term here.
Agree.

Digital embargo is more appropriate IMHO.

Great suggestion. I'm debating whether to actually change it, but it'd end up not matching the permalink. Hmm.
(comment deleted)
Isn't this to comply with US law? Why blame Docker for that?
From the article:

> You shouldn’t really hate them (Docker) because they are doing what they have to do.

I apologize. The article title has created a misunderstanding for a lot of people. I'm not blaming Docker in the article content (as quoted by others).
He didn't blame docker
The title is 'Docker's censorship', which is misleading. It's not Docker's censorship, it's US state censorship.
It boils my blood when a harmless fellow developer faces trouble due to political mess created by dumb people.
Have to piggy-back off this and wish the guy best of luck in his endeavors. It's moments like these you understand that most of your problems are meaningless compared to what other people face.
Isn't that so very true.

Thank you a lot for your well wishes.

I don't think it's that simple.

Let's perform a gedankenexperiment. There is a country A that "misbehaves" — e.g. threatens its neighbourhoods and promises to hit them with nuclear weapons ASAP (in other words, promises nuclear offense). Quick note: in this context "country A" means "government of country A". There is also a country (or an alliance) B that is overwhelmingly more wealthy than A, has more military might and political power. What do you think B should do? Here are the options:

1) ignore A until it directly threatens B;

2) use B's military, crush A's government, help A's people to rebuild the country;

3) apply political and economical pressure to A, which in practice means "make A citizens' life miserable so they deal with A's government themselves". It's sometimes possible to apply the pressure selectively (e.g. to A's elites).

I agree with you that it's a morally ambivalent situation. However, I strongly believe that an embargo (including "digital" one) causes less casualties than "boots on the ground". Moreover, democracies don't fight each other, so in this scenario A is (most likely) a dictatorship. Dictatorships are bad and I believe that wealthy countries should care about long-term wellbeing of citizens of other countries, at least for their own self-interest. Your opinions may differ, but it would be wrong to brush off the whole issue with "political mess created by dumb people".

I think the relevant question is whether embargoes accomplish the goal of making the citizens deal with their government. It could be that they're actually counterproductive (for example, it's often said that mutual trade increases the costs of a war, by making countries dependent on each other for resources).

If embargoes are pursued after decades with no evidence that they are beneficial, then calling them "dumb" is not so unjustified.

As someone growing up in a country that was under an embargo (born in '75 in Yugoslavia, spent my teenage years in 90's Serbia, under Milošević rule) and having seen it firsthand I can tell you that it never hits the ruling class and politicians - it only hits the common people - the more poorer you are the more you will feel it. Politicians and the rich people around them find the way to bypass it.

During those times my both parents were having small private firms and were trying to make end's meet which were difficult enough with the collapsing economy and inflation and having no political connections with the ruling class (they despised the serbian nationalism and were being active in the then-opposition parties) sure didn't help them.

The one occasion I will never forget is when my parents decided to go to Hungary to try to buy some glazes for my mother's pottery shop. They would've bought some 20-30 kilos, smuggled it in our car and that would've been enough for a next few months. When the shopkeeper in the Hungary heard they are from Serbia he decided that he wouldn't want to sell them anything because "embargo and war and stuff" and so my parents came home empty handed. They came to the shop as private individuals and must have mentioned briefly where they would be taking the merchandise (they both spoke hungarian) but the shopkeeper kept looking at them as if they were personally responsible for all the things that were going in the Bosnia at the time. We didn't have to close the shop, a few weeks later they found another supplier and bought from there but it really left a bitter taste in their mouths.

(shameless plug: this is now my brother's pottery shop who inherited it from our mother who passed away 6 years ago, this is a small promo video he did some time ago)

https://www.youtube.com/watch?v=hD-bREcrLEQ

Yeah, I see what you mean and I know the feeling [1]. However, I think in the end the suffering becomes associated with the government anyway, so in the long term the strategy works. Here is some anecdotal evidence: current sanctions against Russia are precisely targeting companies that belong to elites. However, the Russian government imposed embargo on European food producers, in effect imposing self-sanctions on a wide population (food became a lot more expensive and really crappy here). They also managed to associate raising food prices with Western actions in the public eye, the stunt that worked really well at least on my parents and my friends' parents. However, now (after a year and a half) the propaganda starts to wear off and people become really unhappy with the government itself, despite their "rational understanding" of who's responsible for their troubles (the West). So yeah, it's a long game, but I can see the point of it.

The video is great, I wish best luck to your brother and his business!

[1]: I'm Russian and there is a ton of shit going on [in/because of] my country and a lot of people are unhappy about it (Ukrainians in particular). The issue is morally complicated AF and is closely related to a concept of collective responsibility, which isn't a clear-cut either. Personally I decided that it's wrong to completely separate myself from the actions of my govt (I know I could do more to prevent its misdeeds), so I feel some guilt about it and acknowledge when people have prejudices about me. Fortunately, most people (even more amazing, most of Ukrainians, despite all the shit Russia did to them) are nice and friendly when they see I don't consider appropriate to snatch chunks of neighbour's land.

> democracies don't fight each other

The US & UK overthrew Iran's parliamentary democracy, and installed the Shah. (https://en.wikipedia.org/wiki/1953_Iranian_coup_d'%C3%A9tat)

The US is the world's most hyperviolent bully. (Just compare its capacity and use of violence to any other entity.) Bullies generally don't admit they're bullies, despite all evidence, and swear they're justified when smashing their victims.

I generally use VPN Gate [1] for all my IP-spoofing needs. The actual VPN servers are hosted by volunteers around the world.

The client and server software VPN Gate uses is the open source SoftEther VPN [2], which I also use to host and connect to my own VPN. It's pretty great.

[1] http://www.vpngate.net/en/

[2] http://www.softether.org/

Awesome, thanks! I'll definitely try these out!
If you're up for going the VPS route, there's an awesome project called Streisand on github that automates the entire process that sets up the server with multiple VPN protocols as well as TOR bridges:

https://github.com/jlund/streisand

Good luck!

> A few days ago I got a call from a lady that is studying her Masters degree in computer science (can you believe it?)

This comment is not ok.

Hi Dan,

If you're the person who contacted me through an email, I just replied to you! If not, I'll paste my response here:

----------

Hi Dan! You won’t believe how glad i am that you decided to contact me regarding this, rather than making a decision about me in your mind and not speaking about it. Thank you. Your email made me realize that I had made a mistake there that we developers often do, namely forgetting to explain the context and thinking that the reader already knows it. In Iran, we don’t have many women who go as far as a Masters degree in computer science. Even if they do, they don’t usually enter the workforce as a DevOps or software engineer. This was what I meant with “can you believe it?” — the fact that this lady had gotten so far is unbelievable. I know where you’re coming from, though. Whenever I reveal on the web that I’m a blind programmer, many people talk between themselves and say, “he’s a blind programmer! Can you believe it?” A lot of people in those circles raise an objection about this choice of words, saying that, “Why do you think it’s incredulous for him to code?” So, yes, I should have seen this misunderstanding coming. You’re awesome. I’ll go and change it immediately. Thanks again. Best, Parham

I guess he was probably surprised since ladies doing computer science masters in Iran must not be that common I guess. I understood it this way.
Exactly. I changed the article to better reflect these though. I'd personally get offended if someone actually meant to say something like this, and since I don't want people to think I'm making such a ridiculous statement, I edited the text to clarify.
Your are amazingly considerate and polite. It's very refreshing to see a civil replies like this. Thanks a lot!
And you're surprisingly smart, which you demonstrated through your gedankenexperiment. I'm glad that writing about my experiences has allowed me to read one paragraph of the thoughts of people so much smarter than me. These are brief glimpses, but they definitely humble me.
Why is it not ok?
Consider the ways in which this comment could be interpreted in a way that doesn't insult women, which is how I assume you read it.

There are ways.

IMO here we have again an example of how attempted PC actually makes lives worse.

Take notice.

In Iran, it's certainly surprising.
I've been using Freedome[0] for a few months now and I am really liking it. While I don't use it to escape censorship and digital embargos it's adequate for such purposes too. You can pick from exit IPs all over the world and easily switch it.

I run all my traffic through Finland usually because they have fairly strong data protection laws, especially compared to the UK where I live.

It's also a nice way to get around traffic shaping and other invasive measures from your ISP. During peak hours I have better speeds for Netflix and the likes through Finland than without VPN.

0: https://www.f-secure.com/en_GB/web/home_gb/freedome

Wow, so many awesome software. You'd think that as someone who has used VPNs since the day he first connected to the Internet, I'd know all about these things! :-)

Thanks a lot! I'll definitely try this one out!

> I am a completely blind back-end programmer

So not only does he have to deal with the ridiculously hostile environment being a programmer in Iran. He's also blind. That truly gives some perspective on things.

Haha yes. Though being a blind programmer is not that bad; being in Iran is why I am trying to find a job in another country and relocate.
I sincerely wish you the best of luck!
His blog is exceptionally clean.

I don't know if that should be expected (cruft would be harder for assistive devices to read) or unexpected (he can't see; how can he keep it clean?)

I had a colleague build my blog for me. I love his work because he created a clean theme, and it's very easy for me to navigate. I hadn't thought that it'd also be easier to read for sighted people. That's great to know!
I did this because I live in another country where the U.S. has sanctioned me from seeing a variety of things I could pay for if I lived in the U.S. - Australia. I'm just not under a regime that will kill you if they catch you...

Works great for websites, but can SOCKS5 transparently redirect DNS traffic? In the end I setup an OpenVPN server and setup port redirecting for DNS.

Well, I'm not doing anything political, so no one will catch me and kill me. I'm using it for exactly the same reasons as you, namely that the United States won't let me view some content, listen to some music and stuff. Even though I have to pay illegally to access this content (which is when I use my Canadian IP), I still am paying for them and must be able to use them.
How do you pay? Credit cards are normally issued from a geographic region and you need ID to get one in another country due to AML measures...
I used another friend's credit card. There are some services here where some guy in another country who is originally Iranian will charge a fee to take your Iranian Rials and send them to a PayPal account, or go and pay for a service on another website on your behalf.

It costs extra money, but oh well. It's better than staying ignorant and not being able to improve and learn more.

So I need to convert AUD to USD to Rials and send them to an Iranian guy in the U.S. to pay for a Netflix account with a third party U.S. credit card and then figure out how to proxy my way through someone's U.S. Internet connection via a SOCKS5 proxy.

What could possibly go wrong? :-)

LOL!

When you put it like this, it seems very impossible. But I've been doing the second part of it for two years, so if you need any help with that, just let me know. Haha.

Australia has a policy of capturing all metadata from ISPs. I suspect I might actually be more at risk of getting a knock on the door from our security agencies than you would be. And if I'm suspected of terrorism I can be held in jail for seven days without charge on a continually renewing basis.

Don't think I'll risk it :-(

Australia is not going to arrest you for using a proxy, unless you're using it to do something else illegal. Let's be realistic about the relative threat level in Australia vs Iran.
Yeah, because government agencies haven't been worried about Iranian terrorism in Australia since Man Honis took hostages in Martin Place and a teenager of Iranian background shot and killed a police accountant in Parramatta last year.

For myself, I know I'm not a terrorist, but transferring money like that looks mighty suspicious and it wouldn't be hard for the security agencies to get the wrong idea. They don't have to prove anything. Just ask Muhamed Haneef whether they make errors. Mick Keelty refused to even acknowledge the AFP treated an innocent man very badly. If you think a guy like the head of the AFP is this incompetent, then you should watch your step if you live in Australia.

It's not like I can defend myself in a court of law now, is it? Terrorism gets an end run around due process in Australia. And we've already seen how it can turn out - pretty fucking badly.

(comment deleted)
'Censorship' is the wrong word: Docker isn't censoring information, but rather refusing to do business with Syria, Cuba, North Korea & Iran. I expected this article to be about Docker censoring items it serves.
Yes. I'm sorry for the confusing title. This has been pointed out to me and I agree. The reason it hasn't been changed is because it would change the permalink.

Sorry for not giving you the information you were looking for.

I have found using ShadowSocks [0] to work best for me here in China. VPNs create one connection for all traffic (which is easier for China's GFW to detect/block/slow down). ShadowSocks creates a new TCP/UDP connection for each connection that it proxies.

My setup:

Cheap VPS server in Hong Kong [1] (5USD/month, 512 RAM, 2Mbit port) running the ShadowSocks server (libev version). I have upgrade the port to 20Mbits for an extra 10USD/month. The port could be upgrade to 50Mbits for 25USD/month.

For DNS I use ChinaDNS [2] to automatically filter out bad DNS results from China's censorship. It works by sending DNS queries to all multiple DNS server at the same time (give it a few local DNS servers and foreign DNS servers). The foreign DNS connections are tunneled through ShadowSocks.

ShadowSocks can work as a Socks5 proxy, tunnel or transparent proxy [3]. Socks5 is the easiest to use and can even do DNS lookups on the server. I use the transparent proxy [3] option, since it allows selecting which traffic should go over the proxy.

The socks5 option will try to proxy localhost & lan conections to the proxy server.

An optimized list of subnets can be generated using bestroutetb [4]. I load the subnets for China (can private LAN) into an ipset hash and use iptables rules to exclude those subnets from going over the proxy.

ChinaDNS [2] and bestroutetb [4] could be used for VPNs too. This could be used when trying to access different services (US, UK, etc..) that don't allow access from outside their country. Use one VPN for US and another for UK, then use bestroutetb [4] to build subnet lists for each country route traffic over the correct VPN.

0. https://shadowsocks.org/

1. http://www.36cloud.com/

2. https://github.com/shadowsocks/ChinaDNS

3. https://github.com/shadowsocks/shadowsocks-libev/blob/master...

4. https://github.com/ashi009/bestroutetb

edit: fix formatting and port prices.

As someone who is pretty much oblivious to how the censorship works in China: Why do you use such a slow and expensive VPS, and why Hong Kong?
I'll take my best shot at guessing his answers. The Great Firewall employs many techniques for censorship. The simplest block sites and poison your dns cache. Http packets are inspected to deterministically decide whether are block a connection.

Https is an improvement, but they still use machine learning to make estimates on encrypted contents of packets. If packets going to and from a location (i.e. Your vpn server) meet some criteria with some confidence, they perform attacks on that connection and subsequent connections To the same endpoint. I'm not sure on the specifics, but these attacks will cause ~90% of that connection's traffic to drop. The system is dynamic, so your countermeasures have to be as well.

I'm guessing HK because it's physically and politically close. It's considered Chinese territory, but not under China's GFW. I've heard from friends that GFW censorship is more aggressive around sensitive times (i.e. Tiananmen square anniversary) and news.

If any of this is wrong or inaccurate, someone please correct me. I'd love to have a better mental model of the GFW so that I could better work remotely from there.

I have read that the GFW will also try to fingerprint a server if packet analysis shows that it might be a VPN.

VyperVPN has a stealth protocol (Chameleon) which tries to obfuscate the VPN connection to make it look like other types of connections. Other VPN providers might be doing the same thing.

When I first came to China about 3 years ago, I tried using a VPN service but it wasn't reliable and connecting was always slow. So I tried running my own OpenVPN server on a VPS in HK (different provider [0]).

What I found at that time was that the GFW seemed to detect the VPNS's TLS connection and delay some packets which caused the connection setup to timeout. I even created my own obfuscating TCP tunnel (written in Lua) and tunneled OpenVPN through that. The obfuscation made OpenVPN work much better.

I still had latency issue when doing a long download. I later found out that the latency issue was caused by my VPS provider having a 2Mbit bandwidth cap on traffic to China from the server (they don't say anything about this limit or how much it would cost raise the limit on their website [0]). Also I found that if I apply the 2Mbit rate limit on the VPS server, then latency didn't go sky high (slowly growing to 10 or 12 second ping times before dropping again). It has only been in the last 3-4 months that I have known about this issue and moved to a new provider.

I started using ShadowSocks because it uses a protocol that doesn't have any easy to detect fingerprints (all of the data in the protocol is encrypted), so it doesn't really need obfuscation to hide the connection from the GFW. Also ShadowSocks creates many connections (one for each proxied connection), so even if the GFW delays some of the packets, it will not cause a stall of all connections.

But I think the biggest thing that I like about ShadowSocks is that it doesn't need time to setup a VPN connection, the tun0 device and routing rules. So when my laptop connects to a different WiFi network, everything just works (except I sometimes need to reset the DNS tunnels, but I could automate the reset).

0. http://www.vpshosting.com.hk/

I don't need a lot of server resources for the proxy. So the cheapest server is more then enough. The real issue is getting good latency & bandwidth to sites outside of China.

What I am paying for good latency & bandwidth on that server is cheap compared to other providers.

Hong Kong is very close to me (Guangzhou), so latency is low (around 9-10ms).

Here is the latency I am seeing right now:

1. Ping to DigitalOcean VPS server in San Franciso: 270ms

2. Ping to 36cloud.com VPS server: 10ms

3. Ping from 36cloud VPS to DigitalOcean VPS: 160ms

4. Proxy running on DigitalOcean VPS server in San Franciso: 274ms, DL: 3Mbits, UL: 4Mbits

5. Proxy running on 36cloud.com VPS server: 178ms, DL: 8Mbits, UL: 5Mbits

The last two are from using speedtest.net with the same speedtest server in SF. So the VPS in HK save me almost 100ms of latency. which greatly improves browsing speed.

Can someone not get in touch with this gentleman and just offer him a job already? Beyond his obvious technical knowledge and analytical approach to things, read through the comments here and you'll see a person who is levelheaded, humble, and seems genuinely happy to foster discussion with likeminded people. I wish I were a hiring manager at my company, but someone out there has to be. Snap this guy up before someone else does.
Erm, "someone out there has to be" in a position to hire him. I realize that it sounds like I meant that someone on HN was a hiring manager at my company. More coffee before commenting next time.
Sure, but does he want to emigrate and do you want to go to the trouble of getting him a visa?
> Sure, but does he want to emigrate?

I'd love to. This is a dream that I'm striving for.

> do you want to go to the trouble of getting him a visa?

Now, that'd be a tough one for anyone to answer.

Yeah, I very carefully didn't assume that he wanted to emigrate to the west to "enrich his life" or rescue him from blah blah White Man's Burden. He mentioned that (paraphrasing) he was trying to better himself in emerging technologies so he could get a job abroad.

And as someone in Austin who has seen how insanely hard it is to find a good culture fit despite a large pool of "talent," yes, I'd jump through hoops to find someone as humble and self-motivated. Unfortunately, I'm just not in a position to do so at my current place.

And then the company that does hire him will be vilified here for hiring H1B workers.