23 comments

[ 3.2 ms ] story [ 43.6 ms ] thread
Some analysis and discussion here:

https://github.com/net4people/bbs/issues/519

> After its founding in 2018, one of Geedge's first clients was the government of Kazakhstan, to whom the company sold its flagship Tiangou Secure Gateway (TSG), which provides functions similar to China's own Great Firewall, monitoring and filtering all web traffic that passes through it, as well as attempts to bypass such censorship.

> The same tool has been rolled out in Ethiopia and Myanmar, where it has been instrumental in enabling that country's military junta to enforce a ban on VPNs. In many cases, Geedge works with other private companies, including internet service providers (ISPs) such as Safaricom in Ethiopia, or Frontiir and Ooredoo in Myanmar, to enact government censorship, the documents show. No ISPs that have partnered with Geedge responded to a request for comment.

> The leaks show employees at the company working to reverse-engineer many popular tools and find means of blocking them. One set of documents lists nine commercial VPNs as "resolved," and provides various means of identifying and filtering traffic to them. Similar capabilities have long been demonstrated by the Great Firewall, with most commercial VPNs inaccessible from within China and many dedicated anti-censorship tools also hard to access.

> At least one Jira support ticket shows evidence of plaintext capture of email

Russia tests it all in Belarus first. In 2020 they blocked almost all Internet, including VPNs, Tor etc (but left some areas connected, like banking). It's somewhat easier in Belarus, as they have a legal monopoly on cross-border Internet.
My first thought was unfortunately whether the UK and other Western nations would copy this to build their own Firewalls. To be honest i still don't think it's a goal anyone is actively working towards and that's a bit of an hyperbolic take. But the truth is that we are moving more towards such a system then we are moving away.

My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent. We are lucky to be living in such a free society. Internet seems to be losing the battle against government interference and censorship and that is more of a bad thing then a good thing.

AFAIK QUIC traffic is impossible to attack using MITM techniques. So I wonder how the GFW handles it. Do they block it entirely or still filter it somehow?
Typically they rely on metadata like the IP you're connecting to, or downgrade attacks. Until every server supports QUIC they can just pretend the server doesn't support QUIC.

You might think IP checks are safe because everything's on Cloudflare and they can't block Cloudflare, but you'd be wrong. Even Spain blocks Cloudflare (yes, entirely) during football games.

I used to live in a country who is also a customer of GFW. Before v2ray came out, I had figured out devising any random protocol would defeat it. I would pass my SSH connecting used for socks5 through ROT13 or any ROTn, then the firewall won't gradually slow it down towards total stall after a few kilobytes. OpenSSH yells its name and version in plain text upon connection.

A few years later (still before v2ray) they got more aggressive: Unknown protocols were stalled after a few kilobytes. I then learned if I pretend I'm doing something legitimate (!) such as downloading favicon.ico within a proper HTTP channel, they won't touch my "packets" (the favicon content was my packet). I think there was also a Iodine project doing the same with ping packets but it was slower than favicon-as-packets for me. Today I see v2ray has taken it to the maximum extent, suggesting valid web page front for an IP, valid https certificates, etc.

When I started making money I was thinking about renting many IPs and send my traffic as round-robin to them as the detection relied heavily on IP consistency. That is, connections were fingerprinted by IP.

I don't live there anymore and don't get to verify this hypothesis, but given the leaked source codes it's an intersting weekend project.

What else is also interesting, I looked at traffic decoders in the list of leaked source files: TCP, HTTP, QUIC, ... but no mention of UDP, which made no difference in bypassing GFW. I guess the same IP rate limiter was at work with UDP at a lower level.

I wonder who's the Chinese Snowden behind the leak.
Probably some guy called (C)hen (I)ao (A)n
This whole discussion is full of devil's advocates. The society is fucked
there is a controlled effort for this type of apparatus to exist everywhere
When a government feels the need to implement technical control measures against ordinary citizens, the tight leash that the people had on their government's authority is broken.

Mass censorship, surviellence, and erosion of privacy are incompatible with human dignity. Purely utilitarian stances advocating online censorship "for the greater good", exploiting the causes of "terrorism" and "child safety" fail to consider anything more than the first order consequences.

Once a government taste the powerful liquor of censorship, there's no way that bottle's ever getting corked again. You bet your ass when anything happens that threatens those in power, that they'll be using that censorship on more than just the evil porn websites and terrorists.

I hope that this GFW leak helps researchers and hobbyists alike find more ways to fight against government erosion of personal dignity.

> I hope that this GFW leak helps researchers and hobbyists alike find more ways to fight against government erosion of personal dignity.

Dream on. Remember Germany ?

You fundamentally misunderstand the battlefield.
Gotta wonder what kind of failed excuse for a human being you have to be to devote your talents to building stuff like that...
If you can make money from it, there will always be someone willing to do it. And/or there is always someone you can compel to do it. It sucks but you pretty much have to operate with that assumption for most things.
There's a sort of mirror world of academic research happening, where on one side of the mirror, you have people building the tools to censor the internet (typically but not always in Asian venues), and on the other, the tools to circumvent that censorship (typically but not always in Western venues). I know far more people on the latter half of the equation, but have enough exposure to the other side of the mirror to know that most of them earnestly believe they're doing something good. They see massive megacorportaions pushing American interests as an unfair lever in a fight for national sovereignty, and what they do as simply leveling the playing field, and combating misinformation. While I would wholeheartedly agree that they are mistaken in their analysis (reifying systems for people, "The institution I'm supporting may sometimes do bad things, but what I do is supporting the good parts!") and should immediately stop, I wouldn't want to dehumanize them any more than I would someone who works for Palantir, or even Google, Amazon, etc.
"Failed", hah. If you fail, you never even touch stuff like that: https://en.wikipedia.org/wiki/Gaokao

As fucked up as it is, the virtue of individualism is often studied as a capitalist/western phenomenon that causes crime and internal conflict. Many of the people building this likely genuinely believe that they are working for the greater good and repressing a harmful social underclass.

One man's "affront to fundamental individual freedoms" is another's "essential for the collective good".
I doubt we disagree on ethics here, but I am empathetic to the influences at play for a developer in that situation. I would not demonize them without first knowing more.
The excuse is you are good at tech and there's a gun to your head.
All i need is a simple firewall to block advertisements