Swedish Researchers Expose China's Tor-Blocking Tricks

An anonymous reader writes "A pair of researchers at Karlstad University have been able to establish how the Great Firewall of China sets about blocking unpublished Tor bridges. The GFC inspects web traffic looking for potential bridges and then attempts 'to speak Tor' to the hosts. If they reply, they're deemed to be Tor bridges and blocked. While this looks like another example of the cat and mouse game between those wishing to surf the net anonymously and a government intent on curtailing online freedoms, the researchers suggest ways that the latest blocking techniques may be defeated."

Pedantic response ensues

[ojintoad]

While this looks like another example of the cat and mouse game between those wishing to surf the net anonymously and a government intent on curtailing online freedoms, the researchers suggest ways that the latest blocking techniques may be defeated."

I hatelove slashdot summaries, and here is another example of why. Yes, I haven't read TFA.

When you use the word "while" like this, it sounds like you're going to be contradicting the first point. Especially when you use the phrase "this looks like" immediately afterward.

Instead, the second part of the sentence goes on to directly corroborate what the scenario looks like. Surprise! While it looks like you're setting up a contradiction, you finish up with reinforcement.

So in fact it doesn't just "[look] like another example of the cat and mouse game", but in fact it literally is an example of the cat and mouse game, and the researches propose another way for the mouse to escape. And yet another awkward summary graces the Slashdot homepage, in the grand tradition.

Re:

[X0563511]

Kind of a pointless gripe? Oh noes, an apple looks like an apple!

That said, how do you know it is an apple? It merely looks and behaves like one.

Re:

[GmExtremacy]

Don't express your qualms as a query. Buttnude nakedom is here for you.

Re:

[girlintraining]

And yet another awkward summary graces the Slashdot homepage, in the grand tradition.

And yet another grammar troll graces the comments, also in the grand tradition. I know this may be hard to accept but the human mind can parse language that's full of errors, paradox, contradictions, and incomplete information; And does so often. As well, linguistic rules and content both can be mutated without warning based on prior communication, current context, or implication.

Now I can understand how a certain subset of the population could have an issue with this -- they were never invited to 'those'

Re:Pedantic response ensues

[Bromskloss]

or ever flirted with someone using innuendo so skillfully that anyone observing mid-conversation would be unable to tell any kind of flirting was going on

Breaking one of the rules of grammar, say, by using while the way the Slashdot summary does, might be the means by which one conveys precisely that innuendo. If the speaker overall cares very little about the rules, I'm afraid no one would perceive their intentions as that subtle signal would be drowned in the flood of noise.

Re:

[Anonymous Coward]

Meh, I agree that it is bad grammar. I agree that mistakes sometimes happen. I don't agree that said mistakes are somehow superior to proper grammar.

The person who wrote the summary, and any editors/moderators who reviewed it, should learn from the criticism.

Re:

[girlintraining]

Breaking one of the rules of grammar, say, by using while the way the Slashdot summary does, might be the means by which one conveys precisely that innuendo. If the speaker overall cares very little about the rules, I'm afraid no one would perceive their intentions as that subtle signal would be drowned in the flood of noise.

Yes, but that was an example, not the conclusion. I get tired of people spell-flaming on the internet. It's like... if you can't attack the argument, attack the grammar, and if you can't attack the grammar, attack the person. It's not like he wrote the summary in txt-speak or something... -_-

Re:

[Anonymous Coward]

Burma Shave.

Re:

[Threni]

I think as we approach the future promised by Idiocracy, we're going to see more and more apologists for either dumbing down or the acceptance of bad writing, poor grammar, faulty logic etc.

I wonder whether at some point in your lifetime you'll ever find yourself compelled to correct someone and then think `damn, maybe that other guy from 2012 on Slashdot had a point`?

Re:

[FatdogHaiku]

Now, I read that totally differently from you. I see:

While this looks like another example of the cat and mouse game between those wishing to surf the net anonymously and a government intent on curtailing online freedoms,

As saying: "This looks like another story about China censoring the web"

And then:

the researchers suggest ways that the latest blocking techniques may be defeated."

Says to me:

However, this story actually suggests ways the censorship might be mitigated or defeated temporarily. S

Re:

[erroneus]

While this looks like an article simply explaining a specific detail, it turns out to be more than that.

"While" is not followed with a "contradiction." "While" is followed with a "difference," a "deviation" or even a "distinction."

"While you expect this, you get that." "While you expect a little, you get a lot." "While you expect a set of dishes, you get the dishes AND a free set of Ginsu steak knives!" "While expected X, received X + Y." "X + Y" is not a contradiction of "X" is it?

I get annoyed with b

Re:

[ojintoad]

I agree that contradiction and difference aren't the same thing. But I think I'm right in that it didn't really seem like they were pointing out a difference even. "While it looks like a cat and mouse game, the researches are participating in the cat and mouse game." Other people here disagree with me - that's cool, it's their prerogative. I can see it being read a different way.

I think there are a lot of fair critiques to my criticism (and one that was downright mean, though it got flagged as flamebait

Re:

[ojintoad]

Yeah, that's a bad habit of mine, I make that mistake a lot.

I meant it was literally an example of the figurative cat and mouse game, not just like it. I should heed the warnings of XKCD [xkcd.com] tho.

bandwith of flash drive or SDHC card

[Max_W]

What if a tourist saves forbidden website or reading material, packs it onto ZIP, RAR, or 7Z archive, then renames archive as JPG. At home he/she has to just rename .JPG back to .ZIP.

It is hardly possible to check every JPG file of every tourists. Tourists bring thousands of JPG files back home on flash drives and SDHC cards.

Re:bandwith of flash drive or SDHC card

[Anonymous Coward]

The throughput is reasonable, but the latency is pretty high.

Re:bandwith of flash drive or SDHC card

[Mattygfunk1]

The important part is that the information gets through.

Unfortunately spreading pro-freedom propaganda will get you sent to jail once you try to disseminate it further.

Revolution in China is inevitable (IMHO). Attempting to improve the current status technologically is a noble cause, by those who are free, for those who aren't.

Re:bandwith of flash drive or SDHC card

[Max_W]

Millions of Chinese tourists travel abroad each year. On a tiny SDHC camera card of 256 GB one can bring several movies in HD quality, plus about all texts of the humanity.

What is the point of this expensive firewall? The "iron curtain" is just not possible with the flash memory cards of high capacity. Any intelligent curious person can bring for himself a library to last for years.

Re:bandwith of flash drive or SDHC card

[Hatta]

If you have to wait for a compatriot to leave the country and return before you get uncensored news you'll miss the protests going on downtown. The point of the firewall is to prevent an Arab Spring from occuring in China.

Re:

[wanzeo]

I would venture a guess that most of those Chinese tourists are part of the privileged upper class who live (or reside) in one of the economic zones that the Great Firewall doesn't cover anyway. Their lives are relatively good, and they are not going to rock the boat.

The people behind the firewall are in no position to leave, even for a short while.

Re:

[timeOday]

The point isn't to keep secrets (what would they be?) It's not the existence of an idea that matters, but rather the perceived prevalence of the idea, which emboldens others to embrace it.

Re:

[Kalriath]

Well for a start, I've never met a Chinese person who didn't agree with the Great Firewall. So the reality is that the point of it is that people actually like it.

Re:

[Anonymous Coward]

What if you have a load of CP on your hard drive and no-one knows about it?

Nerds can be really fucking grating on this point.

Look: the law does not aim to stop everyone doing anything illegal. It merely aims to set a standard for "acceptable" behaviour and keep enough people in line.

Can we stop all these arguments about a law being silly because it cannot be perfectly enforced? It's typical ego-stroking nonsense. Yes, congratulations, you and any terrorist/freedom fighter (delete as inappropriate) can get p

Re:

[lightknight]

You come onto a website, filled with people, whose profession deals with exceptions on a daily basis, and want to complain that we should accept 'good enough for most people?' Would you build a 'fly-by-wire' aviation system that worked 'most of the time'? Would you allow a loved one to fly in a plane using it?

You are such a contrast with the people who originally framed the laws (at one time) governing this country; they took the approach of letting some of the (possibly) guilty go if it meant ensuring that

Re:

[b4dc0d3r]

Engineering standards for safety are a completely different domain from laws, so you're not making sense. here.

Also, letting some guilty people go in lieu of innocents suffering is exactly what gp was talking about. The laws will catch people too stupid to bypass the laws. And yet people complain that there are ways around it and therefore it shouldn't even be a law. How can you not see that you are the contrast?

And bailouts... now you're just bringing up random things you don't like and ignoring the con

Re:

[lightknight]

"Engineering standards for safety are a completely different domain from laws, so you're not making sense." -> How so? In either case, if you f*ck up, someone can die. Perhaps the problem you are faced with here: you don't take the codification of your laws seriously enough.

"Also, letting some guilty people go in lieu of innocents suffering is exactly what gp was talking about. The laws will catch people too stupid to bypass the laws. And yet people complain that there are ways around it and therefore it

Re:bandwith of flash drive or SDHC card

[X0563511]

It's called steganography [wikipedia.org], and don't get caught. You shall be in a world of shit if you do, because you'll likely be treated as a foreign intelligence operative.

Re:

[X0563511]

Because it is specific. "Spy" is a very broad term.

Re:

[X0563511]

I don't believe you have any idea what I was inferring. ... and it is a (primitive) form of steganography - hiding something in plain sight. His primitive form of it would be trivial to detect, however.

Re:

[renoX]

Really, really poor steganography.

Modifying the low bit of images/movies seems much more safe to me, of course the issue is that this is only possible with a computer and the program.
Having a steganography program on your computer isn't very stealthy when you go through the customs.

Re:

[X0563511]

I did say it was primitive, did I not?

Re:

[Anonymous Coward]

I think their government is too pragmatic to be concerned with small things like this.

The primary concern seems to be the stability of the country, which, if you imagine the USA with 4x the population density, makes sense.

If someone goes abroad and gets a banned website and brings it back, who cares?

But if they start organizing a political revolt or something like it, I would imagine that the record of their text messages would give them away.

In the same sense, the great firewall seems to be concerned with

Re:

[SgtChaireBourne]

It's kind of pointless to try to do that with web forums. All you get is a static snapshot and no ability to interact. In the Old Days back when each student had a Usenet account, things were much different. Then it really was possible to smuggle in and out communication on removable media.

Re:

[The MAZZTer]

Sorry, all the file types you mentioned have a file header that clearly identifies the file type even if they're renamed. Anyone who knows this will figure out what you did pretty quickly.

And of course it's stupid simple to automatically scan for such files, you don't even have to look at the whole file so it'll scan pretty quickly.

Re:

[hawkinspeter]

A neat trick is to concatenate the ZIP archive onto a JPG image. It'lll look like a picture, but will unzip fine. The only giveaway is the file size.

Public v. Private

[girlintraining]

The fundamental problem here is that Tor is accessible to the public. No, you read that right. As long as anyone can download a Tor client and connect, that person will have the IP address of at least one other Tor user. There is very little that can be done to prevent this without limiting access to the Tor network by some kind of handshake/authentication model. At the very least, the network is vulnerable to a denial of service attack; Since it can't tell a legitimate user from an illegitimate one: By design, the traffic is encrypted and the source obfusciated.

Tor can't ever fully succeed in its objective -- it can only maintain network integrity so long as the ratios between different types of users, client accesses, etc., remain in the green. Should the balance ever tilt, the network will become unusable.

A real solution is end to end encryption network-wide, which is what IPv6 was supposed to do, but as I'm sure you've all realized; the capitalist owners of the routers, switches, ISPs, etc., have decided artificial scarcity of IP address space could be profitable to them, so IPv6 is sort of dead on arrival. But even if it weren't, the notion that the ISP can't control what connections are made based on content is not something any of them want to give up; again, in the name of profits.

So basically, we need a whole new internet, built by the people, from the ground up. And it will probably have to be wireless. The problems of wireless high speed internet between buildings is hard enough; Try between cities. :\ But that's the only way I see of re-establishing a free and democratic digital communications medium.

Re:

[Greyfox]

Currently there's no reason you couldn't set up an encrypted virtual network on top of the existing network. Hell you could probably do encrypted UUCP over the current network and accomplish a lot of what you'd want to get done. You can even do E-Mail over UUCP, though I seem to recall that it was somewhat nasty.

Re:

[slashdotresearch_mj]

I've learned a little about Tor from some comp. sci friends who work with it but I don't really know anything about hte IPv6 you brought up and it sounds interesting. Do you have any links that a social scientist and not a computer scientist, could make sense of? I like to actually hear/learn this sort of thing from a human being rather than just searching away myself in the beginning if you wouldn't mind. I end up getting better information that way it seems.

Re:

[FireFury03]

A real solution is end to end encryption network-wide, which is what IPv6 was supposed to do

No it isn't. You can set up ad-hoc ipsec with keys hosted in DNS if you like - this is irrespective of whether you're using v4 or v6. The problem here is that it's a bit of effort to set it up and practically no one running a server actually does it (making setting up a client reasonably pointless). And no, this won't magically start happening if you switch to IPv6 - you still need to jump through all the same hoops to set up ipsec and practically no one does.

Re:

[Hatta]

A real solution is end to end encryption network-wide, which is what IPv6 was supposed to do

LOLWUT?

Re:

[wanzeo]

I don't really see how IPv6 could help this problem, the government can still just operate a bunch of nodes, and then block anyone who tries to connect using tor. And nothing will ever ease the risk of operating an exit node, where you can get slammed for other people's traffic. The only reason Tor works in other countries is because of legal arguments about Tor operators not being liable for Tor traffic. Outside of a local network or a darknet where all peers know each other personally, there is no such th

Re:

[The MAZZTer]

My college managed to completely block tor (thankfully it was about two weeks before graduation). Tor may have improved since then though. Investigating, it looked like my college had identified and blocked all of tor's "dictionary servers", the hard coded servers it looks for to supply it with IP addresses of tor nodes. No dictionary servers, no tor nodes. No tor nodes, no onion routing.

Re:

[kevmeister]

Ahh...No. and no.

First, end-to-end encryption was never required by IPv6. IPv6 did include all of the hooks required to encryption which were lacking in IPv4 but there was never any idea that all IPv6 traffic would be encrypted. In the years that have passed since IPv6 specs were written that some capability has been grafted onto IPv4. It's called IPSec and is used almost universally for VPNs. You too can use it if you feel so inclined, but the key exchange part makes it rather impractical for general, le

Wasn't this already explained in January?

[Anonymous Coward]

In this Slashdot story?
http://yro.slashdot.org/story/12/01/09/2320201/inside-the-great-firewall-of-chinas-tor-blocking

I thought the last link in that story explained everything mentioned above already.

Glad the tor project has a solution.

[hrimfaxi]

I live in China. The obfsproxy tor bridge works for me. The GFW staff now have to find the address of tor obfsproxy bridge manually to block it. As long as so far as they didn't find out the unpublished bridge address yet Tor works fine for me.

In China people are seeking different ways to breach GFW. We mainly use SSH tunnel, OpenVPN, or some sorts of HTTPS proxy (with some obfuscation needed by both sides or it doesn't work for GFW has capacity to probe SSL/TLS proxy).

I am glad tor now is functioning again in China. Just began to spread the obfsorxy tor browser to the others who need it.

Re:

[account_deleted]

Comment removed based on user account deletion

*shrugs*

[lightknight]

Perhaps they should implement some level of port knocking to the nodes.

Listen closely

[Opportunist]

We might soon need the information ourselves.