Author | Message |
Joined: 2005-04-24 Points: 648 | This post was inspired by some questions I saw on a mailing list and this Time magazine article. I'll share my personal experience with the Chinese firewall as I've experienced it on my own DSL line in Yunnan. These are just my personal opinions, so I wouldn't rely on them as advice of any sort.

Quote: the government has also deployed tens of thousands of Internet police to investigate online crimes

People I talk to in the bar always seem surprised by this fact. Personally I don't see how else they could do it. Automated filtering is limited by the state of the art in Computer Science, which is still not all that great when it comes to figuring out what a piece of writing is actually talking about. The blocking as I've seen it implemented is multi-fold:
What kinds of thresholds are considered significant when accessing foreign or "prohibited" sites from within China.

The restrictions, as far as I can tell, are pretty arbitrary. But that's mainly a technical problem. Even if the government has thousands of people adding and removing sites to the list all the time, it's really a losing battle, considering the number of webpages that get added to the internet every day and the number of times that content changes on pages. One improvement the govt could make (if they can purchase enough compute power to do it) would be to start filtering based on keywords instead of sites. I've seen the start of this with the transient filters mentioned above. I think they're moving toward that, but it will still be a "dumb" filter. I.e. a block on the word "Zhengzhou", the capital city of Henan, will be overly broad even when they're only trying to block news of some regional and recent event.

Quote: How are such "transgressions" by foreigners considered, relative to, say, a Chinese journalist? I've only heard of Chinese getting into trouble, for their own actions.

If they can be tracked, I think the foreigners can still get in trouble. I met someone in Oakland, CA who claimed to have been detained for 6 months for posting an article on a Duke University school newspaper website critical of the Chinese government while he was living in Beijing. If you post something (or especially if you're just reading a site) from an internet cafe, you're pretty small peanuts. The government is better served by focusing their efforts on the people that produce the content, rather than the ones that read it. There are far fewer of the former.

Quote: Would there be blowback to one's hotel, internet cafe, or friends whose private connections were used?

You'd have to post enough "objectionable" content to make it worthwhile going after you.
And if websites need to keep logs (as claimed by the Time article) it would be easy to combine those logs with China Telecom logs to figure out exactly the phone account (and thus the identity) of the location where the post came from.

Quote: Or are all of these concerns like many others in China - it depends on who's offended, when and how they're offended, etc.? Were one to write an email or travelogue saying "Guess what I learned that Chinese aren't allowed to read..." or "I visited another historical site of the Cultural Revolution. Let me tell you what I learned about Mao...", I wonder what the ramifications could be.

I think it all comes down to the practicalities. Even with 10,000 internet police to investigate posts, there's no way they can keep up with everything, especially English language content. I'm sure they'd like to filter everything (and there are a lot of things going in China's favor for succeeding at this), but right now, there's just way more stuff on the Internet than any censorship ministry could keep up with. They'll go after the more important targets first, and probably add a few random people into the mix. Kind of like how the music industry is fighting piracy -- Go after the big pirate organizations, and sue a few random people here and there to instill fear.

Quote: The majority of Chinese go online at cybercafés, and in order to rent computer time users must register with their national ID numbers. Cybercafé employees watch what their customers are viewing, keep logs of sites visited and share that information with local Internet police departments, which have been set up in more than 700 cities and provinces.

This, like so many things in China, seems to be enforced differently from place to place. I've had to register my passport number once since this policy started up a few years ago. Then the cafe that took my passport number stopped taking IDs down a few weeks later. |
Points: 748
Thanks for the very interesting comments, wtanaka
Points: 179
Great article!
I have reposted that in the following sites:
419eater
TheRanter
I have included links to your site and you as the author.
Points: 748
Guess what?
This link 419eater works from Chong Qing
I'll also see if I can successfully access this site
when I return to Chengdu.
......
I have just posted mention of it on another site
Points: 179
Wocca, welcome to Eater. Do read the guidelines, FAQs and Sticky. We have a mentor system for you to sign up for, and it is free! Oh, BTW kiss your free time goodbye....
*wait*
Hang on.. this is the Treehouse Cityguide!
Well, you should also post a link back to here and I think Wesley will be happy. I think we have a couple of Eater members who are from Asia and China.
P.S. Can you access theRanter?
Points: 648
Today, I tried visiting http://www.i2p.net/, which someone pointed out to me as a potential proxy solution. I downloaded about half of the page (till the point that it says "People should not use I2P prior to the 1.0 release without"), and then the connection stopped working. Trying to hit reload gave me "transient block" behavior like described above. Perhaps this means that China's started also doing transient blocks based on the data that comes back from the webserver, in addition to the data that gets sent in the request.
Points: 748
I can NOT access theRanter
wilson888 wrote:
I'm already well-occupied with a number of sites, so
don't have much (if any) more free time available.
Occasionally, I work as well :-}}*
Points: 179
Wocca, try www.anonymouse.org ! A bit slow but will get you there. You really need to invest in a proxy software.
Points: 748
Full points for persistence, wilson888
I don't need access to any more sites, thanks
...
Points: 4
Interesting observations regarding the great wall. I'll add what I've seen in the Shenzhen area... In this area, a location of ours used an IPSec tunnel to maintain a VPN with other locations in the US and Taiwan. When in the area, I used to be able to open IPSec and ssh links to these other locations from my hotel room, as well as use Skype, Jabber and other IM systems.
About 8 months ago, it was no longer possible to establish IPSec, PPTP, ssh, Skype or Jabber connections to the locations outside China. It was, however, possible to connect to the Shenzhen office via PPTP and IPSec. The implication seems to be that the local ISP is selectively blocking ESP, GRE, etc. at the connection/fixed address level. The hotel is not doing so, because when I complained and drew blank looks, I persuaded the hotel staff to let me help check/configure their routers. There was nothing the matter with the routers; the blocks were not at the hotel level.
In the past, IMAP traffic between the Shenzhen location and the outside world travelled via IMAPS (port 993), this is no longer possible.
I'm guessing that there are active attempts to block encrypted traffic between China and the rest of the world.
Points: 748
Points: 648
Nomad, I would guess that the government wouldn't cut off encrypted traffic access, because that would prevent people from maintaining websites and prevent multinational companies with offices in China from accessing their corporate VPNs.
What happened in the end? Did complaining to the authorities have any effect, or did your China office just need to shut down?
Points: 4
We have enough trouble with every single government official in customs, utilities, etc.
I edited this post by mistake. Sorry.
--wtanaka
Points: 648
Like you say, VPNs are essential to international companies being able to operate in China. I can't imagine them shutting down VPN access without a huge uproar. For example, I don't think they could ever shut down access in Beijing (with Microsoft and IBM having big research labs there)
I'm curious, can you tell if they're just blocking traffic on the SSH port, or are they somehow detecting that it's SSH traffic (searching for the unencrypted SSH handshake perhaps?) If you run the ssh server on a different port, are you able to use it?
If they're actually detecting SSH traffic, the switch to port number 80 probably won't help you, but the fact that OpenVPN is more obscure and less used probably will.
Quote:
There's no overt corruption here, but I know how these things can sometimes turn into a big "mafan."
Points: 4
I'm not sure what they are doing yet. It isn't just a simple port block, because we don't run ssh on the standard port. I think it is more likely to be protocol detection since the first part of the handshake takes place, but then the rest is blocked.
As for overt corruption... I guess it depends on whether the things you are doing require approval of one authority or another. If it does, they will use their power to extract something from you.
Points: 748
Berkman Center for Internet & Society,
Harvard Law School has collected data
on the methods, scope, and depth of
selective barriers to Internet access ...
...
Points: 4
Update from China... Just flew into China, so I thought I would post what I find.
On checking into hotel, for the first 12 hours or so I was able to use IPSec, IMAPS and ssh, as well as a Jabber server. Now, IPSec, IMAPS, Jabber and ssh are blocked. I do know that the hotel is not doing this because I have personally seen their router/firewall hardware and configuration.
Skype however, is unaffected on this trip. I suppose their p2p architecture helps harden it to blocks. Not always true though, since on other trips, it has been blocked.
ssh is to a non-standard port. On it fails with the error message: ssh_exchange_identification: read: Connection reset by peer
Similar error messages are given for IMAPS, etc.
On switching to IMAP for the same servers, connections are made as normal.
Blocking therefore seems to be on a protocol level, not port based.
However---and this is the thing that puzzles me---connections are possible on the odd occasion, almost as if the blocking isn't consistently applied, or that it only works when the hotel's traffic is routed to different routers in the Shenzhen area.
Traceroutes to identify the paths out of the country do not work, the intermediate routers return nothing.
This is all quite frustrating since it stops legitimate business-related activity. But I guess the authorities don't exactly care.
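A diagnostic along the lines Nomad describes, as an added example that is not part of the original post: it reports how far a banner-first TCP service such as SSH gets before the connection dies, which separates a refused or silent port from a reset that arrives mid-handshake. The function names, result labels and the loopback test peer are constructed for illustration.

```python
import socket, struct, threading

def classify_probe(host, port, hello=b"SSH-2.0-probe_0.1\r\n", timeout=3.0):
    """Report how far a banner-first TCP service (SSH, IMAP) gets before failing."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-tcp-connection"      # refused or timed out: port/address level
    stage = "before-banner"
    with sock:
        try:
            if sock.recv(256):          # the server speaks first in SSH and IMAP
                stage = "after-banner"
                sock.sendall(hello)     # client identification line
                if sock.recv(256):
                    return "exchange-ok"
            return "closed-" + stage    # orderly FIN from the peer
        except (ConnectionResetError, BrokenPipeError):
            return "reset-" + stage     # RST: what ssh reports as "reset by peer"
        except socket.timeout:
            return "timeout-" + stage   # packets silently dropped

def start_fake_peer(behaviour):
    """Constructed loopback peer that imitates one failure mode; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        if behaviour != "reset-before-banner":
            conn.sendall(b"SSH-2.0-demo\r\n")
            conn.recv(256)              # wait for the client's line
        if behaviour == "exchange-ok":
            conn.sendall(b"ok\r\n")
        else:                           # zero-timeout SO_LINGER makes close() send RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    for mode in ("exchange-ok", "reset-before-banner", "reset-after-banner"):
        print(mode, "->", classify_probe("127.0.0.1", start_fake_peer(mode)))
```

Run against the same server on its ssh port and on a plaintext service, a `reset-*` result on one and `exchange-ok` on the other is the pattern the post attributes to protocol-level rather than port-based blocking.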
Points: 748
Nomad wrote:
Consistency could be the operative word
Points: 0
Hi, I faced the same thing (can't access pop, smtp, ssh, ipsec) occasionally, and I find this problem very troublesome. This post really satisfies my curiosity. My office in DongGuan TangXia accesses two servers in HK, one PCCW and one HGC; the former has this problem while the latter does not. I checked using tracert: the former one has hops that the latter one does not pass, and I think that is where the filters are!
Points: 179
^^^ This is interesting... consider the owner of the above two companies.
Points: 748
Try this suggestion
http://www.thechinazone.com/showthread.php?t=990
Points: 648
link