China has tightened the screws on its infamous web-filtering system, according to virtual private network providers. The Great Firewall of China has been enhanced to "learn, discover and block" encrypted VPN protocols. Machine learning algorithms have been applied to carry out encrypted traffic analysis, something advocated by …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 21st December 2012 13:50 GMT Anonymous Coward

and they want to do business with the rest of the world?!

I can't see how China expects to do serious business with the rest of the world by blocking or attempting to block VPN connections.

The organisation I work for has presence in China and VPN is key to secure comms back to the UK, without this our clients just won't be interested in that market full stop.

19 0
1. Friday 21st December 2012 13:52 GMT Mike Brown
  
  Re: and they want to do business with the rest of the world?!
  
  its not really china that needs us tho, our decadent western way needs the chinese. this wont effect any business deals
  
  1 13
  1. Friday 21st December 2012 14:02 GMT Bumpy Cat
    
    Re: and they want to do business with the rest of the world?!
    
    Affect! Affect!! Using effect in this context means "this will not conclude any business deals", which actually results in you saying the opposite of what you meant!
    
    11 1
  2. Saturday 22nd December 2012 09:32 GMT Adam 1
    
    Re: and they want to do business with the rest of the world?!
    
    China and the west may not NEED each other but trade benefits both sides immensely.
    
    Not being able to securely communicate between regional offices is a major impediment to business. If the sovereign risk is too high then business will move elsewhere.
    
    1 0
  3. Monday 24th December 2012 18:21 GMT RICHTO
    
    Re: and they want to do business with the rest of the world?!
    
    But it will. No international company will want to open an office in China without secure communications back to HQ....And staff that visit wont be able to access their remote desktops / email / phone systems either. Big old mess....
    
    1 1
  4. Tuesday 25th December 2012 05:49 GMT Anonymous Coward
    
    Re: and they want to do business with the rest of the world?!
    
    And you know that how?
    
    If a visiting businessman can't get his porn, it is affecting business.
    
    I'm done with you,
    
    0 2
  5. Saturday 29th December 2012 10:25 GMT Anonymous Coward
    
    Re: and they want to do business with the rest of the world?!
    
    Europe GDP 14 TRILLION DOLLARS, U. S 14 TRILLION DOLLARS, AND CHINA 5 TRILLION DOLLARS. We need them do we? Hahahaha. Don't think so buddy. Try the other way around.
    
    By the way I live in China as an expat and the vpn embargo will probably see me leave sooner. I'm sick of the ignorance of the ruling elite here. They need to go back to common sense school. They are afraid, very afraid, and rightly so. Decisions like this will see their demise hastened and yet they feel they have so much power they could avoid it with draconian measures. History tells different stories. For instance, that new Chinese carrier, dead carrier floating if you ask me. It would be at the bottom of the sea before the western generals or Japanese generals could mutter "war".
    
    0 0
2. Friday 21st December 2012 17:01 GMT Electric Panda
  
  Re: and they want to do business with the rest of the world?!
  
  They really should look at a two-tiered system. Official businesses should be allowed heavily monitored access for large sums, end-users none at all.
  
  If China want to exercise serious censorship while allowing business operations to run unfettered, this is something they should look at.
  
  0 1
3. Saturday 22nd December 2012 12:57 GMT Volker Hett
  
  Re: and they want to do business with the rest of the world?!
  
  This does not effect businesses, you'll get your VPN from your premises.
  
  0 2
  1. Saturday 22nd December 2012 12:59 GMT Volker Hett
    
    Re: and they want to do business with the rest of the world?!
    
    s/effect/affect
    
    just learned the difference :)
    
    0 0
4. Sunday 23rd December 2012 00:41 GMT gollux
  
  Re: and they want to do business with the rest of the world?!
  
  It works in their interest to transparently proxy your VPN communications for a reason. You only thing you have free access through. They have your lunch.
  
  0 0
Friday 21st December 2012 13:52 GMT Anonymous Coward

I can confirm this.

Freegate does not seem to be able to pass through the GFWOC (which, in my opinion, is not so great at all!)

Oh, now it works!

Eh... now it doesn't...

Now I can Facebook...

And now I can't! AAAAGGGHHH!!!

There seem to be Angels fighting Demons as we speak!

0 0
Friday 21st December 2012 14:19 GMT Christian Berger

One should note...

The technology they are using down there is not home grown. It was sold to them by western countries. Often even specifically for those purposes.

Large scale DPI is not a dual-use technology. You don't need to look at multiple saturated 10gig links to monitor your network, you only need that to monitor your people.

5 0
Friday 21st December 2012 14:21 GMT K

Aside from the Scale

There is absolutely nothing impressive about this!

All "Next Generation" firewalls have the ability to analyse packets... but all they will achieve by this is people moving from PPTP and IPSec based firewalls to SSL VPNs using port 443.

2 0
1. Friday 21st December 2012 16:06 GMT Anonymous Coward
  
  Re: Aside from the Scale
  
  Actually, we use SSL vpn (openvpn based). Since a couple of months, depending on the region in China, users there can't connect anymore. FW on our side doesn't even see a connection attempt. There are workarounds of course.
  
  3 0
Friday 21st December 2012 14:40 GMT Anonymous Coward

Why block facebook?

it shows how the capitalist failed to monetise properly and what shite they think is worth billions.

A good way to promote communism if you ask me

5 1
1. Friday 21st December 2012 15:41 GMT geejayoh
  
  Re: Why block facebook?
  
  Because they have a clone site for every single western "innovation"
  
  ren ren wang = facebook
  
  sina weibo = twitter
  
  lashousifang = foursquare
  
  tuangou = groupon (admittedly probably copied from China)
  
  amongst others. They block it for two reasons:
  
  - Free sharing of information with westerners
  
  - All that advertising revenue would go to an american company, not to the state (which has fingers in most of the pies).
  
  Once the Chinese ones are big enough, that they know they won't lose market share....
  
  This is why I keep saying it's a fallacy for people to refer to China as a market. For Chinese companies it's a market. But a market by different rules. A market of face, relationships and how many cartons of cigarettes you can buy the politicians with.
  
  Interestingly, I can confirm anecdotally that China Unicom have started cutting VPNs as soon as they're detected. I quite enjoyed having Facebook access on my smart phone over mobile (China Unicom are the only provider that supports proper 3G and HSPA), but recently, I've been unable to connect, even using "stealth" IPs from my VPN provider. Here in Guangzhou (canton) at least.
  
  11 0
  1. Saturday 22nd December 2012 11:52 GMT Chris 3
    
    Re: Why block facebook?
    
    Get this man to write an article.
    
    0 0
Friday 21st December 2012 15:48 GMT Anonymous Coward

Not exactly business-friendly, is it?

Does Beijing expect multinational business people to use an unsecured network connection when trying to get back onto their corporate networks? That's not going to work.

6 0
1. Friday 21st December 2012 16:00 GMT BigFire
  
  Re: Not exactly business-friendly, is it?
  
  Rule #1 for dictators in running a country: Preserve Your Own Poser by any means necessary.
  
  There really isn't any other rules. So if it mess up people's ability to actually do business, so be it.
  
  3 0
2. Friday 21st December 2012 20:17 GMT h3
  
  Re: Not exactly business-friendly, is it?
  
  Probably they would expect anyone important to meet in Hong Kong. (Which is still completely unrestricted.)
  
  0 0
  1. Saturday 22nd December 2012 18:08 GMT Anonymous Coward
    
    Re: Not exactly business-friendly, is it?
    
    Unfortunately, the PRC likes to position Shanghai as a major global business hub, and probably Guangzhou, Beijing and other areas. Since China has a pretty poor reputation for protection of IP, I would think that the international business community would be incredibly hesitant to send network traffic "in the clear". They wouldn't do that in any Western nation, much less one with China's rep.
    
    1 0
3. Saturday 22nd December 2012 09:26 GMT dssf
  
  Re: Not exactly business-friendly, is it?
  
  Imagine pre-quarterly reports by big companies having to go out by briefcase.
  
  A response market, however, might involve the use of optical signaling. Microwave would require a local or national permit. Light signaling might not affect anyone, but the distance, and attempts to reach a satellite would be prohibitive. Even if feasible to transceive, the payload would probably be astonishingly low.
  
  During the summer, I was in Shanghai, and I could not without a VPN reach fb. I was, however, able to set up a google plus account, but it was spottty, laggy, and seemed as if someone was screwing around with it, delaying my posts for hours if not days.
  
  Countries expecting to be considered Tier One should not be allowed in the club if they behave this way.
  
  I was recently considering sublicensing to Chinese nationals for manufacture some product ideas i had. After experiencing inability to see word press, facebook, wikipedia, and a slew of other sites I could outside of China, i decided to remove China from my list of business planning. So long as they act this way, I will NOT return to that country even if it is an all-expenses-paid trip.
  
  They can spy on and inhibit their OWN people all they want, but, block me from getting useful info or distractive entertainment that is on the wrong side of they firewall.... Well, you do NOT deserve my money.
  
  Grow up, China. End the corruption. Either jail or execute the most corrupt. Replace them with the "untested", but show them the execution or early-retirement vids. Allow foreigners WHO AGREE TO BE ON THEIR BEST BEHAIVOR to go about surfing as usual. Spy on them if you must. But, only go after individual violators,.
  
  One coup for China is that businesses that cannot dare sent financial or competitive or HR or privacy info vial plain traffic will simply pack up and leave, leaving China with a little more than infrastructure-- it will get nearly full ownership of left-behind assets. Carrier pigeons cannot carry cases of papers nor relay optical traffic, and optical messaging just won't carry the bandwidth. The WTO and WIPO should slam China for these and a handful of reasons alone. It is oppressive, anti-competitive, and tantamount to government-sanctioned data theft beyone crime reduction.
  
  Sigh. Maybe the world SHOULD have ended...
  
  0 0
4. Tuesday 25th December 2012 05:50 GMT Anonymous Coward
  
  Re: Not exactly business-friendly, is it?
  
  In typical fascist fashion, business users will have to register with the government.
  
  Or they'll motivate (by randomly dropping packets destined to TCP/22 and 1194, etc) people to use Governemnt-approved VPN providers who can intercept their traffic.
  
  The scum.
  
  0 0
  1. Thursday 27th December 2012 09:22 GMT MacGyver
    
    Re: Not exactly business-friendly, is it?
    
    Yep, They'll connect securely to Big Brother, and then Big Brother will secure them to their approved business destination. All the while allowing Big Brother to monitor the in-between. It sure is a good thing that all those Chinese have their government there to protect them from themselves, not like the rest of the world where adults have to make their own choices (well some of the rest of the world).
    
    1 0
Friday 21st December 2012 16:44 GMT Kevin McMurtrie

Only spam works at China Unicom

There hasn't been even a slight glitch in postscan, spam, and intrusion attempts coming from China Unicom to my firewall. The official contact "abuse@cnc-noc.net" still doesn't work. Its a surprise that outgoing packet rejection still needs to be done on China's side.

0 0
Friday 21st December 2012 17:29 GMT Anonymous Coward

HTTPS anyone ?

It's possible to tunnel anything over pretty much anything. HTTPS used for a secure website isn't going to look much different from HTTPS used to tunnel some other VPN protocol. I don't think they are going to switch off HTTPS somehow.

I used HTTPTUNNEL for this job once a long time ago, when an employer I won't name blocked SSH, but having 2 TCP layers fight each other isn't a smooth experience. Pretty jerky and a bit slow, but it worked well enough.

0 1
Saturday 22nd December 2012 00:36 GMT Anonymous Coward

This is already impacting our fledgling Chinese branch office in Shenzhen.

All calls are made over a Cisco CUCM system, connected via a VPN. We can't make internal calls anymore, and their phones can't report back to the main base unit, so they're offline. The staff there are stuck using their personal mobile phones.

Also, the branch email system runs over the VPN too. Staff in China currently can't use that either.

I'm not in a mood to create technical workarounds. I've told the Directors that it is impossible to fix, and they should rethink the idea of having a Chinese branch office. They are now considering other options, such as establishing an office in Hong Kong and working with partners in the mainland from there. They've spent a pretty big sum on the Shenzhen office, and getting local partners, but the current situation is pretty much untenable. The VPN is up and down like a yo-yo.

5 0
1. Saturday 22nd December 2012 02:21 GMT Ammaross Danan
  
  try this
  
  My corp firewall does SSLVPN. Should try using it sometime. Might just fix your problem. Unless you deployed a substandard device....
  
  0 0
  1. Saturday 22nd December 2012 05:31 GMT Anonymous Coward
    
    Re: try this
    
    It's not just PPTP and L2TP VPNs experiencing these issues. We use IPSec via a mix of Cisco devices and strongSwan, and are having issues.
    
    In fact, the problems are even more widespread than that. I'm having trouble SSH-ing into our Internet-facing Linux server in China right now. The connection just keeps dropping out and we're getting errors with key-based authentication regularly.
    
    It's like the Government there basically decided that anything other than plaintext is banned.
    
    2 0
    1. Saturday 22nd December 2012 20:13 GMT Charles 9
      
      Re: try this
      
      Surprised they haven't forbidden all encryption already and used DPI to make sure other formats/protocols aren't being used for stegonography.
      
      0 0
    2. Tuesday 25th December 2012 05:50 GMT Anonymous Coward
      
      Re: try this
      
      Yessir, that's what I just said above, that's what's already happening.
      
      By 2020 the EU fascists will have the same rules and "best practices".
      
      0 0
2. Saturday 22nd December 2012 13:07 GMT Volker Hett
  
  Up to yesterday a VPN to a facility in Shanghai did work, have to check on monday.
  
  0 0
3. Monday 24th December 2012 18:27 GMT RICHTO
  
  Switch to Lync - no VPN is required for secure internet access (plus a much better end user experience)
  
  0 2
Saturday 22nd December 2012 03:29 GMT Long Fei

Yah

I'm with Astrill, and they keep sending me update notices on this.

*Currently* OpenWeb works still, for websites, but Astrill's OpenVPN fails nine times out of ten. Ah well, I generally only use my VPN for surfing the net to get to blocked sites, but if that goes under it will be a *major* pain.

0 0
Sunday 23rd December 2012 10:29 GMT Robert E A Harvey

Company security

That's an end to company email whilst in China, then. More opportunity to break $MEGACORP rules by using gmail.

0 0
Monday 24th December 2012 05:07 GMT Cheshire Cat

Tunnelling over 443 wont work...

They most likely kill tcp/443 connections after a few seconds, on the grounds that anything generating a large amount of data on that port is most likely a VPN. SImilarly, all other SSL service ports can also be limited. Known VPN ports blocked, other ports checked for VPN protocols in the initial packets on connection. As long as you have the resources available to you that the PRC do then this would be feasible...

Actually, I had wondered how long it would take for them to start blocking VPNs.

1 0
1. Saturday 29th December 2012 02:43 GMT Jamie Jones
  
  Re: Tunnelling over 443 wont work...
  
  Feel free to call me an idiot..... But why won't this work?
  
  Firstly, VPN to a non-standard port on your own non-China-based server. Use some standard vpn encryption algorithm, but enclose it in something simple - like an XOR using a pre-agreed value on each byte.
  
  Lots of simple wrappers could be used, e.g. XOR 8 minus 15 etc,
  
  Wouldn't this be enough to stop the DPI recognising a known vpn protocol? Would it have to get to the stage where the only way to stop vpn is simply to block all traffic the DPI doesn't recognise?
  
  0 0
  1. Saturday 29th December 2012 12:40 GMT Charles 9
    
    Re: Tunnelling over 443 wont work...
    
    Like I said, I'm surprised it hasn't reached that point already. Even stego has limitations against a determined adversary with enough DPI tools to recognize potential carrier streams. They could alter those streams while still presenting acceptable non-secret data: random loss of bits of data, resizing, quality reduction, etc. With these techniques, you could reduce the potential stego flow to impractical levels.
    
    0 0
Monday 24th December 2012 11:07 GMT Flashy Red

Steganography

Don't know how, bound to be slow, but gotta be possible.

0 1
1. Tuesday 25th December 2012 07:20 GMT silent_count
  
  Re: Steganography
  
  You want something which is hard for them to filter easily (ie. using software) but painful to block outright.
  
  So send videos back and forth by email. A few hundred megs a pop, who cares what they are: corporate promo material, safety or training videos, staff doing touristy things, whatever. Replace the video data, for a few seconds in each video file with the encrypted file(s) you actually want to send.
  
  The idea being that to selectively filter videos, they'd have to employ real people to watch them which, even in China, is more expensive than software filtering. And outright blocking any video sent to/from China would hurt their tourism industry.
  
  Not as convenient as, for example HTTPS which is all but invisible to the end user, but I imagine it'd work.
  
  0 1
  1. Friday 28th December 2012 00:50 GMT Charles 9
    
    Re: Steganography
    
    If I were China and I had a good enough nest of computers, I'd intercept graphic and video transmissions and mangle them just a bit: resize them some, alter their brightnesses and so on, IOW find a way to mangle stegonography in various ways while still presenting pictures and videos of acceptable quality. If they're not robust, this mangling will ruin the stego, making it useless. If they're robust, they're more likely to be detected through some signal analysis.
    
    1 0
Tuesday 25th December 2012 00:27 GMT Anonymous Coward

Dictatorships in information control shocker

If you want to do business with corrupt regimes, like China, Israel and the US, then you get all you do deserve

0 2
1. Tuesday 25th December 2012 05:50 GMT Anonymous Coward
  
  Re: Dictatorships in information control shocker
  
  Which regime is not corrupt?
  
  And where is the EU on that list?
  
  0 0
This post has been deleted by its author
Thursday 27th December 2012 17:40 GMT Nifty

The pressure vessel will explode

Many repressive systems continue for a long time ONLY because a pressure relief valve does exist for those that really value it.

If China really closed down all VPNs this is going to head into a really interesting phase.

0 0
Thursday 27th December 2012 22:56 GMT dssf

Hmmm... I wonder what enterprising hack groups

Will expose the non-indigenous companies selling the code and switches to China are these days. Hurt their investor relatioons a bit, and they might cut off or reduce support of such a regime. But, we know that that has not crimped Cisco enough.

But, imagine the government in cahoots with spammers.... Yikes!

0 0