Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ultrasurf Easily Blocked, But So What?

kdawson posted more than 4 years ago | from the counter-counter-workarounds dept.

Censorship 74

Frequent Slashdot contributor Bennett Haselton writes "A simple experiment shows that it's easy to find the IP addresses used by the UltraSurf anti-censorship program, and block traffic to all of those IP addresses, effectively stopping UltraSurf from working. But this is not a fault of UltraSurf; rather, it demonstrates that an anti-censorship software program can be successful even if it's relatively trivial to block it." Read on for Bennett's analysis.
UltraSurf is an enormously popular program used to circumvent Internet censorship in countries like China (as well as schools and workplaces in mostly-free countries like the US, with mixed success). When you run UltraSurf on your computer, it re-routes your outgoing Internet traffic to external IP addresses controlled by UltraSurf, so that it looks to observers (and network censors) as if you are connecting to UltraSurf's IP addresses, rather than a website like YouTube or Facebook that may be banned on your network.

UltraSurf uses a list of thousands of external IP addresses, to make it non-trivial for an adversary to locate all of their IP addresses and block them all. However, using a few steps that would be obvious to many programmers facing the same problem, I did find a way to detect all the IP addresses that UltraSurf connects to, and block all of them so that UltraSurf stopped working. It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.

Some background information first. Most Internet censorship circumvention tools fall into one of two categories (whose names I have just invented for the purpose of this article):
(1) Self-bootstrapping. If a program is self-bootstrapping, then in a censored country you simply run a copy of the program and it will establish a connection to an IP address outside the country, one of many in a large "cloud" of IP addresses controlled by the software program's publisher. Thereafter, your Internet usage is routed through that connection in order to evade your country's filter. UltraSurf and Tor fall into this category.
(2) Non-self-bootstrapping. To use one of these programs from a censored country, first you have to get a friend in a non-censored country to install the software on their computer (or their webserver, if they have one). Then they give this location (normally in the form of a URL) to their friend in the censored country, and their friend types that URL into their browser to circumvent their country's filtering. Psiphon is the best-known program in this group.

In 2006 I wrote that even though the first category of programs was more convenient to use (not requiring you to rely on a friend in an uncensored country), any program in that category could be blocked by an adversary willing to make only a modest amount of effort: Install the program, see what IP addresses it connects to, block those, see if the program connects to any other backup IP addresses, block those, and so on, until the program runs out of IP addresses to use. There are a few simple countermeasures that designers of a program could take, but they can also be defeated easily.

(For example, if the program randomly chooses an IP address from a large internally stored list, then you just have to run the program over and over until you've found most of the IP address chosen by its random algorithm. A cleverly written program could try to evade this as follows: Pick a set of IP addresses at random from the list, and then "lock in" to that set of IP addresses, so that future runs of the program on that PC will always connect to those IP addresses, ignoring the other ones in the list. This makes it a little bit harder for the censor to pry out all of the IP addresses in the program's internal list. But then you, as the censor, can either (a) run the program repeatedly, but find where the program stores its "locked set" and erase that between each run, so that on future runs the program will keep selecting a different IP address set, or (b) if you can't figure out where the program is storing its "locked set" between each run, then just install the program repeatedly on different machines.)

One way or another, if the program knows what IP addresses to connect to when it bootstraps itself, the attacker can trick the program into revealing all of them. The attacker doesn't even need to reverse-engineer the software to see the set of instructions that it's executing internally; they only need to be able to see the IP addresses that the program is connecting to.

Much later, I was able to reduce this to practice in an experiment on my own machine, using a Perl script, the built-in Windows "netstat" tool to list connections from locally running programs to outside IP addresses, and the "ipseccmd" tool to add new firewall rules blocking those IP addresses. After the script was left running overnight, it had collected and blocked all the IP addresses that UltraSurf apparently used, and on future runs, UltraSurf would display an error message saying that it couldn't find any IPs to connect to.

(Interestingly, netstat also showed that UltraSurf frequently opened connections to www.google.com over SSL -- that is, accessing URLs that would begin with "https://www.google.com/" -- so that traffic between the program and the Google website would be encrypted, and the contents would be invisible to censors in China. When I saw it was doing that, I added an exception to the script so that the Google IP addresses would not be blocked. Perhaps it was submitting search terms to Google in order to find pages that give the location of the latest UltraSurf connection points, or perhaps it was checking a GMail account created by UltraReach that stores messages containing more IP addresses; I didn't reverse-engineer UltraSurf to find out. But even if this was UltraSurf's clever means of obtaining new IP addresses, the system still runs up against the same problem: Any IPs that can be connected to by the UltraSurf client, can also be ascertained by the attacker who watches UltraSurf to see where it connects to, and then blocks those IPs as well.)

Naturally I had mixed feelings about pointing this out publicly, since I agree with UltraReach's goal of providing unfiltered access to users in China and other censored countries. But this idea is sufficiently obvious, that I don't think anything is lost by demonstrating it. There may be programmers interested in creating even more programs to help users in censored countries, and it would be counterproductive for those programmers to believe that existing programs like UltraSurf "magically" evade the censors by using some complex algorithm to hide the IP addresses that they connect to. In fact, the program doesn't conceal the IP addresses that it connects to (how could it?), and it would be straightforward to design and build a new program that did roughly the same thing. We should give UltraReach credit for the right things: they made a tool that provides unfiltered access to millions of people, they made the tool small and easy to use, and they arranged with their partners to subsidize the unfiltered Internet connections at no expense to those end users (although see some caveats, which have been pointed out the Hal Roberts at the Berkman Center, about the price of this "free" access). But the one thing UltraReach did not do is find a way to get around the problem of an attacker installing the problem to see what IP addresses it connects to. That's not a criticism of UltraReach; this is presumably an impossible problem to solve.

(Side note about counter- and counter-counter-measures: If UltraReach does think that censoring countries might try harder to block UltraSurf at some point in the future, they should start releasing different versions of the product every month that use different sets of IP addresses. Release one version for September 2009 that uses one set of IP addresses, then another version in October 2009 that uses another set, and so on. Then if the censors decide in December 2009 to start seriously trying to block all UltraSurf IP addresses, they'll be able to find and block all the IP addresses used by the Dec09 version, just by installing a copy of the program and observing it. But, users who downloaded previous months' versions of the program will be able to continue using their copies. If the Chinese censors wanted to find and block the IP addresses used by preivous months' copies of UltraSurf, they would have to either (a) figure out how to distinguish UltraSurf traffic from other Internet traffic, not an easy thing since UltraSurf uses encrypted traffic on port 443, the same port used for encrypted Web traffic, or (b) obtain copies of the program that users had downloaded in previous months, which is no longer as trivial as simply observing the current version of the program. The more often UltraReach swaps out a new version of UltraSurf that connects to a new set of IP addresses, the harder it will be for the Chinese censors to find all the sets of IPs used by previously released versions. However, once the Chinese censors start trying seriously to block UltraSurf, even though the trick just described will allow previous downloaders of the program to continue surfing freely, all new users who download the program after that point, can be easily blocked -- because the Chinese censors can just watch how often a new version of UltraSurf is made available for download, and block the IPs used by that copy.)

But I think the fact that the Chinese have not done this reveals something usually overlooked about the nature of the anti-censorship arms race. The situation is frequently cast as a battle between the evil geniuses who run the government filters and the good geniuses who write the software to get around the filters, while the grateful citizens of the censored country are the beneficiaries. But if the government censors haven't even done some simple experiments like this in order to block UltraSurf, they must not think it's a high priority to stop the program from working. This in turn suggests that the number of people using UltraSurf in a country like China, while large in absolute numbers, don't constitute a large enough proportion of the population to worry the government. Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party.

It's not that the Chinese censors don't care about controlling the Internet and the effect that it has on their citizens' thinking. The Chinese have reported fielded a droid army of about 50,000 cubicle drones to help fight Internet propaganda battles, such as drowning out anti-government posts on public forums. Why would they spend such enormous efforts to generate forum posts, but not make the effort to find and block all UltraSurf IP addresses? Because the battlefront is about defaults. If the user tries to access a site and it's blocked, then only a tiny proportion will make a significant effort to circumvent the block. (The exception would be when an extremely popular site like YouTube is blocked; operators of Web proxy sites report that during these periods, they get so much traffic from Chinese users trying to view YouTube videos, that the servers often crash.) Similarly, if users see that 90% of the posts on a given forum are on one side of the issue, then they're more likely to think that's the majority viewpoint (whether they agree with it or not). Hence the usefulness of the army of 50,000 to invade forum threads. Defaults matter; would Internet Explorer have ever displaced Netscape's browser (kids, ask your parents) if it hadn't been the default browser in all versions of Windows?

So the moral for any would-be designers of new anti-Internet-censorship tools, is not to worry too much about whether there's a theoretical way (or even a practical way) that the censors could shut the tool down. UltraSurf became enormously popular without solving that problem, and perhaps another tool could as well.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered


Blahblahblah (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29873423)

It can also automatically sign you up for a government trojan horse upgrade or a special observation list. If you have nothing to hide, why use it? Anything that does not look like random noise or latest pop mp3s via p2p, will land you on said lists in countries with no human rights, so why bother?

Re:Blahblahblah (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29873553)

Wow AC, you're usually an idiot, but now you're a fucking communist sympathizer asshole idiot as well. Tell you what: why don't you go and emigrate to China, become a citizen, and live under their oppressive rule for a while and see how you like it? Maybe then you'll understand what it means to be devalued as a human being, to be treated like cattle (or worse), and how good you've got it here in the West, ok? Fucking moron..

Re:Blahblahblah (2, Interesting)

eleuthero (812560) | more than 4 years ago | (#29874219)

While the above has been modded flamebait, the poster does have somewhat of a point. If one is part of the crowd of "normal" internet users simply looking at "acceptable" news for the filter-happy country of choice, and if the user is participating in nominally "criminal" activities like downloading bootlegs, the country is not likely to care nor will it matter if the individual user has a means to block detection. The government might well start to care if everything from John Doe's IP address suddenly becomes unreadable nonsense. When this happens, the individual could be added to an extra watchlist regardless. Hiding in the crowd often works best. In fact, it would not surprise me in the least if the Chinese government (or others) have a set level of "appropriate" seditious activity (a la 1984 - some seditious activity is expected and consistent with normal individuals but when it becomes more than ordinary, it gets flagged for attention).

Re:Blahblahblah (1)

HungryHobo (1314109) | more than 4 years ago | (#29878623)

if the program randomly chooses an IP address from a large internally stored list, then you just have to run the program over and over until you've found most of the IP address chosen by its random algorithm.

Fun until I as the app programmer include the 1000 highest traffic IP's like googles servers, Microsoft servers, and pretty much any random server I imagine people would want to access in glorious republic and set my app to keep trying until it gets a valid connection.
They try to blacklist every server my app tries to connect to and ... hey... where's the internet gone!

FROST PISS (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29873425)

marco de luca rules the world

bruno o ciccon v'accir

How do you solve the problem... (2, Insightful)

zonker (1158) | more than 4 years ago | (#29873519)

How do you solve the problem where the jackbooted thugs come to your door because they now know you are using this software? Seems the only real advantage Chinese citizens have over the censors is the ratio of censors to users is very low.

Re:How do you solve the problem... (4, Funny)

Zerth (26112) | more than 4 years ago | (#29873835)

Easy, live next door.

When the jackbooted thugs drag off the elderly lady in the house with the oddly configured wifi, you know to leave town before she tells them who "helpfully" set it up for her.

Re:How do you solve the problem... (1)

Philip K Dickhead (906971) | more than 4 years ago | (#29874333)

Er ... I assure you Mrs Buttle, the Ministry is always very scrupulous about following up and eradicating error. If you have any complaints which you'd like to make, I'd be more than happy to send you the appropriate forms. Look, I'm very sorry, but I'm afraid I don't know anything about it... I'm really just delivering the cheque. If you wouldn't mind signing these receipts, I'll go and leave you in peace.

Re:How do you solve the problem... (1)

TheCarp (96830) | more than 4 years ago | (#29875423)

Could you please sign here to acknowledge this receipt, and here, for my receipt for your receipt.

Thank you!

Do you really want to know? (4, Insightful)

MikeRT (947531) | more than 4 years ago | (#29873973)

And how we burned in the camps later, thinking: What would things have been like if every Security operative, when he went out at night to make an arrest, had been uncertain whether he would return alive and had to say goodbye to his family? Or if, during periods of mass arrests, as for example in Leningrad, when they arrested a quarter of the entire city, people had not simply sat there in their lairs, paling in terror at every bang of the downstairs door and at every step on the staircase, but had understood they had nothing left to lose and had boldly set up in the downstairs hall an ambush of half a dozen people with axes, hammers, pokers, or whatever else was at hand. The Organs would very quickly have suffered a shortage of officers and transport and, notwithstanding all of Stalin’s thirst; the cursed machine would have ground to a halt!

–Alexander Solzhenitsyn

Re:Do you really want to know? (0)

Anonymous Coward | more than 4 years ago | (#29875929)

Then they would have used heavy artillery and there would be a lot of dead people. End of story.

Re:Do you really want to know? (1)

Buelldozer (713671) | more than 4 years ago | (#29876331)

So go quietly into that good night, dragged away by jackbooted thugs, or fight and end with a BANG.

I know which I would choose.

Re:Do you really want to know? (3, Insightful)

Mister Whirly (964219) | more than 4 years ago | (#29877001)

No, you know in theory which one you think you would choose, but until it actually happened, all you can do is guess about what you would do. In life or death situations, your rationale may change.

Changing your rationale as a sub-optimal strategy. (1)

Behrooz (302401) | more than 4 years ago | (#29879679)

No, you know in theory which one you think you would choose, but until it actually happened, all you can do is guess about what you would do. In life or death situations, your rationale may change.

That's the point of coming to a decision beforehand under conditions where your judgement is not impaired, and then sticking to it. Game theory provides a rational framework for evaluating the interactions of two parties, and under many circumstances an advantage can be gained by pre-committing to a non-optimal course of action as your chosen response to a given set of circumstances... because the knowledge that your decision has already been made influences the decision of your counterpart.

As an individual in a life or death situation, attacking jackbooted thugs who are coming to arrest you a'la Solzhenitzyn is not a good idea-- under most circumstances, cooperating would give a better chance of survival, so the rational choice is to not resist violently.

However, this entire equation changes if you have made it known that you have strongly pre-committed yourself to a course of action regardless of the outcome. In this case, your opponent can no longer assume that you will follow the rational course of non-violence, and the decision to send out the jackbooted thugs becomes more expensive given the likelihood of resistance at all costs... and it becomes much more likely that you will never find yourself in that situation.

That's why I make no secret that I have set limits beyond which the utter destruction of those attacking me would become my only goal. May God have mercy upon anything that triggers that, for they will receive no mercy from me.

Re:Do you really want to know? (0)

Anonymous Coward | more than 4 years ago | (#29879383)


Re:Do you really want to know? (1)

couchslug (175151) | more than 4 years ago | (#29881957)

That's why the US has a Second Amendment, and why embedding the capability for armed violence has been well worth the cost. There can be no real personal security without the autonomous power to kill an attacker (even in Iraq, the Coalition allow one Kalashnikov per householder), and dispersion of weapons means that the people can always post a threat to government if they are willing to sacrifice.

Sure, going heads up against an army is difficult, but the Viet Cong and Taliban prove that if you have the balls for it and are willing to die that can take you a long way (and co-opt a good bit of the opposing armed force while you are at it).

The point of censorship is not to stop the geeks. (5, Insightful)

Kenja (541830) | more than 4 years ago | (#29873529)

Stopping the geeks with the ability to use a proxy was never the point. I cant get my grandparents to hold the mouse the right way around, no way would they be able to understand something like Ultrasurf. If it works on 90% of the people, it's working very well.

Re:The point of censorship is not to stop the geek (0)

Anonymous Coward | more than 4 years ago | (#29873861)

90% of the time, it works every time.

More than that (0)

Anonymous Coward | more than 4 years ago | (#29874967)

Every cruel dictator faces the same problem: He leads a country full of good men who want to do good things. It is slightly more difficult to oppose him than it is to follow orders but most of the people don't want to be cruel and do bad things to give someone else more power. There are always power hungry sociopaths that enjoy the chance to be violent but those people are a tiny minority and a small enough minority can never oppress a large one for long periods of time. So, good people need to make bad things or at least be able to watch them happen and not do anything to stop them.

Propaganda comes to play here. Perhaps the oppressed groups are lesser humans who shouldn't be given the same rights as you have. Perhaps there is a religion saying that the other group is evil and needs to be stopped. The excuse doesn't really matter, there just needs to be one. Then good people can convince themselves "Perhaps this isn't bad and just needs to happen...". And they will do everything they can to make themselves believe that claim because that helps them sleep at night and go on with their daily lives. The government can say "Those demonstrators we killed were violent anarchists" and they don't need to provide evidence, quite the opposite. People who read that from the news *want* to believe that the government tells the truth because otherwise their conscience would be too painful.

Then there comes the free press. Just like there are people who enjoy violence, there are people who just can't close their eyes. Those people will do the best they can to spread the information about what is happening. They will do their best to force the large, good population to see what is happening. To prevent them from looking away.

Censorship comes to play here. It isn't to prevent the people from seeking out information. It is to prevent people from being forced to see what is happening. To let them read the newspapers and live a normal life without seeing the truth.

Re:The point of censorship is not to stop the geek (0)

Anonymous Coward | more than 4 years ago | (#29885091)

Well, that is the procedure of censorship, but not the purpose of it. The end goal, as always, is to facilitate the expansion of government in terms of both power and revenue.

small issue (4, Insightful)

Anonymous Coward | more than 4 years ago | (#29873689)

The author does not seem to account for onion routing - which is what TOR essentially is.

There is no way to lookup all of the nodes in a TOR network using the methods described - since they are using tunnels to reach secondary (and further) nodes, this only accounts for the first node you lookup.
You can block the server that provides the first node, yes.
The one you know about. How many are there that you don't know about ?
How about the one that's not behind your great firewall, but in some kinds bedroom ?

Looks to me like you would most likely block stuff thats on your network anyway.

Re:small issue (3, Insightful)

Golddess (1361003) | more than 4 years ago | (#29874239)

What does it matter if they cannot block nodes 2-n, if all they need to do is block the first node that the program connects to? Once you block all nodes which could be first nodes, all subsequent nodes are useless to users behind the blocking.

Re:small issue (2, Insightful)

TubeSteak (669689) | more than 4 years ago | (#29874327)

There is no way to lookup all of the nodes in a TOR network using the methods described - since they are using tunnels to reach secondary (and further) nodes, this only accounts for the first node you lookup.

You don't need to.
The bad actor just sets up fast Tor nodes (or nodes that look fast) and traffic will come flooding in.

Never forget that we're talking about State actors here.
They have the resources to do things at a scale we'd normally write off as unlikely or implausible.

Re:small issue (1)

bsdaemonaut (1482047) | more than 4 years ago | (#29875255)

Actually TOR is pretty easy to block. There are a pretty finite amount of servers that are available as an entry node. TOR caches all of these servers in flat text file and it is much more then just the one you are using. All you have to do is write a simple script to pull out those IP addresses and insert then into your blacklist. You have to disconnect and reconnect a couple of times to get all of them (it took my maybe three times), but the process is relatively quick and can be pretty easily automated. The kids don't even bother trying to use TOR here anymore.

Re:small issue (3, Informative)

TheCarp (96830) | more than 4 years ago | (#29875529)

There is only one flaw here: Bridge servers.

Bridge servers are ORs that are not in the main directory lists. They are setup to be useful first contact nodes, and often run on port 443 or some other well used port. Since they use SSL, they make it very hard to distinguish them from every day web connections.

You have to manually find bridge nodes. They can be passed around manually, or you can go to websites that list them, though, they take steps to make it hard to get more than a few at a time.

Since anyone can setup a bridge node, its very easy for the network to continue despite blocks.

Re:small issue (1)

bsdaemonaut (1482047) | more than 4 years ago | (#29876415)

You are saying that these nodes aren't publicly accessible and must be entered manually to use? That's the only way I could see it being helpful.

In this line of work you find there is never a 100% solution on either side. Typically if you make something a big enough pain in the butt to use, end users will start looking elsewhere. The method above effectively blocks TOR for the vast majority of users. Sure, there will always be more servers, the job is never completely done, but the same goes for any other proxy-type solution.

Re:small issue (1)

TheCarp (96830) | more than 4 years ago | (#29876811)

Yes and no. That is... the full list isn't public. Anyone can put one up and choose to manually publish it somewhere or not. There are publicly available lists. However, those lists are simply the lists of bridges that someone chose to publish. Many of them are restricted such that you can only download a small portion of the list at a time, and with IP restrictions to make it more difficult to get the whole list.

Its entirely possible that many ORs exist that are not published anywhere, or are published only to a select group of people.

Re:small issue (1)

bsdaemonaut (1482047) | more than 4 years ago | (#29882285)

"Many of them are restricted such that you can only download a small portion of the list at a time, and with IP restrictions to make it more difficult to get the whole list."

Whether I block all entry nodes or just the portions my IP address is given seems irrelevant. I'm aware that I don't get all entry nodes at once, that's why in the past I kept reconnecting until I didn't receive any new nodes. If I never get the entire list, because the servers are intelligent enough not to disclose any more entries, it doesn't really matter, my users are using the same IP address. A cron job is run to constantly keep me up to date. New proxies pop up every day, theoretically this sort of thing is pointless I'll admit, but in practice it most definitely is not.

Even if users were able to get ahold of a node that wasn't published, typically the behavior of most users is to overuse that node and possibly even share it. It's discovered soon enough and the cycle goes on.

Re:small issue (0)

Anonymous Coward | more than 4 years ago | (#29877611)

The author addressed Ultrasurf as it is vastly easier to use, thus presumably used more that Tor. For the considerations of the article, however, the two are identical products.
(The attack is on the program's initial connection point. Each time either tries to connect the target IP is blocked. You do not need to know about any of the Tor servers at all, you will learn about all of the ones the Tor client knows by running it as per the article. Blocking those IP addresses blocks access to the rest of the Tor network.)

Hint (0)

Anonymous Coward | more than 4 years ago | (#29873733)

Partion the IP addresses, and then finger print the PC and use these based on the hash value

Why block? Monitor... (5, Insightful)

tlhIngan (30335) | more than 4 years ago | (#29873749)

The obvious solution is to block the IPs to keep it from working. But then another one will pop up and you'll have to block that, lather, rinse, repeat.

No, I'm sure places like China already know about it. Instead of preventing the access, it's probably easier to monitor who's using them when they connect to those addresses. People work around blocks easily enough. But if you let a circumvention tool work, especially one that results in easily tracable activity, why block it? Monitor, find the user, and do some "re-education".

Blocking is an arms race. People will make better blocks and others make better workarounds and it escalates rapidly. But if you keep the current workaround keep working, more people will be using it, making it easy to monitor and track. And evolution won't happen as fast. It'll evolve so the monitoring programs will have to be adjusted, but when it works, the movement to evolve is far lower than if it was blocked and now you have a bunch of people trying to find a way to evade it.

Re:Why block? Monitor... (5, Interesting)

eyv (636790) | more than 4 years ago | (#29874399)

This is shameless self-promotion, but my colleagues and I have a paper at this year's ACM CCS that addresses just this problem. It's called "Membership-concealing overlay networks," and discusses a network with the explicit security goal of hiding the participants. Since we consider IP addresses to be sufficient to break this concealment, this makes the system also difficult to block at the IP layer. You can find the paper here here [google.com] , and I would love to get some feedback.

Re:Why block? Monitor... (0)

Anonymous Coward | more than 4 years ago | (#29875317)

Interesting paper.

Now - what can you do with obsolete protocols? Would the black hats even be looking for something like IPX? I've been wondering about that. Spoof the MAC address, encrypt all IPX addressing (non-trivial in direct relationship to the number of users: 48-bit node addresses + 32-bit network addresses), and use IPX tunneling in something like DOSBox.

Re:Why block? Monitor... (1)

renoX (11677) | more than 4 years ago | (#29882011)

The paper was a bit over my head, I find the subject very interesting..
I was thinking that it would perhaps be possible to use a MMO game as a way to hide communications, using the MMO's servers to bypass the filter.
The company hosting the MMO game wouldn't even necessarily be upset by this if the CPU&bandwith used are payed by the monthly subscription fee .. except of course in the case where the country choose to filter access to the MMO game when it becomes known that you can use the MMO like this.

Re:Why block? Monitor... (1)

clone53421 (1310749) | more than 4 years ago | (#29874825)

It's all encrypted. You could detect it, but not really "monitor" the activity.

Re:Why block? Monitor... (1)

Pentium100 (1240090) | more than 4 years ago | (#29875541)

Launch a MITM attack on the encryption. Sure, if they are using certificates for authentication then the program will warn about insecure connection, but, what are you going to do?

1) Not use the program - the State wins, they just blocked the program
2) Use the program anyway - the State wins, they can monitor your connection.

Re:Why block? Monitor... (1)

tlhIngan (30335) | more than 4 years ago | (#29875825)

It's all encrypted. You could detect it, but not really "monitor" the activity.

No, but knowing both parties (one end is this thing, which you detect, and the other end is someone using it), it's often "good enough".

Think of it as a pen recorder for the destination - you'll know who's using the service and where it's coming from inside the network. Trace that IP back to an address.

This is assuming that all uses for such a service are "illegal" in China (with the thinking of if it was legal, why use it?). Now you can bounce it through proxies inside China, but then those admins would probably get pressure to identify those using their services...

More complete block (5, Funny)

SnarfQuest (469614) | more than 4 years ago | (#29873763)

If you really want to block out all the bad web sites, just install Norton Antivirus. It pretty much bricks the system. It also has the effect of blocking all the good sites too, but you can't have everything.

Re:More complete block (3, Funny)

swanzilla (1458281) | more than 4 years ago | (#29873881)

If you really want to block out all the bad web sites, just install Norton Antivirus.

Antivirus 2009 is far superior. I didn't even know my girlfriend's system was at risk until she installed it.

Re:More complete block (1, Funny)

Anonymous Coward | more than 4 years ago | (#29874039)

All computers are "at risk" ... what the hell are you trying to say anyways?

Did you mean "I didn't know my girlfriend's system was infected until she installed" Norton 2009?

Dear product shill, if you want to advertise on slashdot, please use intelligent statements. Additionally, claiming to have a girlfriend doesn't help your cause, being as most of this demographic does not have a girlfriend ;o

Re:More complete block (1)

swanzilla (1458281) | more than 4 years ago | (#29874529)

Apparently you didn't have anyone recruit you to wipe AV2009 off of their Windows machine...I thought that joke was fairly obvious.

Re:More complete block (0)

Anonymous Coward | more than 4 years ago | (#29874573)

you come back in 40 seconds to hear the whoosh

Re:More complete block (1)

geminidomino (614729) | more than 4 years ago | (#29878921)

Is it bad that I actually took the 10 seconds to calculate that the joke was ~44500 feet over his head? (naively assuming constant speed of sound 9 miles above sea level...)

Re:More complete block (1)

The Archon V2.0 (782634) | more than 4 years ago | (#29875061)

Antivirus 2009 is far superior. I didn't even know my girlfriend's system was at risk until she installed it.

And give them your credit card and it magically all goes away. Along with your credit card. :)

As someone who kills spyware infections for clients on a regular basis, I got the joke (good god, I hope you're joking). But I imagine a few people here won't, so I'll explain. In short: Google it. In slightly longer, Wikipedia it [wikipedia.org] . In even longer: It's not a real antivirus program. It pretends to be, finds an assload of nonexistent problems, then tells you the "full version" fixes them, only $x9.95! Where X is any profitable positive integer.

It's the PC world equivalent a conman putting on a lab coat and opening a doctor's office, then telling every patient they have AIDS, three kinds of cancer, swine flu, diabetes, some more cancer, a prolapsed uterus (often accidentally telling even the men this), and a collapsed lung, and it will only take $200 in pills to fix, only available from him.

Re:More complete block (1)

Xtifr (1323) | more than 4 years ago | (#29874901)

In my experience, not installing Norton Antivirus can be just as bad! In fact, simply installing a system that can actually run Norton Antivirus seems to be a pretty high-risk activity, whether or not you actually do install it. This risk can be somewhat mitigated by using a VM or an emulator or an "...Is Not an Emulator" hosted on a system that can't use NAV--but only somewhat. :)

Of course (to bring this slightly back towards on-topic), if you can get the authorities to believe you installed their (real) censorware (along with NAV, at your option), when it's really just running on a VM or emulator or WINE, that might very slightly increase your chance of safely bypassing their censorship.

Re:More complete block (0)

Anonymous Coward | more than 4 years ago | (#29875041)

Seedy porn sites are like trampy prostitutes... avoid them if you don't want to get infected by something. Between a decent firewall, a safe suite of software (VLC, MPC, Firefox), a good ad-blocker (either by plugin or by proxy), and safe practices (show extensions), you can keep yourself quite well protected, though.

Limewire, of course, is the deep-freeze where the good, the bad, and the ugly are all thrown in together. You have to know what each of them look like, or you're in for a world of pain. Wear gloves, and don't mind the odor. This is why Limewire essentially equals virus in the hands of most users.

I, however, have used both Windows and Limewire for years without incident. (Yes, AV scans have evidenced this fact.) Well, except for that one time, but I knew that skank looked filthy and regretted it immediately. Scrubbed meticulously afterward... regedit + show hidden/system files FTW.

Also, when it comes to actually purchasing an AV product, I'm pretty confident that NOD32 is about as good as they come.

Bad logic (1)

Culture20 (968837) | more than 4 years ago | (#29873767)

It would not be hard for a government censor operating the filter in a country like China to do the same thing. But this does not mean that UltraSurf's network is likely to collapse any day now; on the contrary, it means that it and similar programs are likely to flourish for years to come, since the censors obviously have other priorities.

Other priorities? That's a new assumption, not stated before the final assessment was made. It seems like all the Chinese Gov't needs to do is give one person the task of keeping the Great Firewall up to date for UltraSurf's range of IPs, so to any user in China: "UltraSurf's network is likely to collapse any day now"

China proably doesn't care. (2, Interesting)

Jartan (219704) | more than 4 years ago | (#29873825)

I get the feeling that the Chinese govt's attitude towards censorship has been changing. In a way you could say they are becoming more skilled with it and choosing to be a lot more subtle here and there. This is actually probably a lot more dangerous. Instead of hiding the truth they are using the censorship along with propaganda to make the people accept the truth and support it.

Probably in the future they'll model their whole system on the way the Western world uses the media to alter public perception. Of course they won't be stupid and hand over the reigns to people like Rupert Murdoch. They'll keep that power for themselves.

Re:China proably doesn't care. (4, Insightful)

ObsessiveMathsFreak (773371) | more than 4 years ago | (#29874149)

The reality is that the Chinese government's censorship policy and implementation has been the most successful and comprehensive one ever applied. The Chinese population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country. By adopting a strategy of simply making it a nuisance to access prohibited information, the chinese communist party has achieved what no other government before it ever could; Control over mindshare. Searching for information online, in a seemingly open way, will lead most citizens to pro-government sites and information. it is effectively impossible to be a dissident in such an environment without the equivalent of an undergraduate degree in computer science.

This model has been successful and we are beginning to see being implemented in western world. Organisations like the Internet Watch Foundation, who privately and silently block access to swathes of websites are essentially doppelgängers of Chinese censorship boards, behaving and oeprating in precisely the same way. They make information difficult to find, but in a covert way. Technologies like deep packet inspection, pioneered by western companies for the great firewall, are now being sold to western governments and ISPs. The internet genies is not being put back in the bottle, but instead the cap is being screwed down so that only the odd puff can escape, and this is all that is needed.

The Chinese model works. It works well. It is going to be implemented in the Western world, and indeed the first steps have already been taken. What is needed is a method of mass circumvention so absurdly easy to use and transparent that it is actually easier to use that than it is to silently acquiesce to censorship. Something like a one click install firefox extension which creates a Tor or eDonkey like network hosting censored websites, and that operates completely silently, offering automatic access for people that don't have it.

We need such a system soon, because if the Chinese model goes unchallenged it will become the default model for countries around the world and there will be no more exit nodes, and no more free internet.

Re:China proably doesn't care. (1)

Jartan (219704) | more than 4 years ago | (#29876325)

The Chinese population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country.The Chinese population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country.

That's a bold statement and does not match with what I know of the situation. From everything I've heard the situation is well understood by China's middle class. They just don't seem to care like we do.

Re:China proably doesn't care. (1)

Logic Worshipper (1518487) | more than 4 years ago | (#29881045)

The US population remains both connected to the internet, yet blissfully ignorant of any and all controversial politics in their country.

Stupid User Syndrome. Or is that Stupid Human Syndrome? Or apathy? I don't know, but too many people buy everything they're fed by a certain propaganda station. If we have internet access, yet remain blissfully ignorant, how can we expect the Chinese to do any better?

Re:China proably doesn't care. (0)

Anonymous Coward | more than 4 years ago | (#29881295)

The internet would be much better off if each and every one had at least two ISP connections and some router software.
That would let us route around problems on a different scale.

Fear and self-censorship (4, Insightful)

bzzfzz (1542813) | more than 4 years ago | (#29873855)

Chinese internet filtering is justified publicly by stating that it is done to help Chinese people avoid inadvertent violations of the law, and that is how it is seen by most Chinese. The real purpose of the censorship there is to facilitate prosecution of dissidents by making it impossible to violate laws against anti-government speech and unlawful assembly inadvertently.

YHGMTPO the Great Firewall (0, Redundant)

nsayer (86181) | more than 4 years ago | (#29873899)

The purpose of the Great Firewall is to simply keep people from accidentally surfing to the "wrong" sites. If you are pure in heart, you wouldn't want to go places where Big Brother says you oughtn't to go.

If you're not pure in heart, then you get to go visit room 101. You'll get to go there when you manage to get your hands on the firewall evasion software written by Emmanuel Goldstein (and here I'm specifically referring to the character in the book, not Eric Corley).

Even more dynamic (1)

davidwr (791652) | more than 4 years ago | (#29873913)

Have every copy include a few dozen or hundred random addresses out of the larger pool. Add and "retire" addresses to the pool daily, so it won't be possible to see "retired" addresses by repeatedly downloading the program.

"Retired" doesn't mean no longer in use, just no longer included with new downloads.

Re:Even more dynamic (1)

vlm (69642) | more than 4 years ago | (#29874325)

Have every copy include a few dozen or hundred random addresses out of the larger pool. Add and "retire" addresses to the pool daily, so it won't be possible to see "retired" addresses by repeatedly downloading the program.

Wouldn't it be better to generate the exe file (or zip or rar or whatever) that is downloaded by means of a CGI script that compiles each and every copy with a random selected starter set and randomly selected file name?

Solution? (2, Insightful)

dascandy (869781) | more than 4 years ago | (#29874199)

Make it target-dependant which IP addresses you send to whom. I've thought about this for copy-protection (but haven't told anybody). You can give every downloader his/her own copy of your executable with a fresh MD5. Make the executable contents (the IP address list) IP address dependant. Better yet, get 128 of them and give out a set of 64, based on the IP address and some awkward hash of the IP address. That way, every user has half of the targets (making the chance of finding a working host really big) but no country can get the full list (since they lack a few bits in the IP address range they use).

An idea?

Of course, you can keep swapping the IP addresses monthly/weekly or so to add to this.

Re:Solution? (0)

Anonymous Coward | more than 4 years ago | (#29874819)

If not all of the nodes are seen by any single individual in the country, wouldnt it still be possible to block the known nodes available to that country (even if you arent blocking them all) because neither the user or the blocker are able to identify the remaining nodes.

Re:Solution? (1)

clone53421 (1310749) | more than 4 years ago | (#29874895)

no country can get the full list (since they lack a few bits in the IP address range they use).

What about open proxies in other countries...

Re:Solution? (0)

Anonymous Coward | more than 4 years ago | (#29876885)

Interesting idea, but I think you're assuming that there's some central server (or set of servers) from which users download the program. Any evil government will have blocked your servers long before they bother trying to block the program's communications.

And if the Chinese government has no way of finding out the IP addresses of the proxies that Iranian users are using... so what?

A Bigger Worry (4, Interesting)

starfarer42 (682198) | more than 4 years ago | (#29874259)

Never assume your adversary is incompetent. If they can easily find and block all IP addresses used by this program, then why would they choose not to? I can think of one possibility, and it doesn't bode well for people who are using this program under the belief that it will protect their anonymity. We all know that monitoring *all* Internet traffic into and out of a country (especially one as populous as China) is a futile task. But suppose you could identify which fraction of those connections are specifically trying to evade government controls? Wouldn't it make sense to focus your attention on those connections? And instead of blocking them out right, why not trace them back to their source? Even if you can't decrypt the traffic, you can at least identify those "subversives" that could be in need of "reeducation". And remember that just because you choose to block those connections *right now* doesn't mean you can't start blocking them at some point in the future.

Re:A Bigger Worry (3, Insightful)

marnues (906739) | more than 4 years ago | (#29875311)

Sorry, but you've missed the point of Chinese censorship, just like most people on Slashdot. Yes, the Chinese themselves are generally A-OK with such censorship. They have a very different culture than ours. Sure, if someone was bypassing the firewall to organize a rally, then absolutely that would be used against them. But the vast majority of people bypassing aren't doing anything of interest to their government and so will be happily ignored. The CCP is very intelligent and knows that letting some Chinese break the rules is the best policy both for China and for the Party.

Meanwhile, in an office Bejing... (1)

Jawn98685 (687784) | more than 4 years ago | (#29874739)

"Presumably either the ideas leaking in through an unfiltered Internet are not reaching a large enough proportion of the population, or the ideas are not expected to take hold in enough people's minds to reach a tipping point that causes a problem for the ruling party."

Comrade Minister of People's Internet Service Provider: "Comrade Minister of Enforcement of Proper Thinking, I am pleased to announce that Great Firewall 3.0 is now in place and operational. "

Comrade Minister of Enforcement of Proper Thinking: Comrade Minister of People's Internet Service Provider, this is a glorious accomplishment. We can now prevent all manner of dangerous information from reaching the people and disrupting our peace and prosperity. But..., you have blocked my access to RedTube. I can no longer perform my research into the disgusting sex practices of the Western Imperialist dogs.

Comrade Minister of People's Internet Service Provider: "Dude, have you never heard of UltraSurf?"

IPv6 (3, Insightful)

NotBornYesterday (1093817) | more than 4 years ago | (#29875177)

Having a near-inexhaustable list of IPs for Ultrasurf would make tracking and filtering them all virtually impossible. That, combined with IPsec (required by IPv6) could either punch vast holes in the Great Firewall of China, or force them to step up their game considerably.

If it does prove to be a factor in fighting Chinese censorship, is interesting that the massive growth of the internet in Asia has been one of the driving factors behind the need for IPv6 migration.

Re:IPv6... and mesh topology (2, Interesting)

TakeyMcTaker (963277) | more than 4 years ago | (#29875457)

The problem isn't only IP count but the fact that all the traffic ends up over a handful of trunk lines between any given set of countries. I once calculated that a single 64-bit subnet of IPv6 addresses would give you enough IPs to cover roughly every square centimeter of the Earth with IPv6 addressable devices, including uninhabited areas and oceans. We could allocate such a IPv6 subnet to use by a new short-link mesh topology network, set up completely between immediate neighbors and outside the control of any government. Longish range directed links could be set up along any border between a free/democratic nation and an authoritarian/censored nation. Any great-firewall would have to be augmented with a great-Faraday-wall as well. IPv6-to-IPv4 could be used at any sufficiently close neighbor node as an "escape route" both to balance connection loads and avoid censor tracking, in a manner similar but superior to I2P. The key is getting mesh topology routing technology cheap and in the hands of common people.

Posting from China here. (1)

poity (465672) | more than 4 years ago | (#29881765)

My usual favorite, FreeGate, stopped working around August of this year. There are sporadic times where the client software will find 1 server with >1000ms pings, which makes it effectively useless.

I tried every other free proxy client out there to no avail and gave up soon after. Apparently they're all blocked now.

I've got nothing now. No more youtube, no more boobs in gis along with 90% of other perfectly legitimate pictures (not to say that boobs are never legitimate), certain word searches in google will give me a reset connection error right after giving me a millisecond flash of the rendered page.

What really bugs me is sometimes when I'm googling I'll be hit by that connection reset error (like if my finger slips and out comes "constitstution" or something), and on top of that my connection to all google servers is cut for a few minutes (I guess timeout as punishment?).

I rarely curse back in the US, but I let the "fuck you"s fly freely here, and quite often.

(ctrl+a ctrl+c just in case something happens to this message...)

Blocking IP has cost (0)

Anonymous Coward | more than 4 years ago | (#29887579)

It seems trivial enough to detect all the IP's ultrasurf is connecting to when it's running in your computer.

For smaller sites, it's too expensive to block 1000+ IP's. For each user trying to connect to the site, his IP has to be matched against a table of size > 1000.

It's feasible for larger sites if their life depends on it, for example, Wikipedia. They block all the public listed TOR nodes.

For all ISP's in the nation to block some outgoing websites, it's a big task. It's not like running a clever little program in your PC.

Actually, the Chinese are crazy-like-a-fox. (1)

Dr. Crash (237179) | more than 4 years ago | (#29897145)

Consider this: if you make it just harder than trivial to circumvent the block, then you get three categories of people.

    1) The ones who don't circumvent the block. These are sheep. You can ignore them.

    2) The ones who circumvent the block. These are opposition ringleaders. Watch them carefully.

    3) The ones who circumvent it but only after a known associate already circumvents it. These are motivated followers. Subvert and enlist them.

As Yogi Berra said, "You can observe a lot just by watching". In this case, UltraSurf provides a way for the Great Wall operators to _automatically_ find your enemies of the state- and prime followers.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account