Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
It’s good to know the boss.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
So much has happened since then...
If you get a green card and leave the US for any amount of time, on return the border agent makes a determination on the spot if you intended to live abroad.
Less than six months is simply less suspicious than more.
If the answer is yes, well then it is yet more proof that the US immigration system operates basically extrajudicially just like the IRS and ATF, and only occasionally do the courts pull them back in after much hardship for the plaintiff.
Words and policies are supposed to have meaning, and I doubt we'll get any charts or graphs on border refusals per amount of time spent abroad for GC holders.
Green cards are for people who intend to continuously be resident in the United States.
If you go home for 3 months and get a job and rent a house then you no longer continuously reside in the United States.
It's that simple, but there's no hard or fast rule on how many days.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500mbps+ almost everywhere), and several times cheaper too.
Not really. People like it in China, regardless of whether they're Chinese.
I took an English teaching certification course in Shanghai. The teachers for that course were used to rotating around the world as the company held courses in various random locations.
One day the teachers asked what was apparently a standard question for them, "are you planning to stay here after you get the certification?"
And they were flabbergasted when everyone answered yes. Apparently in most of the locations that offer CELTA courses, the majority of people come for the course and get out as soon as they can.
The teachers, incidentally, were British and New Zealander, and they were firm about instructing us in teaching British pronunciation. I assume most of the students went on to ignore that part of the curriculum.
Because they have some of the most beautiful scenery and buildings I've seen and I've been to dozens of countries.
Personally I wouldn't go there for remote work, because the internet interference is a pain but a holiday definitely.
The nature spans salt lakes and rainbow mountains akin to South America, to the Northern Lights in Mohe down to karst formations of Guilin shared with Vietnam's Halong Bay.
The cuisine is diverse and dishes popular in places like Xi'an reveal lasting influences dating back to the Silk Road.
If you can't find "somewhere really nice" amongst the myriad people and locations you haven't tried.
Visiting somewhere means submitting yourself to their laws. With China's, that's not an option for me. Having restricted communication with home is a dealbreaker too. I would not let that stand so I'd have to break their laws.
It may be a beautiful country but it's not a beautiful place to be. At least not for someone like me.
Though having said that there are many places I refuse to travel to. The US is currently one as well for obvious reasons.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
I can give you as much proof as you would like!
Example: https://www.justice.gov/opa/pr/justice-department-announces-...
I'll just say Microsoft is not the only company doing that, and there are also Chinese-owned SAASes which American companies pay for.
If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.
From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.
The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.
The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.
Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.
Also VPNs are typically UDP, but there's no hard requirement as far as I know.
Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
But GFW certainly had the capability to block all ports. So no one really knew.
If I understand right, a good next step would be to ignore, with eBPF or some type of proxy, the forged RST+ACK at the beginning.
Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come testing to see if sending a bunch of ACK packets, perhaps with sequence numbers that would when reconstructed could complete the handshake. Trying to send them alongside the SYN+ACK or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
So what's blocked differs by region
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) were once black holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to have a centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has a more centralized system like China, controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
First they came for the socialists, and I did not speak out because I was not a socialist.
Then they came for the trade unionists, and I did not speak out because I was not a trade unionist.
Then they came for the Jews, and I did not speak out because I was not a Jew.
Then they came for me and there was no one left to speak for me.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
https://danglingpointer.fun/posts/GFWHistory
Posted 6 days ago (https://news.ycombinator.com/item?id=44898892)
kotri•5mo ago
hackernewsdhsu•5mo ago
phantomathkg•5mo ago
wkat4242•5mo ago
elevation•5mo ago
There's no authentication so anyone can pretend to be you. Traditional methods of verifying the sender (HMAC) would take so many hours to transmit that the physical propagation paths you're communicating through will probably collapse before you deliver the smallest verified message.
If you need to communicate information, FT-8 is not for you.
wkat4242•5mo ago
You do need a time source though. GPS is generally used for that but it doesn't need to be extremely accurate with FT-8 like with some other protocols.
I would imagine using it for a regular "I'm ok" message for the home front in such a situation using pre-arranged contents.
cedws•5mo ago
Gigachad•5mo ago
int_19h•5mo ago
Gigachad•5mo ago
I tried it while staying in a high rise hotel and the experience was great. Instant acknowledgement and super reliable communication.
int_19h•5mo ago
downrightmike•5mo ago
kotri•5mo ago
eastbound•5mo ago
vintermann•5mo ago
woooooo•5mo ago
If it's on purpose, I think you have the most likely motivation.
account42•5mo ago
A mistake that also weirdly increments some TCP fields for the three subsequent RST packets when that's not how the existing GFW devices behave would need some explanation before you could conclude it to be the most likely explanation.
woooooo•5mo ago
mschuster91•5mo ago
[1] https://en.wikipedia.org/wiki/Cherbourg_Project
cibyr•5mo ago
wkat4242•5mo ago
methou•5mo ago
NitpickLawyer•5mo ago
andrewinardeer•5mo ago
NitpickLawyer•5mo ago
andrewinardeer•5mo ago
Helmut10001•5mo ago
Zacharias030•5mo ago
4gotunameagain•5mo ago
Every major power has polluted near Earth space as a show of power.
cyberax•5mo ago
therein•5mo ago
perihelions•5mo ago
[0] https://planet4589.org/space/con/star/planes.html
(On general principles, you could argue you'd need 1:1 launch vehicle parity (number, not payload) to defeat a satellite constellation this way. For each satellite launch, you'd need one corresponding anti-satellite launch into that same, newly-defined orbit).
rtkwe•5mo ago
wkat4242•5mo ago
rtkwe•5mo ago
LargoLasskhyfv•5mo ago
kortilla•5mo ago
cyberax•5mo ago
Starlink satellites are pretty low and experience a lot of drag, with square-cube law working against you. Your shrapnel's orbit will likely decay pretty rapidly.
perihelions•5mo ago
Relevant, Chinese domestic media reporting on China's own perspective:
https://www.scmp.com/news/china/science/article/3178939/chin... ("China military must be able to destroy Elon Musk’s Starlink satellites if they threaten national security: scientists" (2022))
> "Researchers call for development of anti-satellite capabilities including ability to track, monitor and disable each craft / The Starlink platform with its thousands of satellites is believed to be indestructible"
"Easy to bring down" vs. "believed to be indestructible"—some tension there!
ceejayoz•5mo ago
perihelions•5mo ago
lazide•5mo ago
progbits•5mo ago
senectus1•5mo ago
audunw•5mo ago
And I doubt China would want to make LEO impossible to move through anyway. It’d affect China badly as well
baq•5mo ago
esseph•5mo ago
Also, fairly easy to find from the air.
maxglute•5mo ago
stevage•5mo ago
spwa4•5mo ago
The only thing that could bypass is GPS + laser links (meaning physically aiming a laser both on the ground AND on a satellite). You cannot detect that without being in the direct path of the laser (though of course you can still see the equipment aiming the laser, so it doesn't just need to work it needs to be properly disguised). That requires coherent beams (not easy, but well studied), aimed to within 2 wavelengths of distance at 160km (so your direction needs to be accurate to 2 billionths of a degree, obviously you'll need stabilization), at a moving target, using camouflaged equipment.
This is not truly beyond current technology, but you can be pretty confident even the military doesn't have this yet.
threeducks•5mo ago
The moon is 700 times farther away than the starlink satellites (or twice that, if you consider the bounce), so I find it hard to imagine that it would be impossible to communicate with much closer satellites over laser when both sides can have an active transmitter.
spwa4•5mo ago
mnw21cam•5mo ago
However, this solution is going to stop working when a cloud drifts past.
spwa4•5mo ago
Not really, because you'd be using a frequency that passes through clouds. A snow storm or hail is impenetrable, and there are weather events that cause a 1-2 second blackout, as well as cause refraction (which is mostly a challenge in reaiming the beam fast enough to compensate), but anything in the air is fine. Clouds, mist, ... But is aiming at a 1 arcsecond target moving across the sky at at least 1 degree per second from a normal (ie. moving) building really doable with "standard hobbyist telescope mounts" ?
I know 5 years ago we were still doing this with lasers on rockets toward planes, because planes can just keep their angle to a rocket essentially constant. I know there's experiments doing direct laser to satellite, no idea how well that works.
mnw21cam•5mo ago
The clouds are however much more of a problem than you're suggesting. One promising infrared band is around 10 microns, but a thick cloud will still scatter that. You'd need a 20cm wide laser beam at that wavelength for it to diverge to a beam width of around 10 arcseconds. Which is basically a reasonably-sized telescope, working in reverse.
Alternatively, you could go for millimeter waves, which would pass through the clouds reasonably well, but then you're well outside the realms of "laser" and into the standard directional dish antenna. And it'd have to be a very large dish to give you a narrow beam. For instance, a rather unsubtle 2 metre wide dish with a 1mm wavelength will give a beam that diverges by 100 arcseconds. And there will probably be omnidirectional leakage which the dastardly authorities are likely to be able to detect. At least visible and infra-red leakage can be easily blocked and concealed, but radio is much harder.
mryall•5mo ago
Tuna-Fish•5mo ago
Not true anymore.
> and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
This is still correct.
rtkwe•5mo ago
wkat4242•5mo ago
Though India doesn't have a great firewall so it's much less of an issue for foreigners visiting there.
rtkwe•5mo ago
a012•5mo ago
It’s still true because in order to be operating in a country Starlink has to get approval from the Gov and if the Gov requires Starlink to have to connect through a ground station then they’ll either comply or not operate in that country
preisschild•5mo ago
patrakov•5mo ago
lazide•5mo ago
veunes•5mo ago
outworlder•5mo ago
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Ningxia it's NWCD.
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
UltraSane•5mo ago
I added an A record for a subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
bawolff•5mo ago
I think the real paranoid people use cloudHSM.
UltraSane•5mo ago
nijave•5mo ago
UltraSane•5mo ago
https://www.marvell.com/products/security-solutions/liquidse...
nijave•5mo ago
That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload)
Faaak•5mo ago
kotri•5mo ago
But yeah, they can shut down anything unless proxy servers are widely used, as in <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
darrenf•5mo ago
kotri•5mo ago
lazide•5mo ago
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with its purpose.
gopher_space•5mo ago
AnthonyMouse•5mo ago
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
lazide•5mo ago
It really isn’t dumb at all, and is quite difficult to get past.
It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
At massive (national) level scale.
Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.
AnthonyMouse•5mo ago
They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.
The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.
> It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.
lazide•5mo ago
The GFW is run by the definition of a Nation State Actor/NPT. They’re not perfect, or omniscient, but they aren’t fools or incompetent either.
And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
AnthonyMouse•5mo ago
You're describing something that seems like an urban legend/coincidence. What technical means are you suggesting they're using to determine the contents of a voice chat over an encrypted connection?
> And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
That's assuming it can be distinguished from ordinary traffic.
If your device goes direct when you want to read the Wikipedia article on the Streisand Effect but you also have a browser that proxies traffic through a random AWS VPS in Virginia when you want to read about something they don't want you to know, how are they supposed to tell that the latter is that and not just a regular arbitrary third party webserver?
> Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
It becomes easier to find a way to thwart what they're doing because any random device can be used to determine if or how something is being blocked instead of only the devices of high-risk people who can't afford to test the fences.
lazide•5mo ago
leroyrandolph•5mo ago
seeknotfind•5mo ago
Hizonner•5mo ago
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
hunter2_•5mo ago
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
Hizonner•5mo ago
fc417fc802•5mo ago
fulafel•5mo ago
LargoLasskhyfv•5mo ago
https://de.wikipedia.org/wiki/Impressumspflicht (Mandatory real name & address, not only for business, but private persons with web presence, too.
Same for Domain/DNS, which applies to everything in the European Union.)