-----BEGIN PGP SIGNED MESSAGE----- In article <199602130139.RAA11162@mage.qualcomm.com>, Peter Monta <pmonta@qualcomm.com> wrote:
[ Jim Clark, "Firewall China" ]
A: A lot of people think that's not possible. It's difficult to enforce, but it's certainly possible. A corporation has a so-called fire wall -- a single point of entry into the corporate net. You can have a country that has a single point of entry into its "country net." It's doable. All you need, though, is one breach of security, and there's a leak.
A fire wall is a filter -- it filters and doesn't let certain people come in. You can only come in if you have the right permission. So you could easily set that up so that it would filter out your objectionable material.
He seems to be confusing network security with the propagation of content. A firewall is going to have a lot more trouble filtering dangerous thoughts than UDP port 1234, unless there are humans in the loop.
Hmm, I'd argue that firewall technology would indeed let China filter out many "subversive" thoughts on the Internet. The firewall is not going to be able to stop the two-rogue problem: two technically knowledgeable rogue agents, one on each side of the firewall, *will* succeed in communicating dangerous thoughts if they try hard enough. But that's not so important to solve perfectly, in practice. No, in reality, China could set up a few simple application proxies and only allow world -> China traffic on a few closely controlled ports, such as http, smtp, nntp, ftp, etc. The proxies could * filter out "naughty" and "seditious" sites (e.g. www.playboy.com), * filter out email, news, etc. which has traversed a "known dangerous site" (e.g. a remailer or ftp.hacktic.nl), * daily update their lists of subversive sites (e.g. by reading Raph's remailer list), * filter out indecent newsgroups, * do simple keyword searches (e.g. fuck, revolution, protest, crypto), and/or * do simple content analysis (e.g. maybe filter out .gifs, to stop nude pics). This would hose 93% of the subversive stuff on the 'net. "Social solutions" (read: men with guns) can eliminate the last 7%. And so it goes. Sure, someone in the "free world" (e.g. not China or the USA) could run a remailer / http-proxy at a new site each day, enabling someone knowledgeable in China to find dangerous material. But the fact remains that this requires technical knowledge and the willingness to go to the trouble of actively accessing the remailer site. Again, someone in the China could run a remailer / reposter / http-proxy themselves inside the firewall; that's where the "social solutions" come in. Kick down the door (see, jackboots are good for something after all!), beat up the children, and you can kiss that remailer goodbye. Technically, you're right in saying that you can't filter all the content perfectly; it's the classic covert channel problem. But practically, the Chinese gov't can probably wreak havoc with 'net freedom in China. - -- Dave Wagner Fuck the CDA. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMSEPwyoZzwIn1bdtAQEFDAF9GXWLz9beaciHbY3mo3Reaom7K5IK0k2I pVz5NrHqa80eDtC8Rr0w/kSzkKtq4GCL =k93A -----END PGP SIGNATURE-----