Re: Firewall USA to Firewall China

-----BEGIN PGP SIGNED MESSAGE-----

In article <199602130139.RAA11162@mage.qualcomm.com>, Peter Monta <pmonta@qualcomm.com> wrote:
[ Jim Clark, "Firewall China" ]
A: A lot of people think that's not possible. It's difficult to enforce, but it's certainly possible. A corporation has a so-called fire wall -- a single point of entry into the corporate net. You can have a country that has a single point of entry into its "country net." It's doable. All you need, though, is one breach of security, and there's a leak.
A fire wall is a filter -- it filters and doesn't let certain people come in. You can only come in if you have the right permission. So you could easily set that up so that it would filter out your objectionable material.
He seems to be confusing network security with the propagation of content. A firewall is going to have a lot more trouble filtering dangerous thoughts than UDP port 1234, unless there are humans in the loop.
Hmm, I'd argue that firewall technology would indeed let China filter out many "subversive" thoughts on the Internet.

The firewall is not going to be able to stop the two-rogue problem: two technically knowledgeable rogue agents, one on each side of the firewall, *will* succeed in communicating dangerous thoughts if they try hard enough. But that's not so important to solve perfectly, in practice.

No, in reality, China could set up a few simple application proxies and only allow world -> China traffic on a few closely controlled ports, such as http, smtp, nntp, ftp, etc. The proxies could

* filter out "naughty" and "seditious" sites (e.g. www.playboy.com),
* filter out email, news, etc. which has traversed a "known dangerous site" (e.g. a remailer or ftp.hacktic.nl),
* daily update their lists of subversive sites (e.g. by reading Raph's remailer list),
* filter out indecent newsgroups,
* do simple keyword searches (e.g. fuck, revolution, protest, crypto), and/or
* do simple content analysis (e.g. maybe filter out .gifs, to stop nude pics).

This would hose 93% of the subversive stuff on the 'net. "Social solutions" (read: men with guns) can eliminate the last 7%. And so it goes.

Sure, someone in the "free world" (e.g. not China or the USA) could run a remailer / http-proxy at a new site each day, enabling someone knowledgeable in China to find dangerous material. But the fact remains that this requires technical knowledge and the willingness to go to the trouble of actively accessing the remailer site.

Again, someone in China could run a remailer / reposter / http-proxy themselves inside the firewall; that's where the "social solutions" come in. Kick down the door (see, jackboots are good for something after all!), beat up the children, and you can kiss that remailer goodbye.

Technically, you're right in saying that you can't filter all the content perfectly; it's the classic covert channel problem. But practically, the Chinese gov't can probably wreak havoc with 'net freedom in China.

- -- Dave Wagner
Fuck the CDA.

- ---
[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMSEPwyoZzwIn1bdtAQEFDAF9GXWLz9beaciHbY3mo3Reaom7K5IK0k2I
pVz5NrHqa80eDtC8Rr0w/kSzkKtq4GCL
=k93A
-----END PGP SIGNATURE-----
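
The layered proxy rules listed in the message above, written out as an added example (it is not part of any post in this thread). The site names, ports and keywords are the ones the post mentions; the message fields, rule labels, the newsgroup prefix and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ports the post says would be proxied; everything else is dropped.
ALLOWED_PORTS = {80: "http", 25: "smtp", 119: "nntp", 21: "ftp"}
BLOCKED_SITES = {"www.playboy.com"}        # site named in the post
DANGEROUS_RELAYS = {"ftp.hacktic.nl"}      # list the post says is updated daily
BLOCKED_GROUP_PREFIXES = ("alt.example.",) # constructed placeholder prefix
KEYWORDS = ("revolution", "protest", "crypto")
BLOCKED_SUFFIXES = (".gif",)

@dataclass
class Message:                             # hypothetical record built by a proxy
    port: int
    host: str = ""
    path: str = ""
    relays: list = field(default_factory=list)      # hosts from Received:/Path:
    newsgroups: list = field(default_factory=list)
    body: str = ""

def decide(msg):
    """Return (allowed, reason); the first matching rule wins."""
    if msg.port not in ALLOWED_PORTS:
        return False, "port-not-proxied"
    if msg.host.lower() in BLOCKED_SITES:
        return False, "blocked-site"
    hit = DANGEROUS_RELAYS.intersection(r.lower() for r in msg.relays)
    if hit:
        return False, "traversed-" + sorted(hit)[0]
    if any(g.lower().startswith(BLOCKED_GROUP_PREFIXES) for g in msg.newsgroups):
        return False, "blocked-newsgroup"
    if msg.path.lower().endswith(BLOCKED_SUFFIXES):
        return False, "blocked-content-type"
    text = msg.body.lower()
    for kw in KEYWORDS:                    # plain substring match, nothing smarter
        if kw in text:
            return False, "keyword-" + kw
    return True, "pass"

SAMPLES = [                                # constructed traffic
    Message(port=1234, host="example.org"),
    Message(port=80, host="www.playboy.com", path="/"),
    Message(port=25, relays=["mail.example.org", "ftp.hacktic.nl"], body="hello"),
    Message(port=80, host="example.org", path="/photo.GIF"),
    Message(port=25, relays=["mail.example.org"], body="Notes on the Protest march"),
    Message(port=80, host="example.org", path="/index.html", body="weather report"),
]

def run_samples():
    return [decide(m) for m in SAMPLES]
```

The returned reason string is what a proxy of this kind would write to its log, so each drop can be traced to the rule that caused it.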

Hmm, I'd argue that firewall technology would indeed let China filter out many "subversive" thoughts on the Internet.
All it needs is for someone to broadcast Usenet via satellite over Asia, as Pagesat does in the US, or use radio. No firewall can keep that out.

Arun Mehta, B-69 Lajpat Nagar-I, New Delhi-24, India. Phone 6841172,6849103
amehta@doe.ernet.in a.mehta@axcess.net.in amehta@cerf.net
http://mahavir.doe.ernet.in/~pinaward/arun.htm
"I do not want my house to be walled in on all sides and my windows to be stuffed. I want the cultures of all the lands to be blown about my house as freely as possible. But I refuse to be blown off my feet by any."--Gandhi

This would hose 93% of the subversive stuff on the 'net.
I guess I've gotten turned around on this -- last week I was arguing your position. But:

China's problem is internal, not external, and it's political, not sexual.

Let's assume that they can build a successful firewall -- despite the fact that the people here on this list who design and install such firewalls for a living don't believe that the Chinese plan is feasible. Let's assume that they can prevent people from grabbing photos from playboy.com. So what?

Who's in a position to formulate devastating criticisms of China's government? Americans? Or people who live under the system and understand it? And what's subversive, anyway? Breasts enhanced with silicon and airbrushing, or plain honest talk about liberty and government?

Any net that lets the Chinese people publish and talk to one another is going to create problems for the government.

On top of that, the firewall isn't even going to keep out foreign traffic. The firewall model doesn't work for internal security -- it assumes that the people on the inside are trustworthy, and it focuses on protecting the internal net from people on the outside. The Chinese have to deal with people on the inside trying to subvert the wall by building illicit links via telephone lines or satellite channels.

Let's put it another way. Suppose a company has a strong firewall installed by a first rate security consultant. If an employee who has access to the internal net puts a modem on his machine and lets anyone who wants to dial in and connect to the internal net, what good does the firewall do? You can't come in over the Internet, but you can come in over a POTS line. Either way, you've got your access.

For what it's worth, I have a friend who just got a job with Apple's operation in China. According to him, Hong Kong is fully wired, but mainland China only has about 5,000 net accounts outside of government or academia. All 5,000 of those accounts seem to be served by a single 64kbs connection to the outside world, which suggests that they're email only.

Alex Strasheim writes:
For what it's worth, I have a friend who just got a job with Apple's operation in China. According to him, Hong Kong is fully wired, but mainland China only has about 5,000 net accounts outside of government or academia. All 5,000 of those accounts seem to be served by a single 64kbs connection to the outside world, which suggests that they're email only.

In that case, I expect it will be fascinating to see what happens to *.hk when it gets swallowed by China. Presumably the Chinese govt. will at least try to enforce the regulations (registration etc.) it has announced so far. What is the Hong Kong part of the net doing in anticipation of the transition?

Depending upon what happens in the next couple of years, it seems to me that *.hk could be an impressive Trojan horse for the mainland authorities to handle. I suggest that anyone who wants to deploy crypto tools behind the Great Firewall should seriously consider outfitting the Hong Kong populace with them.

-Lewis
"You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side?" (Joni Mitchell, 1972)

participants (4)
- Alex Strasheim
- Arun Mehta
- daw@dawn7.CS.Berkeley.EDU
- lmccarth@cs.umass.edu