Geedge and MESA leak: Analyzing the great firewall’s largest document leak (gfw.report)
175 points by yourapostasy 18 hours ago | 31 comments
miohtama 16 hours ago [-]
Some analysis and discussion here:

https://github.com/net4people/bbs/issues/519

> After its founding in 2018, one of Geedge's first clients was the government of Kazakhstan, to whom the company sold its flagship Tiangou Secure Gateway (TSG), which provides functions similar to China's own Great Firewall, monitoring and filtering all web traffic that passes through it, as well as attempts to bypass such censorship.

> The same tool has been rolled out in Ethiopia and Myanmar, where it has been instrumental in enabling that country's military junta to enforce a ban on VPNs. In many cases, Geedge works with other private companies, including internet service providers (ISPs) such as Safaricom in Ethiopia, or Frontiir and Ooredoo in Myanmar, to enact government censorship, the documents show. No ISPs that have partnered with Geedge responded to a request for comment.

> The leaks show employees at the company working to reverse-engineer many popular tools and find means of blocking them. One set of documents lists nine commercial VPNs as "resolved," and provides various means of identifying and filtering traffic to them. Similar capabilities have long been demonstrated by the Great Firewall, with most commercial VPNs inaccessible from within China and many dedicated anti-censorship tools also hard to access.

> At least one Jira support ticket shows evidence of plaintext capture of email

academicfish 25 minutes ago [-]
I wonder who's the Chinese Snowden behind the leak.
hks0 3 hours ago [-]
I used to live in a country that is also a customer of GFW. Before v2ray came out, I had figured out that devising any random protocol would defeat it. I would pass my SSH connection used for socks5 through ROT13 or any ROTn, then the firewall wouldn't gradually slow it down towards total stall after a few kilobytes. OpenSSH yells its name and version in plain text upon connection.

A few years later (still before v2ray) they got more aggressive: unknown protocols were stalled after a few kilobytes. I then learned that if I pretended I was doing something legitimate (!) such as downloading favicon.ico within a proper HTTP channel, they wouldn't touch my "packets" (the favicon content was my packet). I think there was also an Iodine project doing the same with ping packets, but it was slower than favicon-as-packets for me. Today I see v2ray has taken it to the maximum extent, suggesting a valid web page front for an IP, valid https certificates, etc.

When I started making money I was thinking about renting many IPs and sending my traffic round-robin to them, as the detection relied heavily on IP consistency. That is, connections were fingerprinted by IP.

I don't live there anymore and don't get to verify this hypothesis, but given the leaked source code it's an interesting weekend project.

What is also interesting: I looked at the traffic decoders in the list of leaked source files: TCP, HTTP, QUIC, ... but no mention of UDP, which made no difference in bypassing GFW. I guess the same IP rate limiter was at work with UDP at a lower level.

hiddendoom45 4 minutes ago [-]
From my own personal experience with an outline server running on the same IP over 3 years, the GFW consistently ends up blocking it around 3 days after I first connect. Outline does use shadowsocks to obfuscate but I suspect the traffic detection is what triggers it after 3 days of observations. Running multiple servers and repeatedly cycling through them is an experiment I want to try the next time I'm there.

I've also observed similar behavior with the VPN I'm using as backup, where the server I'm using tends to get blocked in around the same timeframe. It's using openvpn/wireguard as the underlying protocol, which doesn't try to obfuscate itself, so I suspect traffic pattern analysis plays a larger role in what gets blocked than the protocol itself. The exception was my recent week-long trip where I was mostly cycling between two servers without noticing either being blocked.

nromiun 5 hours ago [-]
AFAIK QUIC traffic is impossible to attack using MITM techniques. So I wonder how the GFW handles it. Do they block it entirely or still filter it somehow?
xyzzy123 4 hours ago [-]
According to https://gfw.report/publications/usenixsecurity25/en/#3 they sniff the SNI out of the handshake like for TLS.
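Added example (not from this thread or from gfw.report): a minimal parser showing why the server name can be read off a TLS handshake by anyone on path. The SNI extension in a ClientHello is plaintext, so a monitoring box needs no keys to see it. The ClientHello bytes are constructed here, not captured.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(server_name=None, extra_ext=b""):
    """Constructed sample: a minimal ClientHello record, optionally with SNI."""
    body = b"\x03\x03" + b"\x11" * 32        # client_version, fixed 'random' bytes
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x04\x13\x01\x13\x02"      # two cipher suites
    body += b"\x01\x00"                      # one compression method: null
    exts = extra_ext
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Works on the raw bytes as seen on the wire; nothing is decrypted because
    nothing in the ClientHello is encrypted. Malformed input yields None."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                              # skip version + random
        p += 1 + hs[p]                              # skip session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # skip cipher_suites
        p += 1 + hs[p]                              # skip compression_methods
        if p + 2 > end:
            return None                             # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:                     # walk extensions in order
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q = p + 2                           # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
        return None
    except (IndexError, struct.error):
        return None
```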
jonathanlydall 4 hours ago [-]
Why would QUIC be any more or less MITM attackable than say HTTP1.1 or 2?

AFAIK, the only thing that stops an MITM attack (where they respond as if they’re the remote server and then relay to the real remote server) are certificates.

If an authority requires you trust their root certificate so they can spy on you, QUIC will not make any difference.

nabla9 2 hours ago [-]
That's not true. QUIC's encrypted traffic does not protect against MITM.
FridayoLeary 9 hours ago [-]
My first thought was unfortunately whether the UK and other Western nations would copy this to build their own Firewalls. To be honest I still don't think it's a goal anyone is actively working towards and that's a bit of a hyperbolic take. But the truth is that we are moving more towards such a system than we are moving away.

My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent. We are lucky to be living in such a free society. The Internet seems to be losing the battle against government interference and censorship and that is more of a bad thing than a good thing.

xyzzy123 4 hours ago [-]
As I understand it the idea is not necessarily to stop all dissent / awareness, but that it's useful to be able to slow the spread of "rumours" / incendiary information when it is spreading virally. This gives authorities time to come up with a response if required.

While I personally wouldn't want to live in a country which does this, the flip side of unrestricted virality in countries that culturally might not be prepared for it are events like https://en.wikipedia.org/wiki/Indian_WhatsApp_lynchings

Given that the US controls much of what happens on the Internet, another issue for many countries (not China so much) is that without controls they become extremely vulnerable to US influence campaigns and "colour revolutions".

I predict that all countries will end up with something like the GFW eventually because there's basically no other way for governments to achieve "Internet sovereignty" (enforce laws regarding users and publishers on the web). The US might be last to do this because it is in the doubly privileged position of a) being able to exert significant pressure on other countries and b) being able to apply regulation to major US-based Internet companies using their own legal system.

ipnon 3 hours ago [-]
The apparatus we call GFW is really a Chinese CDC for memes. The CDC expects novel strains of bird flu every year, it’s okay, they closely monitor the situation, research the novel strains, cull risky populations, and develop vaccines for worst case scenarios. GFW expects novel strains of anti-CCP viral memes every year, it’s okay, they closely monitor the situation, they analyze the meme for spreaders and origin, they use the new meme to gauge changes in public sentiment, they fine or jail or imprison particularly quarrelsome netizens, and in the worst case scenario they prepare narrative shifts or outright censorship to maintain a net that is deemed healthy. It’s meme epidemiology, with mind viruses instead of RNA viruses.
xyzzy123 3 hours ago [-]
I think GFW is more of a fallback (hammer) in the overall system but yeah that does happen "in detail" on WeChat etc.

In the US, censorship is obviously a hot-button political topic (core values), but we are starting to see US concerns around things like troll farms, foreign influence, election misinformation etc and systems to quietly tamp that down. The sorts of things that appeared in the "Twitter Files".

The US doesn't usually need "big hammer" technical controls for this because they have legal control over the corporations involved and can ask them to moderate themselves in line with US law & natsec requirements.

Places like e.g. the UK are in an interesting pickle because while they are _largely_ culturally aligned with the US, their lawmakers don't have the same level of influence on platforms. They can either impotently "shake their fist at the sky"; or they can reach agreements so the major platforms co-operate with their governments; or they implement China-like technical controls.

ipnon 3 hours ago [-]
UK and PRC need a censorship apparatus because they are one party states. UK is a monarchy based on a religious aristocracy. PRC is a socialist state with Chinese characteristics. Memes can destroy these countries because they can delegitimize the despot. But in America memes benefit the polity, because parties lose power all the time. We’re constantly switching who rules, and the baton passes frequently enough that we tacitly agree it’s better to just come back next election with better memes. A meme like “Trump shouldn’t be President” is not an existential threat to America, whereas “Charles shouldn’t be King” and “Xi shouldn’t be Chairman” are direct threats to the continuation of their respective systems of government.

It’s the definitive strength of the United States.

xyzzy123 3 hours ago [-]
Having an overseas social media platform widely used in your country is basically giving foreign intelligence direct access to the brainstem of your citizens.

It's not even about speech necessarily, it's about what speech is amplified and what suppressed, and whether those perspectives are organic or manipulated. Also, who can read all the messages and analyse the trends.

If the US was as memetically robust as you say, foreign owned TikTok wouldn't be a problem. But even free speech cannot hold up under manipulation.

I think a lot of ppl in the US don't notice that this is the position that every other country is in with respect to US social media.

ipnon 2 hours ago [-]
I disagree with your conclusion, but my argument is rather about why a strong censorship and surveillance apparatus exists in UK and PRC and why USA merely has mass surveillance apparatus without concomitant mass censorship. Another feature of American memetic ecosystem is some immunization against manipulation, in that memes such as “Russia is manipulating elections” or “university professors are indoctrinating students” are widespread if not universal. You will note that in nature the most effective rate of immunity in a population is never 100%.

I am a humble HN poster, and this is simply food for thought, and I appreciate your attention.

xyzzy123 2 hours ago [-]
Likewise, thanks for the perspectives.
andxor 1 hour ago [-]
The monarchy holds no executive power.
sofixa 49 minutes ago [-]
> UK is a monarchy based on a religious aristocracy

Not really. The Monarch has no real power, only "influence", but they don't step in even in the face of disaster (Brexit).

It's pretty weird to have a developed country with a state religion, but in reality, it has no bearing on anything.

But the US has shown us that "tradition" and principles aren't enough to stop a hostile takeover of power. A Trump-like future monarch could do a lot of damage if they decided; so indeed the UK could do with lots of reforms to enforce proper separations and encode the purely ceremonial role of the monarch.

physicsguy 4 hours ago [-]
I listened to a British politics podcast the other day called Not Another One and they were discussing that among western governments there is some looking at the UK’s porn block because in general politicians think that things have gone too far in children being able to access extreme content, and that if 20 years ago it had been suggested this had been where we’d be, it wouldn’t have been seen as acceptable. They used the example that if you want to publish a very explicit book in the U.K., the Obscene Publications Acts would put limits on you doing so, but putting it online would be allowed.
bboygravity 4 hours ago [-]
Ah, the good old "think of the children" argument. Does anyone buy that?
ACCount37 2 hours ago [-]
Unfortunately, yes.

Maybe it'll die off in a generation or two, when cynical millennials and zoomers become the backbone of politics. But for now?

"Think of the children" is hilariously transparent to us, but it enjoys moderate support across the population, and, much worse, it gets overwhelming support from geriatric politicians. Which is what makes fighting for liberties so hard.

ipnon 2 hours ago [-]
“Think of the children” is a persistent nemesis of modern civil liberties precisely because people buy it so often! One of the easiest emotional arguments to make is “your children are in danger” because parents have extremely low risk tolerance for the safety of their children.
sofixa 43 minutes ago [-]
Yes, especially lots of people with children are terrified that their little darlings will be able to access the best German BDSM content in 4K at an early age.
moi2388 3 hours ago [-]
Perhaps the children who don’t have free access to information anymore.

Oh, right..

feverzsj 4 hours ago [-]
The original GFW was literally built by Cisco. The west already has the technology. They only need an excuse to deploy it.

China relies heavily on export, so they can't just block everything. There are tons of proxy services to bypass GFW in China, and most of them have government background.

userbinator 4 hours ago [-]
> would copy this to build their own Firewalls.

Just about every company already uses some form of this on their network, especially those in highly regulated sectors like banking and other finance-related industries.

More usefully and perhaps "on the other side", I have a proxy on my network to block and modify requests for ads and other content I want to "censor".

nromiun 4 hours ago [-]
There is a big difference between a firewall on a private network and another on an entire country's traffic.
teekert 2 hours ago [-]
I for one can only access rt.com from a European country if I use a VPN. So that is step 1. The next steps will come. Our government has shown itself willing and (partly) able to block content from its citizens, regardless of their intent. I.e. being pro-Putin, or wanting to study what opinions circulate in Russia to try and maintain some level of human understanding for our fellow humans on the other side.

Moreover, a large part of our government is willing to implement something as egregious as ChatControl. So they are not above aiming extremely invasive spying tech at their own citizens.

1+1=2. All prerequisites have been met for a European “firewall”. Hate the word btw, a firewall is supposed to be a defense tool. But these censoring tools are an attack on our agency. Every time I try to access something I am not allowed to access by my overlords I hear in my head "You are not allowed to see this information citizen."

jychang 5 hours ago [-]
> My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent.

Well, OpenAI and other companies training AI models have shown that the architecture of the model matters less than the quality of data fed into it. Same applies for humans.

I understand that the Great Firewall is mostly about censoring dissent, but it's also to keep Chinese citizens away from junk food media sources. The type of videos you see on Douyin vs Tiktok is a great example of the difference.

Yes, the videos on Douyin are politically censored, but they're also a lot less brainrot than Tiktok videos. The Tiktok algo is optimized for ad impressions and profit, whereas the Douyin algo is more tuned to some nebulous concept of Confucian social harmony, for better or worse.

A more nuanced take is that I don't think it's useful to measure Chinese govt behavior just mapped to "amount of suppressing political dissent". I actually think the level of censorship is above the level required for that. It's more useful to recognize that "suppressing political dissent" is actually a subset of Confucian "promote social harmony" - which is not strongly valued in the USA but is at least important enough to be paid lip service in China - and I suspect a big chunk of educated members of government may truly believe in that ideal. It explains behaviors like "why the Douyin algo is so different from Tiktok" and other overreaches of the Chinese govt, because it's not solely about suppressing dissent.

0xDEAFBEAD 46 minutes ago [-]
Yeah, I think there may be a lot of wisdom in the Chinese approach.

Right now on the HN homepage, there's a link "The case against social media is stronger than you think", which argues that social media drives political dysfunction in the US and some other countries:

https://news.ycombinator.com/item?id=45234323

Even if you disagree with that link, and believe social media is a positive force, do we really need to subject all countries to unregulated social media? Seems like putting all of our eggs into one basket, as a species. Why?

supriyo-biswas 5 hours ago [-]
> My first thought was unfortunately whether the UK and other Western nations would copy this to build their own Firewalls

Various western networking companies already sell such products to authoritarian regimes, such as Nokia[1], Blue Coat Systems[2] and Siemens[3]. China, for reasons that are well documented elsewhere, has always wanted to build it with "their tech", the only thing that's new to me is their export of such tech to Chinese-allied nations.

> My second thought is how badly Chinese communism must be doing that they need such a massive effort in order to prevent their citizens from accessing information and voicing dissent.

This is a very controversial opinion, but the Overton window has shifted in this respect and many people often like censorship/DPI when done for "altruistic reasons", and it was sad to see Europeans (presumably) asking for blocking of social media sites since Nepal[4] had done the same, disregarding the second-order effects it would have.

Of course, we live in interesting times, with a major western world power embracing economic policies that prioritize government ownership of industries[5], which is typically closer to communism than anything we've seen in the past :)

[1] https://www.wired.com/2011/08/nokia-siemens-spy-systems

[2] https://www.bis.doc.gov/index.php/about-bis/102-about-bis/ne...

[3] https://www.spiegel.de/international/business/ard-reports-si...

[4] https://news.ycombinator.com/item?id=45137363

[5] https://www.intc.com/news-events/press-releases/detail/1748/...
