Cambridge Breached the Great Firewall of China 250
Darren Rayes writes to mention a ZDNet article on Cambridge academics' claims that they have breached the great firewall of China. They also claim that by misusing the firewall they can launch DDoS attacks against IP addresses behind the wall. From the article: "The IDS uses a stateless server, which examines each data packet both going in and out of the firewall individually, unrelated to any previous request. By forging the source address of a packet containing a 'sensitive' keyword, people could trigger the firewall to block access between source and destination addresses for up to an hour at a time."
Submit details! (Score:5, Funny)
Re:Submit details! (Score:2)
Legal action against Cambridge? (Score:5, Insightful)
What about those inside China using those exploits for legitimate ends?
Is Cambridge indirectly helping the Chinese government to fix firewall issues?
Are Cambridge researchers after fame at the expense of the freedom of the Chinese people?
Re:Legal action against Cambridge? (Score:2, Informative)
Re:Legal action against Cambridge? (Score:3, Funny)
(It's "obligatory" because it's the only way insightful anonymous coward comments get modded up.)
Re:Legal action against Cambridge? (Score:5, Informative)
FYI, Cambridge isn't a U.S. university.
Re:Legal action against Cambridge? (Score:3, Interesting)
http://www.cambridge-mit.org/cgi-bin/default.pl [cambridge-mit.org]
/Just showing that they both have very smart technical people learning/researching there.
This is not helping China (Score:3, Interesting)
This is not helping China. They know how their firewall works, they built it. They also know where Cambridge University is (unlike half the readers of Slashdot).
Slashdot is helping China by bringing the article to their attention.
This has been circulating in the security blogs for a week now. There are basically two schools of thought. One is that we might fix the IP stac
Re:This is not helping China (Score:3, Funny)
Re:Legal action against Cambridge? (Score:2)
Re:Legal action against Cambridge? (Score:3, Insightful)
Believe it or not, even America has to say "wow, China, you get to run your own country today" once in a while.
They're supposed to be helping them (Score:5, Interesting)
Their research is concerned with DRM ass hat tactics and such...pity!
Re:Legal action against Cambridge? (Score:2)
You're a navigator by blood, aren't you? Wrong side of the planet, by the way.
<ryoga class="satire/obscure">WHERE THE FUCK IS JAPAN?</ryoga>
Re:Legal action against Cambridge? (Score:3, Informative)
Er. No, there's exactly one of each over 10k people in each [wikipedia.org] nation [wikipedia.org]. Of course, since Cambridge in this context isn't a city at all, and since there's essentially nobody who actually thinks of MIT when someone says Cambridge who has even a passing familiarity with universities, this is essentially moot.
at least one of which is also notable for its large univerity. Used to confuse the fuck out of me, for one.
Probably because you're posting with
Re:Legal action against Cambridge? (Score:4, Informative)
Re:Legal action against Cambridge? (Score:3, Interesting)
China also has a very "wall" orientated culture. Someb
six of one... (Score:5, Insightful)
Certainly TFA suggests that the DoS attack could be used against chinese government computers, but this could also be used against chinese citizens. An exploit is, after all, an exploit. So I would suggest that in the case of the DoS attack, reporting it to the appropriate people - in this case the Chinese authorities - was the right thing to do.
Unfortunately, in this case, the very flaw that allows a DoS against machines within China also permits those inside the firewall to ignore the resets sent back, so by reporting the DoS, they've also reported how the censorship can be circumvented. (or, by discovering the censorship circumvention they've unfortunately stumbled upon a DoS attack).
In this case, I really don't think that there is a One True Answer.
Re:Legal action against Cambridge? (Score:5, Informative)
Re:Legal action against Cambridge? (Score:3, Interesting)
This will make the Chinese government mandates antispoofing by all ISPs. Which actually will be quite a good thing. As a result at least one country in the world will mostly drop off the D.O.S. map. Good thing all around actually.
Now an interesting Cambridge related question is how it relates to the Great Firewall of Britain, aka Clean Feed (TM) which the dictatorship of el presidente de partida Laborista Antonio Bliar has forced most ISPs to implement (in the name of the children and terrorism of course)
Re:Legal action against Cambridge? (Score:2, Funny)
Re:Legal action against Cambridge? (Score:3, Interesting)
The primary problem is that the list is not under direct public control of an independent and accountable body.
From there on it can be used for blocking any content El Presidente Antonio Bliar can deem undesirable. Further to that, one of the functions of Clean Feed is a transparent redirect which will redirect your traffic to a site different from the one you are requesting.
Considering the record of this government on telling the truth that is a very dangerous weapon to give to the
Re:Legal action against Cambridge? (Score:3, Insightful)
The govt record aside, what exactly prevents two enforcers from the Russian mafia walking into the house of the technical staff responsible for Clean Feed in the middle of the night with a gun?
Currently nothing.
Phishing is netting them less and less people and most of the ones they catch nowdays in English speaking countries are sore losers with nearly empty bank accounts in "fringe" banks and building societies. Compare that to the number of account details they will catch just in one eveni
Re:Legal action against Cambridge? (Score:2)
(Yes, I know, makes no sense in Español.)
Re:Legal action against Cambridge? (Score:3, Interesting)
The Such and Such is evil lets block it mentality is not a good thing(TM)...
I can understand why spoofed source packets are bad and the majority of the time they are being used for illicit purposes, but should we ban bit torrent because the majority of th
Re:Legal action against Cambridge? (Score:3, Interesting)
Here you are deeply mistaken.
After 7/7/2005 el presidente Antonio's Bliar government's cronies have visited nearly all ISPs and most of them now implement it.
If we do not do it for the children we always do it for the other "obvious" reason.
By the way, I do not have an objection to its existence. I have an objection to the fact that:
Mongolians? (Score:5, Funny)
Stateless? (Score:3, Interesting)
Re:Stateless? (Score:5, Informative)
Stateless != ruleless. For example, you could use OpenBSD's "pf" to create a stateless firewall that references an external rules file, then use a cron job to rewrite that rules file once an hour. That might be a pretty reasonable approach if you're filtering billions of packets per hour and can't afford to track state for each connection.
Re:Stateless? (Score:3, Informative)
You misspelled "this".
State tables aren't happy magic O(zero) constructs - they take resources just like rulesets do. Imagine the case where a firewall is checking a billion simultaneous connections against a ruleset with only one entry. Do you honestly content that it'd be easier to look for the existence of a state table entry than to
Re:Stateless? (Score:2)
Re:Stateless? (Score:2)
I can think of one useful application for this (Score:3, Interesting)
Of course at the same time I can think of a million abusive applications for this...
Actually it would have to work the other way round (Score:5, Interesting)
Not a big deal either. Just send the IP Address of any mailserver you want to protect with a packet containing something "sensitive".
Re:Actually it would have to work the other way ro (Score:2)
Re:Actually it would have to work the other way ro (Score:3, Interesting)
I am going to try that!
Solution? (Score:5, Insightful)
What does slashdot think about this?
Re:Solution? (Score:3, Insightful)
Their population accepts a lot worse than losing Internet access.
I don't think a government that rolls tanks over dissidents is going to worry too much about cutting off their Internet.
Re:Solution? (Score:2)
The reason they've gone to such lengths with the great firewall is that they recognize internet access is essential to China's economy and productivity.
It makes no sense for the Gov't to cut off the outside.
They'd sooner rebuild the great firewall from the ground up.
Tiannamen Where? (Score:3, Interesting)
I highly doubt that they could get their population to accept them completely shutting off access to the outside world
Er, exactly which China are we talking about here. If the population don't accept things then they get run over by tanks.
Re:Tiannamen Where? (Score:3, Interesting)
Re:Tiannamen Where? (Score:2)
Please define 'keeping the population under control'. In pursuing this goal, should any limits be placed on the actions of government?
Re:Tiannamen Where? (Score:2, Interesting)
Re:Tiannamen Where? (Score:5, Interesting)
Re:Tiannamen Where? (Score:3, Interesting)
Re:Tiannamen Where? (Score:2)
You are just as ignorant as the censored chinese. (Score:2, Informative)
And the line of tanks stopped because the single person driving the lead tank didn't know what to do. It wasn't a policy decision handed down by the PLA to not hurt anyone because of cameras. They had just finished killing dozens, possibly hundreds of innocent people. They were shooting automatic ri
Re:Tiannamen Where? (Score:2)
Obviously not the Republic of China [wikipedia.org]. Must be that other one.
Re:Solution? (Score:2)
Hey, it's happened before (Google for "Qing dynasty", "isolationism"), of course, it led to the Opium Wars and China's eventual sub-division...Who knows what might've been if they'd just been a little more like the ancestors in the "trade and diplomacy" departments -- maybe I'd have learned Chinese at four instead of (trying and mostly failing) at forty...
I wonder... (Score:4, Interesting)
Re:I wonder... (Score:4, Interesting)
Re:I wonder... (Score:5, Interesting)
Falun Gong Is a Cult
www.china-embassy.org
Research Society of Falun Dafa and the Falun Gong organization under its control are held to be illegal
english.people.com.cn
Fifteen Falun Gong Cult followers attempted to sabotage cable TV network equipment
app1.chinadaily.com.cn
southcn:Falun Gong Cult OUTLAWED
www.newsgd.com
Here we should point out that the banning of "Falun Gong" by the Chinese government is also part of
www.chinaembassycanada.org
Falun Gong Practitioner Not Sorry for Killing Father, Wife
news.xinhuanet.com
Now compare all that to
http://www.google.com/search?q=Falun [google.com]
Now, if the Chinese Gov't is making Google filter based on English keywords, you think they're not going to do the same with their uber-firewall?
Many Chinese schools teach english. It isn't like they only speak various Chinese dialects over there.
Re:I wonder... (Score:2)
Re:I wonder... (Score:3, Insightful)
Re:I wonder... (Score:2)
Re:I wonder... (Score:2)
hard to believe (Score:2, Insightful)
Re:hard to believe (Score:4, Insightful)
Stateful firewalls scale poorly.
should we slashdot china's firewall?.... (Score:2, Funny)
-ed
Re:should we slashdot china's firewall?.... (Score:2)
Re:should we slashdot china's firewall?.... (Score:3, Insightful)
That isn't technically a DDoS (Score:5, Informative)
Re:That isn't technically a DDoS (Score:2)
People, a DDoS is a Distributed Denial of Service. The hint's in the first word, don't use it if it doesn't apply
Re:That isn't technically a DDoS (Score:3, Insightful)
RTFA. The attack can be either from a single machine, or it can be distributed. The source of the attack is unimportant. Either a single machine can generate the pa
Try the Saudi firewall (Score:5, Interesting)
Re:Try the Saudi firewall (Score:2)
hey just don't want their constituents (well, sort of) to be shocked and outraged by the moral indecency that is the outside world :p
Yeah, that's it. That's why Saudis wear mostly western garb outside of SA.
Re:Try the Saudi firewall (Score:2, Informative)
Re:Try the Saudi firewall (Score:2, Interesting)
- porn
- the usual "movies found on the internet" you see on CNN only after much editing
- pictures of the same
- pictures and movies of local popstars
Korea needs something like that... (Score:2)
That would mean that I could actually fight those ssh bruteforce zombies that apparently make up 95% of KorNET.
Benefits of the wall (Score:3, Interesting)
It also speaks to the power of the internet's design. Here is a nation notorious for its control of information, and the techniques they use are easy to discover, and possible to circumvent. If China can't restrict the internet, then there's hope that other governments and maybe even multinational corporations won't be able to pull it off either.
With luck, the firewall will become an irony of the past, as the importance of human dignity becomes apparant to the Chinese government.
Now they need a national-scale stateful firewall (Score:2)
Re:Now they need a national-scale stateful firewal (Score:2, Informative)
Ninjas rough up geeks (Score:2, Funny)
Re:Ninjas rough up geeks (Score:2, Funny)
National Security (Score:5, Insightful)
Couldn't the Chinese government view this as an act of terrorism? In the interest of national security the Chinese government will start an ambiguous "War on Terror" after the the US "War on Terror" and "War on Drugs" which are _also_ unwinnable and declared solely to keep the ruling party in power via fear.
Oblig. Monty Python (parody) - The Terrorist Song (Score:4, Insightful)
by Usurper_ii
(Sung to the tune of Python's The Lumber Jack Song)
I'm a terrorist and I'm OK
I read at night and I work all day.
The Government:
He's a terrorist and he's OK
He reads at night and he works all day.
I read a lot and I seek the truth
I go to the lavatory.
After OKC, I saw some things that didn't make sense to me.
The Government:
He doesn't believe our story about OKC,
We monitor when he goes to the lavatory.
On Wednesday night, he went to an unapproved web site.
Chorus:
He's a terrorist and he's OK
He reads at night and he works all day.
When, after 9-11 didn't all add up,
I met with others on the net, to talk it up.
The government:
He didn't believe our story about 9-11.
We followed him to unapproved web sites after hours.
In our report, well say he had bomb-making materials under his sink.
Chorus:
He's a terrorist and he's OK
He reads at night and he works all day.
I don't think a plane hit the Pentagon.
I think the World Trade Center buildings fell all wrong.
I wish I could convince my dear ol' mom!!
The government:
He's a terrorist and we're going to make him pay?!
We read his e-mail and didn't like what he had to say?!...
Just me:
I wish I'd been born, back when America was really free!!
The Government:
He's a terrorist and we're going to make him pay
He reads the Constitution and knows his rights.
He's just like McVeigh, Bin Laden, and al-Qaeda!!
Chorus:
He's a terrorist and he's OK
He reads at night and he works all day.
Re:Oblig. Monty Python (parody) - The Terrorist So (Score:2)
Only the bad part is, unlike in My Cousin Vinny, there is no jury and my trial is in secret.
Usurper_ii
Re:Oblig. Monty Python (parody) - The Terrorist So (Score:2)
Crud, an entire joke shot to crap because I forgot one apostrophe.
Usurper_ii
OWED TO THE SPELL CHECKER
I have a spelling checker --
It came with my PC.
It plane lee marks four my revue
Miss steaks aye can knot sea.
Eye ran this poem threw it,
Your sure reel glad two no.
Its vary polished in it's weigh,
My checker tolled me sew.
A checker is a bless sing,
It freeze yew lodes of thyme.
It helps me right awl stiles two reed,
And aides me when aye rime.
To rite with care is quite a feet
Of witch won should be proud.
And wee mu
Cyber Attacks, a good thing?? (Score:5, Insightful)
Re:Cyber Attacks, a good thing?? (Score:2)
I guess our idealism suddenly vanishes when the other side also has nukes.
Last weeks news - original post here (Score:5, Informative)
http://www.lightbluetouchpaper.org/2006/06/27/ign
And for all the details, the paper to be presented is here:
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf [cam.ac.uk]
I think the interesting thing is that by configuring our end to ignore the invalid resets from the Great Firewall of China we can aid the distribution of otherwise censored material.
DDoS attacks against the GFC seems not to be that easy, as the article mentions the GFC is not one giant router at the backbone, but rather smaller machines closer to the end stations - the firewall is distributed accross an unknown number of gateways.
great (Score:2)
Re:Congratulations (Score:4, Insightful)
Re:Congratulations (Score:2, Insightful)
Insecurity by obscurity.
www.PeenieWallie.com [peeniewallie.com]
Re:Congratulations (Score:5, Interesting)
It's not something that is trivial to fix. Others can do a better job of explaining why, but for now, suffice it to say that it'd require a significant effort on the part of the Chinese Gov't.
Maybe it can be fixed in The Great Firewall of China v2.0
Re:Congratulations (Score:2)
Re:Congratulations; Same old tired argument. (Score:5, Interesting)
Well done on writting a 'how-to' on pointers to make the firewall better. Im sure people out there new these things, and used them to their advantage. Now all holes will be plugged and even more censorship will rein in China. You have now had your 15mins of fame.
This is the same old tired argument we hear here on Slashdot over and over again. Expose the flaws and you either 1) alert the hackers on how to expose them or 2) Allow the admins to patch them. It's funny how depending on your political ideology, people will swing either way. How about a consistent opinion in favor of revealing flaws? Those who favor security by obscurity deserve neither.
Re: (Score:2)
Re:Congratulations; Same old tired argument. (Score:3, Interesting)
I think these researchers just proved once again that nothing is uncrackable. The idea of security is similar to the titanic.
Re:Congratulations; Same old tired argument. (Score:2)
WTF? The scripts look for banners? Why? So they can do click-fraud?
The idea of security is similar to the titanic. Its unsinkable until everyone owns your box.
WTF? Is that some sort of innuendo about the Kate Winslet, because I don't recall anyone "owning" the Titanic.
Re:Congratulations; Same old tired argument. (Score:4, Informative)
Re:Congratulations; Same old tired argument. (Score:2)
How about a consistent opinion in favor of revealing flaws?
So you want 100,000 unrelated people to come to a consensus? I can't get 10 people to agree where to go to lunch.
Re:Congratulations; Same old tired argument. (Score:2)
While I do from time to time argue that slashdot as a whole holds certain opinions, even I don't try to argue that any individual slashbot necessarily holds any of them.
Consistent opinion from who? (Score:2)
Re:Congratulations (Score:3, Insightful)
They're academics.
Their whole raison d'etre is to learns and share their learning. The information itself is ethically neutral. It can be used for good or for bad.
Re:Fragmentation (Score:2)
Re:Fragmentation (Score:3, Informative)
Re:Fragmentation (Score:2)
Re:Just a keyword? (Score:2)
Re:Just a keyword? (Score:2)
Re:Will the Chinese prosecute... (Score:2)