this post was submitted on 10 Aug 2023
1076 points (98.4% liked)
Technology
59581 readers
4626 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
In case anyone wondered how to potentially get around this...
ssh -N -D 8008 your-server-ip
localhost:8008
(in Chromium/Firefox you can search for this in Settings)So, that's definitely better than nothing, but your browser isn't the only thing -- though these days, it is a very important thing -- that talks to the Internet. If, for example, you're using a lemmy client to read this, I'd bet that it's good odds that it doesn't have SOCKS support.
Though I wouldn't be surprised if someone has made VPN software that intercepts connections and acts as a proxy SOCKS client, which would make it work more like a traditional VPN if you can reach a remote SOCKS server, though maybe with a performance hit.
googles
Yeah, okay, looks like stunnel can do this on Linux. So it's a thing.
You don't need a 100% solution, though, to have a pretty big impact on society. Combine technical barriers with it just being easier to not think about what's going on outside, maybe some chilling effects from legally going after people who do start doing things that you don't like (viewing websites, spreading information, etc), and you can control people's information environment a lot. Make using circumvention solutions illegal -- okay, maybe you can bypass their system if you don't get caught, but do you want to risk it? Make creating or spreading circumvention solutions really illegal. Do you want to risk getting in a lot of trouble so that random other person can get unrestricted or unmonitored Internet access?
On that note, I was reading about the way North Korea does it in an article from someone who got out of North Korea. That is about as close as it gets to a 100% solution. Only a few thousand people are authorized to get Internet access. You need to apply to use the Internet with a couple of days lead time. Each pair of computers has a "librarian" monitoring what the Internet user on each side is doing, and every five minutes or so the computer will halt with whatever you were doing on the screen and require fingerprint re-authorization from the "librarian" to continue. Users are not allowed to view pages in Korean, just English and Chinese (I assume because most information out there that you'd have to go outside North Korea to get access to is likely available in either English or Chinese, and they definitely don't want people seeing anything out of South Korea).
That pretty much screws North Korea in terms of access to information, is a costly solution, but if you place an absolute priority on control of the information environment, North Korea does prove that it's possible to take a society there.
I don't think NK took themselves there, they were already there when the internet was invented. Easier to limit access to few people when you have draconian measures in place when access becomes possible.
Having a society that already widely has access to one that has extremely limited access is a lot more difficult.
This is a good point that many don't think about. Even if you could somehow drop hardware and free starlink into North Korea it wouldn't even matter because the citizens never grew up on internet culture. No one would be able to figure out what to do with it by the time they got caught.
Unfortunately it would be trivial to block an SSH tunnel like this. I recall reading news 10 years ago (maybe even earlier) some foreign journalist tried this at a Beijing hotel room and got shut down in minutes. That was when people are still using PPTP and L2TP protocols to get around censorship, Wireguard and shadowsocks wouldn't be born for another couple years.
Far from trivial unless you’re willing to brick ssh completely, or at least cripple a bunch of non-VPN uses for tunneling. Of course it’s trivial to just block ssh outright, or block tunneling above a certain bandwidth. But that would also block, as an example, most remote IDE sessions, loopback-only server management frontends, etc.
The Kremlin could maybe have something set up that looks for accesses to stuff inside Russia from outside Russia, then flag that IP as suspicious as being a VPN endpoint outside Russia.
So, okay, take this scenario:
IP A, user inside Russia.
IP B, VPS outside Russia.
IP C, service inside Russia that state can monitor.
User in Russia on IP A has an SSH tunnel to VPS on IP B with SOCKS that they control.
That's fine as long as user is only browsing the Internet outside Russia. But if you're routing all traffic through the VPS and you use any sites in Russia, the Great Russian Firewall can see the following:
IP A has a long-running SSH connection to IP B.
IP B is accessing stuff in Russia.
You could maybe also do heavier-weight traffic analsysis on top of that if you see 1 and 2, or gather data over a longer period of time, but seeing 1 and 2 alone are probably enough to block IP A to IP B connections.
That can be defeated by using two external VPSes, opening an SSH tunnel to the first one, and then talking to SOCKS on the second (maybe with another SSH connection linking the two). But that's increasing complexity and cost.
A marginal increase, perhaps. You don’t need a separate VPS - just a second IP. Accept incoming traffic on port 22 on one, and set the default route for outbound traffic to the other.
This is actually pretty interesting, thanks for sharing. Although i live in a third world country that doesnt care about anything at all including piracy, but this tunneling thing looks pretty handy
Couldn't you also just set the VPN to use port 443?
E: Apparently this isn't enough. IE, for Wireguard, you would need to find a way to obfuscate the handshake.
I'm not 100%, but I think you could set this up for free with an Oracle AlwaysFree tier VM.
(Boo Oracle, yes I know. Still very handy.)
Just looked up Oracle Always Free... Good to know about, thanks!