The Butterfly Effect Part II: Inside the Chinese Firewall

Posted by tadelste on Jan 14, 2006 8:16 PM EDT
Spencer Global; By Charles Spencer
Mail this story
Print this story

This is the second part of my series on the Internet in China. I recently returned from a year teaching at a Chinese University. During my time in China, I had the pleasure of getting to know the state of the Internet in China, both directly and indirectly, through my own use of the Internet and the classes. In my last article, The Butterfly Effect: Microsoft, Security, and the Developing World, I dealt with the effect of pirated software and security and its impact on development. In this article, I would like to cover my experience of the Chinese Firewall from the inside and the way we contribute to censorship in China.

Scanning Chinese networks the old fashion way with nmap or similar tools struck me as a bit impolite and potentially illegal. Being on the other side of the wall, I was not going to push my luck too much. However, part of my teaching duties involved several classes on research writing and basic computer skills. This gave me access to a very effective network testing tool. Basically, several hundred average Chinese University students. To get an idea of what the average Chinese experience of the outside Internet world was like, I could simply assign my students to retrieve various information from the Internet and wait for their reports. For example, if a site was not reachable from inside China, I would be quickly inundated by emails and questions from panic stricken students trying to complete their homework assignments.

My total number of students was well over a 1,000 for the length of the school year. I could also add to this all the miscellaneous students, staff, and public seminars where I simply referred them to my teaching website (hosted outside of China). That would bring the number to something like 2,000 people. About 100-200 in any given week where engaged in some sort of Internet related project for my classes. My own modest teaching site received a little over 5,000 hits in my time in China. So, through my classes at the University and other schools in Eastern-Central China, I was able to run a sort of ongoing distributed human scan of Internet connectivity in China.

My informal survey results: Of course there is always a few students that would, for one reason or another, be incapable of connecting; however, when a site could not be accessed at all, I would see my student red flag go up quickly. Normally, within about 24 hours of giving an assignment it would be obvious that something was wrong.

My own Internet connection provided to me by the University, as far as I could tell, seemed completely unadulterated and functioned as it would in any Western country. This included access to many news sites in Taiwan and Japan. For example, I could access the Gutenberg library, but my students could not. News sites such as BBC, and occasionally CNN, were completely unaccessible by me or the students. The Google search engine seemed to do some strange things. Both my students and I were able to download, and watch live, the entire U.S. presidential debate on C-span's website. Later, we were able to download the transcripts in both English and Chinese; including the segments where Bush directly criticized China. These were the same transcripts and video that I later used to teach debate class at the University.

On my own Linux computer, I had no problems connecting to bank websites in New York with 128 bit SSL; or connecting by SSH to computers in the United States and South America. I also frequently used Skype to make encrypted phone calls to friends and family around the world; Granted, the quality of the connection was at times so poor as to be unusable. This I would take to be more an issue of distance and network quality than censorship. Bittorent and FTP functioned normally, including Linux sites hosted in Taiwan and the United States.

The most surprising source of censorship in China:

There were several instances where the red flag on my human Internet scanner went up to an unusual high level. Students reported 100% failure. After investigating the problem, I discovered that it was not a firewall restriction or China's own network failure, but foreign networks and servers outside of China blindly blocking larger parts of China's networks from connecting. This included one incident that basically cutoff service from China to most of Europe and the United States.

An often overlooked aspect of our fight against Spam and malicious activity is our own contribution to censoring the Internet in China (also by extension other developing nations). What seems to have been missed is how we, as systems administrators and security professionals, also are contributing to the great firewall of China.

Here is how it works for those unfamiliar with the process: Millions of unlicensed, unsecured, and unpatched Microsoft desktops across China are turned into zombies networks by the bad guys. Those bot/zombie networks attack servers with Spam and malicious activity outside of China. Systems administrators around the world cutoff traffic to their network by blocking large blocks of IP addresses in mainland China. The average user inside China attempts to connect to websites outside China on those networks and fails. This failure to connect, both inside and outside China, is then attributed to the government sensors and the mystic of the firewall is reinforced. The effect is that the Chinese firewall, if only in part and inadvertently, is being reinforced by Western democratic countries and companies protecting their systems from China's infected computers.

Granted, that this is a very effective method of protecting networks. However, it would seem rather hypocritical of us to cheer for Open Source, the free flow of information, and criticize the Chinese Governments actions; while at the same time, with a couple dozen key strokes, we restrict millions of people from accessing information they so desperately need to further their development. Yes, we need to, and should, cutoff the spam and bot nets from the Internet; however, it needs to be done with more of scalpel and less of a howitzer.

Overall, the restrictions on the Internet in China are first and foremost a function of networks that are overwhelmed by such a rapidly growing user base. One estimate puts the NEW Internet users in China at over 10,000,000 people a month. Even this is perhaps a low figure. Many of my own students never used the Internet until they came to the University. In addition, thousands of inexperienced systems administrators struggle to manage computer systems built and documented for the English speaking community. Secondly, the restrictions on the free flow of information are a function of the network security environment in China. Millions of compromised computers attacking networks inside and outside China, and our inevitable security response to them. Finally, I would list the real efforts of the authorities to restrict information. The reality is, China simply does not have the computing power and expertise to effectively regulate all of the traffic on the Internet. The volume of white noise alone insures this fact. The most effective control methods the authorities have is the simple psychological intimidation associated with showing an ID to use a computer in a public Internet cafe. I might remind the reader that using a computer in a public libraries in the United States also has similar conditions attached.

There are very real controls on the flow of information in China. What needs to be understood is the practical reality for millions of Chinese to access information is far less terrible than what it is made out to be in Western Press, at least on a Political level. Increasingly China is becoming more politically open, if for no other reason than it is a prerequisite for a market economy to function correctly. This will take time. However, on a technical level, the restrictions are far worse than what is recognized outside of China. Because, in the final analysis, not being able to connect is as bad as not being allowed to connect.

Full Story

  Nav
» Read more about: Story Type: LXer Features

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.