I have been researching VPN protocols that work in China and found that Xray [0] is the most recommended route to escape the GFW. An ideal VPN setup is one where packets appear as normal https traffic. Some VPN setups take it a step further and proxy the traffic through Cloudflare. Setting all this up is nowhere as easy as Wireguard. Coincidentally, I came across this project on Github earlier today which is an obfuscation proxy for Wireguard [1], but I haven't found any information about how well it works.
If everyone does this wouldn’t that encourage them to try to do carrier grade SSL decryption? I seem to recall that some country is already doing this and to get online you need to trust the state’s CA.
Well, a long time back, there were proxies such as fqrouter, GoAgent and XX-NET which sent plain but loaded HTTP requests as transport. So I guess if a country decides to ban/decrypt TLS, people can just switch to another proxy/protocol.
Of course, both fqrouter and GoAgent are long gone by now and should not be used. However, it seems that XX-Net is still being actively developed and (according to their project page on GitHub) is currently giving out one million free ChatGPT-3.5 tokens to its paying users...(I mean like... what??? and why???)
X-ray is not the protocol. It's called Trojan-gfw. X-ray is a tool using it. The original (unmaintained) implementation: https://github.com/trojan-gfw/trojan
Yes. I lived in China and that’s how I accessed the internet when my VPN got blocked. They block the port if you connect to it for too long though. Then you will no longer have ssh access to your server without a vpn.
I have noticed many new security and privacy oriented projects use Go and even C/C++.
Wasn't Rust supposed to be the language that should be used to write all security-critical software? What happened? Are crates like rustls/ring still intentionally sabotaging Rust's cryptographic ecosystem with their "we will always be pre-1.0.0 and never have a stable API" philosophy?
>Wasn't Rust supposed to be the language that should be used to write all security-critical software? What happened?
What does "supposed" mean in this case?
There's no one dictating what language "security-critical" or other software will be written in. So, if it was "supposed", it was incorrectly supposed, by people reading some enthusiast posts about Rust and thinking its adoption is inevitable or that it applies to everybody.
In real life, some went with Rust, others chose Go, and others C++, Java, etc.
>Are crates like rustls/ring still intentionally sabotaging Rust's cryptographic ecosystem with their "we will always be pre-1.0.0 and never have a stable API" philosophy?
That could help, but whether Rust has stable crypto crates or not, wouldn't change the fact that teams and projects will use what they wanna use, which is not necessarily Rust.
Just because some enthusiasts went "Rust all the things!" doesn't mean others will follow them.
What do you mean by "unsafe Java"?? Do you mean Java as a language is somehow unsafe? I beg to disagree - it's one of the most scrutinized platforms you can find and widely used in all sorts of security critical software everywhere.
That is because it is popular. Any language that was as popular as java for nearly 30 years will have a large collection of problems. Java avoids a large number of possible problems by being memory safe, but it doesn't avoid them all.
Hyperbola GNU/Linux ditched OpenJDK because of either bugs or patents. The list of Java CVEs is atrocious. Java should've died long ago with Golang and some cross-platform (basic) GUI libraries promoted from Google. Nothing fancy, something like plan9/9front UIs, but enhanced.
Java exists today because of corporateware. Outside of it, it's dead. De-ad.
No one uses Java seriously for emulators, browsers, or basic software. Just ad-hoc company-grade enterprise, like VB6 back in the day.
I don't think this take understands Java's position, relevance, or the roles it serves. Or even what the important categories are that drive most of software development (it's not emulators, browsers - of which there are just a handful, all in C++ - or "basic software", whatever that means).
For starters, Java is by no means used just in "corporateware", if this means some intranet stuff. It's also hugely dominant in server side development (including FAANG) and is used by tons of startups, it's big in banking, high frequency trading, and all kinds of heavy service infrastructure.
That covers the huge majority of programming work, not writing "emulators and broswers" (sic), which is why it's in the top 5 of the TIOBE index.
"GUI libraries" have little to do with, not to mention they're generally irrelevant for most modern programming use cases, which is server/backend or web-based (and where they're not, they're already provided by the host OS and its preferred SDKs).
Also "Hyperbola GNU/Linux"? That yardstick of what's secure?
That doesn't say anything about CVEs and the issues with being not so performant against the new iterations of C# or even PHP >7.
I know that if you were to work in any company, Java would be everywhere, but today the times change. Even the Crustacean lang is preferable against Java on big backends.
On the lighter workloads, Golang works great and it solves the multiplatform issue by cross-compiling from anywhere to anywhere.
These sound like musings based on "coolness factor" and hype, with a very distorted sense of the facts on the ground. Like the kind one gets from reading about various technologies or tinkering rather than actually working with them.
In any case, there's some serious lack of seriousness in the above. I mean, Java "not so performant against the new iterations of C# or even PHP >7"?
JetBrains is valued at $7 billion by the Bloomberg Billionaires Index and they build their popular IDEs in Java... So Java isn't de-ad outside of corporateware...
I know it's used by inertia in some corporate envs and thanks to some GC tunings it looks that it can run really well over long time.
But even with GraalVM, the performance outside big irons leaves much to be desired...
If we're talking about Go, the design of this language is perfect for writing network related stuff; it's pretty easy, safe and stable. The language's stdlib is mature.
As far as I know, in case of Rust you have to rely more on external libraries when you're writing network stuff to make development process less verbose and comfortable. Please, correct me if I'm wrong.
The std libraries in rust are sufficient for most things, but it’s definitely true there are very rich crates for networking with higher level semantics or specialized abilities (for instance async networking is generally done by bringing in tokio or something similar). In rust this isn’t considered bad, and in a lot of situations like embedded systems you don’t want or can’t use std because (for example) posix semantics aren’t available.
Personally I’m not a fan of batteries included languages because they inevitably suffer a Python heat death of standard libraries, as the ecosystem improves faster without the baggage standard libraries carry intrinsically.
Hence, IMO the fact std provides a highly common and simple layer and external crates provide opinionated ergonomic interfaces is a feature, not a flaw, of rust. The crate ecosystem in rust is exceptionally good.
Go uses garbage collection, while Rust uses manual memory management with borrow-checking to ensure safety. Both are just as safe, but garbage collection is slower while Rust's manual memory management requires a lot more effort on the part of the developer. In particular, the performance of garbage collection is less predictable, making Go unsuitable for things like audio processing or video games, where you need to reliably deliver data every few milliseconds to avoid crackling audio or weird glitches. In Rust, you can predict exactly when memory will be freed, and if part of your code must always run in a predictable amount of time, this can be done. Go doesn't give you that guarantee. This isn't very important in traditional client-server apps, CLI tools etc, so go is usually fine for those.
In addition, Go requires a runtime, which is somewhat heavy. This makes it pretty unsuitable for kernels, software that runs on bare metal, microcontrollers etc. Rust doesn't have that problem.
However, Go is usually much faster to write in, as you don't have to worry about managing memory and proving to the borrow checker that you're doing it correctly. The fact that you have Goroutines instead of OS threads also makes it easier to handle lots of concurrent activities, like in a web app that concurrently handles many requests.
With a single execution context this is true. But, whereas you simply can't write data race bugs in Safe Rust†, in Go you can write them and they blow up your safety guarantees. If you race something trivial, Go promises (unlike C or C++) that this doesn't immediately set fire to the world: the raced trivial object (say, an integer) is ruined and you must not touch it, but if you stay away from that object your program has clearly defined behaviour. Unfortunately non-trivial objects (say, a slice) are immediately Undefined Behaviour when raced.
† This falls out of the mutability rules. A data race is when somebody else modifies something at "the same time" as you're using it, e.g. thread A changes actor to "Steve Buscemi" from "Susan Sarandon" at the same moment thread B is printing the actor out and oops, we write "Susan Sarcemin" or crash or something different happens, who knows. Rust says you can't have multiple aliases and mutability, so this never happens.
To be pedantic, Go strings are immutable and will carry different pointers to different underlying rune slices, so the reader would just display one string or the other, not "Susan Sarcemin".
That said, I'm not sure why developers freak out over races so much. Races that result in simple display of data that's one nanosecond old are typically not a failure condition in most applications. Actual failure conditions from races are usually from read-operate-writes like increments/decrements/etc. And for these, we have tons of solutions, anywhere from atomics to transaction contexts to CRDTs, etc.
> I'm not sure why developers freak out over races so much
In all languages if you cause a data race you lose Sequential Consistency. Java's experience teaches us that even if you go to extraordinary lengths to ensure that everything else is still fine, programmers cannot reason about non-trivial software without Sequential Consistency and so now they can't fix it. In something like C or C++ all races are Undefined Behaviour, all bets are off. In Go as we saw some data races aren't immediately dangerous but even if you're careful you do lose Sequential Consistency and so good luck doing anything when you don't understand what your program means any more.
> And for these, we have tons of solutions
If you put the solution in place and thus prevent a data race, you don't have a data race. Now, when was the last time you wrote a program in which you got everything right first time?
> To be pedantic, Go strings are immutable and will carry different pointers to different underlying rune slices,
I wasn't thinking specifically about Go for this example, but alas Go's strings aren't trivial objects, and so this data race would be immediate UB in Go, whereupon "Susan Sarcemin" while still very unlikely is not impossible. The text (underlying rune slices? really? I guess that would be on brand but it's a bad idea) isn't getting mutated, but your string typed value is, and that is a non-trivial object.
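To make the point about racing a string-typed value concrete, here is an added example in Go (not code from anyone in the thread). It races a bare string between a writer and a reader, then runs the same swap behind a sync.RWMutex and behind atomic.Value. The two actor names are the constructed input borrowed from the example above. Only the guarded versions are meant to be relied on; the racy one is kept so that `go run -race .` has something to report.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// The two complete values a reader is allowed to observe (constructed input,
// taken from the "Susan Sarandon"/"Steve Buscemi" example in the thread).
const (
	actorA = "Susan Sarandon"
	actorB = "Steve Buscemi"
)

// whole reports whether s is one of the two complete values. A torn string
// header (pointer from one value, length from the other) fails this check.
func whole(s string) bool { return s == actorA || s == actorB }

// swapLoop runs one writer that flips the value `rounds` times and one
// reader that samples it `rounds` times, counting samples that are not whole.
// set/get are injected so the same driver exercises each sharing strategy.
func swapLoop(rounds int, set func(string), get func() string) int {
	var wg sync.WaitGroup
	torn := 0 // written only by the reader goroutine, read after wg.Wait()
	wg.Add(2)
	go func() {
		defer wg.Done()
		for i := 0; i < rounds; i++ {
			if i%2 == 0 {
				set(actorB)
			} else {
				set(actorA)
			}
		}
	}()
	go func() {
		defer wg.Done()
		for i := 0; i < rounds; i++ {
			if !whole(get()) {
				torn++
			}
		}
	}()
	wg.Wait()
	return torn
}

// racySwap shares a bare string variable with no synchronization. A Go string
// is a two-word header, so this is a data race on a non-trivial object and the
// program's behaviour is undefined. `go run -race .` flags it. This is the
// "before" picture; do not copy it.
func racySwap(rounds int) int {
	actor := actorA
	return swapLoop(rounds, func(s string) { actor = s }, func() string { return actor })
}

// mutexSwap guards the string with an RWMutex: the writer excludes readers,
// so every read observes one complete header.
func mutexSwap(rounds int) int {
	var mu sync.RWMutex
	actor := actorA
	set := func(s string) { mu.Lock(); actor = s; mu.Unlock() }
	get := func() string { mu.RLock(); defer mu.RUnlock(); return actor }
	return swapLoop(rounds, set, get)
}

// atomicSwap publishes the string through atomic.Value, which stores and
// loads the whole value behind a single atomic pointer swap.
func atomicSwap(rounds int) int {
	var actor atomic.Value
	actor.Store(actorA)
	set := func(s string) { actor.Store(s) }
	get := func() string { return actor.Load().(string) }
	return swapLoop(rounds, set, get)
}

func main() {
	const rounds = 100000
	fmt.Println("racy   torn samples:", racySwap(rounds), "(undefined; run with -race)")
	fmt.Println("mutex  torn samples:", mutexSwap(rounds))
	fmt.Println("atomic torn samples:", atomicSwap(rounds))
}
```

The torn count from racySwap is not something to assert on: it is usually zero on amd64 because the two literals sit next to each other in read-only memory, which is exactly the "very unlikely but not impossible" situation described above. The race detector, not the observed output, is the evidence that the program has no defined meaning.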
I don’t know what you mean by manual memory management. Memory management in rust is fully automated. The only manual thing is if you want to annotate lifetimes to ensure memory is available past implicit lifetimes, or if the lifetime of something can’t be automatically derived. Borrow semantics are not manual memory management. You don’t directly control when memory is freed in rust, but because it’s (often) stack based it’s usually pretty obvious memory is freed when the stack is unwound.
I feel like you’re confusing rust with c/c++ in this discussion.
I don’t find go faster to write in at all. I feel like they’re about the same, but I find go package management to be a mess and prefer cargo. Rust however does require you to be more aware of memory lifetime and ownership, and provides generally better performance in exchange.
What if "C/C++" is not actually a thing and modern software engineering practices are what actually make software safe? Writing modern C++ with good test coverage, sanitizers deployed and wrapping critical/unsafe parts into safe interfaces gets you _very_ far.
I don't necessarily disagree with you about C/C++ (or even Brainfuck) but some languages have the tendency to push you in the right direction and I've come to appreciate those more with time.
Unfortunately far too many people writing C++ are not writing modern C++. Most are writing C with classes.
You can write memory unsafe code in rust, including memory management if you want - you just have to wrap it in unsafe which at least clues others in to watch this area carefully. In C++ you can put unsafe code anywhere. Sometimes unsafe is really needed, rust makes it hard enough to write unsafe code that you will only do that where you must and then jump back to safe code. In C++ you are likely to mix safe and unsafe code all over and that makes audits harder.
Wishing for something won't make it come true. C++ has had decades to get this to where it needs to be, there's no reason to hope that if we just give them another chance they'll get it right this time when you can instead use a language which got it right.
Bear with me on this one. Look at Cuba, and North Korea. Those two suffer famines, crippling blackouts, and the harrowing and pervading stench of failed civilization. Yet, the citizens of neither of those countries are trying to topple their government. How do they manage? Massive brainwashing, which is in turn made possible by controlling access to information.
Cuba, the case I'm most familiar with, is very interesting because (so far) it doesn't much limit access to outside information using the Internet[^2], but only official newspapers, books, radio and TV programs are allowed.
I have this view that the information that the citizens of a country consume is like the regulatory signals of an organism. For a healthy organism, those signals must be coherent, otherwise some terrible disease will consume the organism.
Of course, as a creature of the enlightenment, I hate that notion. I want my information to be free.
But in the big scheme of things, the way I feel about it just doesn't matter. It's enough that states that police the information their citizens consume live longer than states that don't. How to get from now to then is an open problem in some cases, but everybody is trying. CP and terrorism, and the vague term of "national security," are the vanguard which is being used to drive down the door on privacy in the Western countries, though the battle is already lost in much of the rest of the world.
The asymmetry in DPRK prevents overthrow by the citizenry. It would need to happen by a coup / military overthrow. Read a book by an escapee and you'll see that DPRK will execute people in the streets which keeps the populace under control.
I'm a little confused what Russia has to gain from this. My impression was previously that Russia was somewhat of a wild west when it came to piracy and internet restrictions.
To make things weirder, the article claims that only mobile networks are affected. I wonder why that is. Is this just the decisions of a handful of telcos and it's being reported as a state-imposed restriction?
Edit: also in my opinion, "blocking at the protocol level" is a bit misleading since they can't actually see the packet contents. Wireguard for example is just UDP packets. They have to infer from other patterns that the traffic is Wireguard and drop packets that meet those criteria.
This isn't about cracking down on piracy or anything of that sort. It's about slowly getting control of the media and information channels that Russian people have access to. The same playbook that China has been using since forever. Authorities have been encouraging popular Internet celebrities to start posting their content on local networks/apps, so in time Western media sources like Youtube and Twitter will be blocked. The government wants to get full control of the information channels so it can squash dissent easily.
I don't live in China. Yet I'd very much like my country having its own national software stack (OS, search engine, browser, social media apps). All is fine for you guys in the US, but you forget when our national interests conflict with yours or big tech corporations or when the privacy of our citizens is concerned, it happens to be a national security issue. I trust my own government to not spy on me unnecessarily, and even if I'm to be spied by someone, I'd prefer my own government who is far more likely to act in my best interests than the three letter agencies of US.
I don’t disagree with this, but it would be better to have a stack that’s not controlled by any government but is based on technical standards - not governmental dictates or corporate control.
I would also note that in your country the US agencies have no authority. However your own government can use that information to imprison you or otherwise exert its jurisdictional control. I think that’s generally what people worry about. It’s hard to imagine a reason the US government would care about you as a citizen of X country, whereas there are lots of governments who oppress their citizens for being themselves and for who they associate with.
> it would be better to have a stack that’s not controlled by any government but is based on technical standards
That era of globalization is slowly passing away.
> I would also note that in your country the US agencies have no authority.
No, it plenty does. Not well-known on the west side of the internet, but the US can and did easily order our governments to have individuals (whom it saw as influential in directions it didn't want) imprisoned, tortured and executed. And this is just the cost-effective side of the coin. Three letter agencies can make anyone disappear. I just searched for almost 25 mins for an article documenting such a case. I was able to find it several times in the past with increasing difficulty. It's not even on the webarchive now. I think the article was finally nuked by some agency.
> there are lots of governments who oppress their citizens for being themselves and for who they associate with.
Not everyone agrees with the idea that individual freedom extremism is good, or that everyone should be allowed to do or say anything as long as it doesn't adversely affect others. In fact in this side of the world we think that's a silly and naive standpoint.
It’s only passing away if people let it. However, I’d note that it’s only passing away in a small number of authoritarian regimes, and technical standards dominate the stack for the parts of the world who value openness. I don’t think this is a “west vs east” thing, but a valuing of open societies.
I think people in many parts of the world would like to see the “others” oppressed - until tides change and they find themselves the “others.”
Once you allow someone to decide some thoughts are a crime because they agree with your views, it’s just a matter of time before that prison is open to your way of thinking.
On the CIA and extraordinary rendition and other things, yes I know it exists. My point isn’t that. My point is that your government does it a lot more and the likelihood of being snatched up by your government (wherever you are) is absurdly higher than the US breaking into your home and extracting you. That it happens is unacceptable but it’s also structurally rare to the point it’s news worthy.
I for one feel sorry for people who are imprisoned for no other reason for the people they love, the ideas they have, the way they view the world. I will welcome them to my side of the world with open arms and wish them peace, and mourn the loss of their home to people who feel they must hurt people for being alive.
Edit: I literally found the article from my childhood project of replicating the website of the article, sitting in Google Drive trash, awaiting the 30days deletion. I searched for the exact title and indeed the article is nuked from the entire internet including webarchive except mere links on FB and Twitter. Three letter guys caught red handed. Here's the data of the article: https://drive.google.com/drive/folders/1wjPH5hN-uyATlO7K3Ynz...
Open the metin.txt for article. veri.json is metadata, 'baslik' means title. I hope my google account will not be burned over this.
I agree, this is egregious. At least I’m allowed to say that and advocate strongly against such stuff without fear of reprisal. In many parts of the world I wouldn’t be allowed to criticize the government. (In fact I’m vacationing in one right now)
Edit: I think the fact that typing his name into a browser provided me not just Wikipedia but hundreds of websites advocating on his behalf, but you couldn’t find an article after 25 minutes of searching and fear you’ll be in some sort of trouble for having it in your Google drive exemplifies my point. An open internet isn’t just a tool for evil by the deranged. It’s how the good and the just know the truth.
Edit 2: by the way, thank you for the respectful discussion here, we don’t all have to agree on things but it’s wonderful to discuss with folks that aren’t part of the echo chamber.
Yeah, the case is on wikipedia but the original article from muslimskeptic.com is gone. I found the article last time from webarchive, the article is gone from there too. I appreciate you as well.
> if I'm to be spied by someone, I'd prefer my own government who is far more likely to act in my best interests than the three letter agencies of US.
I'm also aware of an opposite opinion: if I'm to be spied by someone, it's better to be a three letter agency overseas, since it's much harder for them to harm me, than a three letter agency in my home country, which can just knock at my door.
And thanks for the comment. Indeed, I was thinking about countries like Russia, where US three-letter agencies don't have extradition power, as far as I know (thinking about Snowden). Countries like mentioned in that thread, indeed, have more complicated relationships with US.
Tech nerds often don't realize how much the world of software is subject to the real world. You can be cut off access to any technology if your country is not willing to give its natural resources to another. No different from trade sanctions. Open source is a bunch of individuals helpless in the face of orders from Pentagon to close it all up.
* You won't have the expertise to quickly build your own solutions when this happens and you are cut off from a certain technology. A browser is a beast to implement as we all know.
* You can't trust that e.g. Chromium as audited by American "experts" is really not phoning home if it detects the IP is from e.g Turkish defense corporation A's RD center.
* You need to have that software-skilled workforce anyway to ensure technological progress of your country.
I fully agree with you. Digital sovereignty is important for countries and it makes sense that they are trying to become digitally independent. The bad part is that in this particular instance, it will be used against the people.
I would say that better goal would be for individuals to be digitally sovereign, and not countries. Individual digital sovereignty protects us from external and internal oppression.
I'm afraid that's technically not possible. Internet is inherently centralized due to the need for ISPs, and there are TLS CAs, TSMC, and many more things. Current sophistication of technology needs centralization for its manufacture and use.
But are you going to block the US/Europe on your national network so that your citizens live in a silo. Are you afraid of free flow of information or of your citizens seeing it? That's what Russia, China, and North Korea do, is that what you want in your country?
I don't directly propose blocking the rest of the world, but e.g. using a national social media app implies banning foreign ones. I'd very much like the personal data and the advertising income mined from the eyeball time of citizens to not cross the borders of my country. This is not to mention a state-run app would have just enough ads to pay for the costs of the service, and maybe even none if it's ruled in the parliament that advertisement is harmful to the wellbeing of citizens.
> Yet I'd very much like my country having its own national software stack
The question is would you take that at the expense of blocking the big American corporations? That's probably really how the Chinese have developed their own to this degree. For example they weren't ubiquitous but Google was starting to make headway in China in the late 00s when the gmail hack/Google ban/GFW started. Baidu is not a quality service (though maybe because of government restrictions)
If the CIA/NSA spies on you what would a plausible bad outcome look like?
If the Chinese government spies on you and finds some behavior it finds unacceptable your social credit tanks and you cant travel, send your children to a good school....
Many non-western countries do not share cultural values with western countries. As an example, see the number of anti-LGBT people in Georgia (the country, not the state of Georgia in US) – it's not just a small protest, but thousands of thousands of people. When it comes to Russia, they are doing it for the same reasons, but also in response to the sanctions: "If you don't want to work with us, you won't get any traffic from our country". Every country in the world seeks to control information; Russia is not unique in this regard. The primary reasons they are blocking the Internet are sanctions and an attempt to preserve conservative values.
People won't be able to read anything contradicting the government's point of view. It is important for stability in society that there is only correct and truthful information and no false foreign propaganda seeding distrust in the government (e.g. by falsely claiming that high-ranked officials own expensive villas in Europe that they cannot afford with their salary).
> only mobile networks are affected. I wonder why that is.
Because it is only testing stage now.
> Is this just the decisions of a handful of telcos
Why would telecoms spend money on censorship by themselves? It doesn't increase their profit.
> Wireguard for example is just UDP packets.
WireGuard packets are not obfuscated and can be easily detected. And even if it was obfuscated, everything that doesn't look like HTTPS can be blocked without causing much troubles.
> My impression was previously that Russia was somewhat of a wild west when it came to piracy and internet restrictions.
Your impression was absolutely wrong. Before war, Microsoft and other big western companies along with police hunted companies which tried to use pirate software. So it was not a good idea to use pirate software for company in Russia, at least if you're big enough to be noticed. Ordinary people were kind of ignored, AFAIK.
Both Internet restrictions and surveillance also were present in Russia in the recent years. Officially to protect children, unofficially to suppress opposition as well.
> Your impression was absolutely wrong. Before war, Microsoft and other big western companies along with police hunted companies which tried to use pirate software. So it was not a good idea to use pirate software for company in Russia, at least if you're big enough to be noticed. Ordinary people were kind of ignored, AFAIK
Didn't they say somewhere that in response to the sanctions imposed early in the war they were going to go lenient on piracy? I wonder if that promise ever amounted to anything, or if it was just empty words.
I'm not aware of any real steps about that. Probably empty words.
There are enough software makers in Russia, so allowing piracy would just make their life harder. Like why would you want to buy КОМПАС-3D for some hefty price if you can pirate Autocad for free.
Since enforcement was at the behest of the behemoths, I dare say they stopped. No need to try to make Microsoft and Disney willing to do business in Russia if they’re banned from doing so.
In a strange twist, I'm currently in Russia and use a VPN almost daily, but not for news — English-language news sites from HN to CNN simply aren't blocked, and to watch out for any new scary local stuff I find it most convenient to subscribe to Meduza in Telegram AND read a Russian news site such as lenta.ru "between the lines".
Websites I need a VPN for most of the time are ones that just don't like users with Russian IPs, like my Western credit card company.
> If I was denied access to information sources I trust I would not go and swallow state propaganda.
It seems there is always a segment of the population that takes up nationalism/populism. You don't need a majority to enable authoritarianism, just enough to ease them into power, maintain the facade of support and help chill dissent.
From my days of piercing the great firewall of china, as long as you’re somewhat technically adept AND have access outside somehow AND aren’t currently in the crosshairs it’ll work fine.
Are you using port 51820 or a different port for your Wireguard endpoint? Just curious as I have read where others have used different ports to circumvent DPI.
Yes, I'm using 51820, but good idea to change it. I actually have 2 setups. One is a home router with a WireGuard server built in, the second is my Tailscale mesh network using an exit node at home in the USA.
I've read that some people have used port 853 to mimic encrypted DNS or other ports less than 1024 to circumvent some WireGuard limits. I've yet to run into that.
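The "they have to infer from other patterns" and "WireGuard packets are not obfuscated and can be easily detected" comments above, and the port-shuffling in the last few replies, come down to a handful of bytes. Here is an added example in Go, not code from anyone in the thread or from the WireGuard project, that classifies a UDP payload by WireGuard's message format alone: the type byte, the three reserved zero bytes after it, the fixed handshake lengths (148, 92 and 64 bytes) and the 16-byte-aligned transport layout. The sample payloads are constructed, not captures. The destination port is deliberately not an input, which is why moving an endpoint from 51820 to 853 changes nothing for this kind of check.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Message type byte at offset 0 of every WireGuard UDP payload.
const (
	typeHandshakeInit     byte = 1
	typeHandshakeResponse byte = 2
	typeCookieReply       byte = 3
	typeTransport         byte = 4
)

// Fixed sizes from the protocol. Transport messages are a 16-byte header
// followed by ciphertext whose length is a multiple of 16 (plaintext padded
// to 16, plus a 16-byte tag), so an encrypted keepalive is exactly 32 bytes.
const (
	lenHandshakeInit     = 148
	lenHandshakeResponse = 92
	lenCookieReply       = 64
	lenTransportHeader   = 16
	lenTransportMin      = lenTransportHeader + 16
)

// Verdict is what a DPI rule would act on. Kind is "" when the payload does
// not fit the wire format.
type Verdict struct {
	Kind    string // handshake-init, handshake-resp, cookie, transport
	Index   uint32 // sender index (handshakes) or receiver index (cookie, transport)
	Counter uint64 // transport nonce counter, 0 otherwise
}

// classify inspects only the payload. Ports are ignored on purpose: the
// signature lives in the bytes, not in 51820.
func classify(p []byte) Verdict {
	if len(p) < 8 {
		return Verdict{}
	}
	// Bytes 1..3 are reserved and always zero on the wire.
	if p[1] != 0 || p[2] != 0 || p[3] != 0 {
		return Verdict{}
	}
	idx := binary.LittleEndian.Uint32(p[4:8])
	switch p[0] {
	case typeHandshakeInit:
		if len(p) == lenHandshakeInit {
			return Verdict{Kind: "handshake-init", Index: idx}
		}
	case typeHandshakeResponse:
		if len(p) == lenHandshakeResponse {
			return Verdict{Kind: "handshake-resp", Index: idx}
		}
	case typeCookieReply:
		if len(p) == lenCookieReply {
			return Verdict{Kind: "cookie", Index: idx}
		}
	case typeTransport:
		if len(p) >= lenTransportMin && (len(p)-lenTransportHeader)%16 == 0 {
			return Verdict{Kind: "transport", Index: idx, Counter: binary.LittleEndian.Uint64(p[8:16])}
		}
	}
	return Verdict{}
}

// synthetic builds a zero-filled payload of the given size with the type byte
// and little-endian index set. Constructed test input, not a capture.
func synthetic(typ byte, size int, index uint32) []byte {
	b := make([]byte, size)
	b[0] = typ
	binary.LittleEndian.PutUint32(b[4:8], index)
	return b
}

// syntheticTransport adds the counter and a ciphertext of the given length.
func syntheticTransport(index uint32, counter uint64, ciphertextLen int) []byte {
	b := synthetic(typeTransport, lenTransportHeader+ciphertextLen, index)
	binary.LittleEndian.PutUint64(b[8:16], counter)
	return b
}

func main() {
	badReserved := synthetic(typeHandshakeInit, lenHandshakeInit, 0x1234)
	badReserved[2] = 0x42
	samples := []struct {
		name string
		p    []byte
	}{
		{"wg handshake initiation", synthetic(typeHandshakeInit, lenHandshakeInit, 0x1234)},
		{"wg handshake response", synthetic(typeHandshakeResponse, lenHandshakeResponse, 0x5678)},
		{"wg keepalive", syntheticTransport(0x1234, 7, 16)},
		{"wg data, 1420 B inner packet", syntheticTransport(0x1234, 8, 1440)}, // 1420 padded to 1424 + 16 tag
		{"right length, reserved byte set", badReserved},
		{"QUIC-style long header on 853/udp", append([]byte{0xc3, 0, 0, 0, 1}, make([]byte, 1195)...)},
	}
	for _, s := range samples {
		fmt.Printf("%-34s -> %+v\n", s.name, classify(s.p))
	}
}
```

The last sample shows why port 853 buys nothing: a QUIC-shaped datagram on that port is left alone while a 148-byte type-1 message on the same port is still flagged. A real DPI box would add flow context on top of this (a 148-byte message answered by a 92-byte one from the same peer pair), which is the "infer from other patterns" part; that part is what an obfuscation layer has to break.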
My office in Moscow has IPsec tunnels and is fine, but we also see no outages other than the occasional last mile loss on one of the circuits (not at the same time). Maybe that’s because it’s a business line.
> I'm a little confused what Russia has to gain from this. My impression was previously that Russia was somewhat of a wild west when it came to piracy and internet restrictions.
Is it not obvious? Russia has long blocked many apps associated with the west, such as Facebook, Twitter etc. and promotes the use of Russian-only webspace. Because the people are not stupid, many evaded this act of censorship with VPNs. It was a surprise VPNs were permitted for as long as they were.
“Beware of he who would deny you access to information, for in his heart he dreams himself your master.” -- Pravin Lal
Also, it's not just mobile operators. Major ISPs (with millions of customers) have some sort of DPI, or at the very least enforce the state's blacklist (which includes such "nefarious" websites such as FB, Linkedin, Medium, etc)
A dictator has made some ridiculously bad moves and now fears that his time may be wrapping up. The (arguably correct) move from his perspective is to control the information space as strongly as possible. Ideas and truth are his enemy right now.
> I'm a little confused what Russia has to gain from this.
Nothing at all. It's a pointless exercise with which some cyber security apparatchik in Putin's regime hopes to earn kudos from his credulous betters.
In fact it will likely be detrimental once the filter forces communication of legit traffic (...) to propagate without VPN, which you know will happen the minute someone gets inconvenienced.
1.5 years into a "3-day operation" against a smaller, poor country armed with hand-me-downs and some of the Western peacetime production does not fit the narrative of the 2nd best army in the world.
It's embarrassing for the government that there are even talks about them running out of tanks.
Locking down the internet supposedly helps against espionage and allows easier control of the news narrative. Authoritarian regimes are always very concerned with that because the lack of open political discussion makes them seem very stable and united until the very last moment.
Additionally, Putin has a deep-seated mistrust of technology and the internet.
If you’re a dictator who just survived an abortive coup, then, yeah, you’re probably going to want to tighten control on what people can and can’t see. Putin is very weak right now, and likely feeling extremely insecure. For good reason; like, you would not want to be his life insurance provider right now.
This sort of thing is as likely to be emotional support censorship for Vlad's benefit as anything else; hard to imagine it being very effective, certainly. Expect more and more ineffectual crackdowns on information as he deteriorates.
> you would not want to be his life insurance provider right now
Why not? Sounds like the perfect scam, collect the $$$, funnel it to some offshore account. When Putin dies the chaos of succession ensures that nobody will be able to attempt to collect before I leave the country.
I mean, I'm not sure how it works in Russia, but in most countries the insurance industry is about the most heavily regulated part of the finance industry, particularly since the financial crisis; that would be difficult to pull off :)
(Now curious whether "client became a dictator and is currently provoking people into murdering him" is sufficient basis for an insurer to get out of a policy...)
Probably because Telegram is a state-level honeypot. The chances a place like Russia would have its population (and lots of people in what they consider their "ex-colonies") communicate over a platform that they can't intercept and monitor are zero. Add a track record of technical incompetence and an absurd backstory of the founder that escapes from state control to .. Cyprus of all places.
Was wondering about those friendly fire incidents that keep cropping up from Russian units - one unit got arty on them by the Ukrainians and then they requested counter-fire but their own side dropped it on them instead.
It caused a lot of issues for Russians when they tried to block it, because they basically blocked entire sections of AWS and GCP.
The real tinfoil hat is assuming that they allow it because it's compromised; the founder of Telegram has absolutely no love lost for the Russian state, they basically seized his company (VK; a hugely popular facebook-like which also has a music player and such) and all his assets that were in the country after trying to exert control over him (and his desire not to be controlled); that's why telegram was founded in the first place.
Of course, I have no first-hand account except watching as my video game became unplayable for Russians while the Telegram blocking was happening and my GCP rep explaining it to me, and that I had an Estonian girlfriend for 7 years who was giving me the play-by-play on what was happening.
Possibly the easiest thing to exist in error or for the state to fabricate and yet you didn’t even provide a citation.
tsk
Dude is literally living in exile, yet you claim allegiance by him being affiliated with Russia, when his only crime here was being born there and thus having some ties.
Seems crazy to me. Like, cold-war propaganda crazy.
This idea that Telegram is somehow nebulously "the enemy" and Signal is "the virtuous" is so patently and clearly a propaganda campaign, and we fall right into it.
The point of Signal having end-to-end encryption is to avoid trust. Telegram, on the other hand, relies on trust. Obviously that's going to attract more criticism.
That argument doesn't work when you can't reliably distribute and run your own clients, and given that they (Signal) have hidden updates for over a year to work on MobileCoin in the dark (proving their willingness and ability to do this) it leaves little left for that argument; there's also a bunch of other stuff but that is meaningless to get into. The point is that Signal mostly also boils down to: "trust us".
On the other hand, while you are totally right about Telegram being quite a bit "trust us", they have better UX and are not at all hostile to third party clients and alternative implementations of their "secure" messaging protocol.
Which is also the subject of a lot of controversy of course, because (*puts on tinfoil hat*) it was originally handrolled and not US cryptographer approved.
(always get downvoted when I point out that Signal is doing weird stuff which only serves really to solidify my stance)
For reasons, yes, but not the nefarious ones you seem to imply. They tried multiple times in the past and created a lot of problems for other services as a side effect. Also, a large portion of the Russian population and military use Telegram for communication.
Ah, of course. Good ol' Russia furthering its reach of state propaganda and brainwashing its people into truly believing that Russia doesn't invade, but instead saves other countries.
Source: Am from Estonia, and a lot of Russians living here very much believe this.
I set up a WireGuard server for my family back in Russia in the first days of the war and since then have provided VPN access to a few more families. It's been a lot more stable than relying on popular VPN providers, who get banned one after another.
Any advice on alternatives to WireGuard, if the Russian government manages to ban it at the protocol level with DPI?
While working in an environment where VPN connections were pretty much all blocked⁰ a friend of mine had success using https://guacamole.apache.org/ to access a remote machine¹. Not quite the same as a direct VPN connection but worth a try if nothing else functions, it looks enough like normal HTTPS traffic that he got away with it.
I once tinkered with https://github.com/yarrick/iodine and successfully connected to resources over the wireless on a train, bypassing its traffic capture and sign-up requirement, so that might be an option, though I think fully blocking external DNS is more common now so this is less likely to work²³.
--
[0] practically only HTTP(S) permitted, not even SSH, DPI in use that detected just using SSH or OpenVPN over port 443
[1] NOTE: be careful breaching restrictions like this, you are at risk of an insta-sacking if discovered, or worse if operating in some security environments!
[2] and the latency when it does work is significant!
[3] and that much traffic over port 53 might get noticed by the heuristics of a data exfiltration scanner, encouraging sysadmins to notice and implement a way to block it
Most of these nation-state-run blocking attempts tend to block known VPNs but allow ssh through. So, my suggestion would be ppp over ssh. See https://tldp.org/HOWTO/pdf/ppp-ssh.pdf for more details. You'll need a Linux-ish server, and you'll need to fiddle with routing tables on both the server and the client to get the incoming VPN connections to be able to contact the wider internet. But it's probably the least likely to be blocked.
Using Links+ to proxy all info into that not leaking everything should be mandatory. TOR, I2PD, anything.
If you are using a JS based browser, you don't deserve security in the first place.
If anything, you can always use torsocks and yt-dlp to fetch all media.
If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously. OFC you won't get images, but at least you would be able to read news nicely formatted either from gemini://gemi.dev or natively from offpunk.
Non-techie Russians can use Lagrange on Android and gemini://gemi.dev to read most media through an HTTP->Gemini proxy which does a great job of reformatting the sites and cutting down the bandwidth.
Basic English is required, but if you can read "News Waffle" and copy the URL into that dialog box, you can get lots of interesting sites.
> If you are using a JS based browser, you don't deserve security in the first place.
In some cases, that is true, but not all, and I suggest not even most. In many cases, I think people are just as culpable for being unwilling to use Whonix.
> If I had time I could set up a tutorial not to use SSH as a proxy, but as a client to a remote VPS/tilde to use the offpunk client there to browse web/gemini and gopher sites anonymously.
Aside, it's a shame that it's not common practice to provide resource gleanings in the form of such access to random others from one's VPS. An easily reproduced NixOS environment in VM with locked down containers proxying through a local tor instance(s) would scale up alright and significantly limit risks for the donor. I find very few people take up the offer to even use another's VPS though.
>WireGuard does not focus on obfuscation. Obfuscation, rather, should happen at a layer above WireGuard, with WireGuard focused on providing solid crypto with a simple implementation. It is quite possible to plug in various forms of obfuscation, however.
>TCP Mode
>WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.
* Heuristics to detect the WireGuard protocol:
* - The first byte must be one of the valid four messages.
* - The total packet length depends on the message type, and is fixed for
* three of them. The Data type has a minimum length however.
* - The next three bytes are reserved and zero in the official protocol.
* Cloudflare's implementation however uses this field for load balancing
* purposes, so this condition is not checked here for most messages.
* It is checked for data messages to avoid false positives.
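The heuristics quoted above, implemented as an added Python check over constructed UDP payloads (this is example code, not the thread's or the Wireshark/WireGuard projects' own); it assumes the message sizes fixed by the WireGuard protocol (initiation 148, response 92, cookie reply 64, data at least 32 bytes) and shows why a bare WireGuard packet is easy for DPI to fingerprint unless an obfuscation layer hides it:

```python
# WireGuard message types: the first byte of every UDP payload (protocol spec).
MSG_HANDSHAKE_INITIATION = 1
MSG_HANDSHAKE_RESPONSE = 2
MSG_COOKIE_REPLY = 3
MSG_DATA = 4

# Fixed sizes of the three handshake-related messages. Data messages carry a
# 16-byte header (type + reserved, receiver index, counter) plus at least the
# 16-byte Poly1305 tag, so an empty keepalive is 32 bytes.
FIXED_LENGTHS = {
    MSG_HANDSHAKE_INITIATION: 148,
    MSG_HANDSHAKE_RESPONSE: 92,
    MSG_COOKIE_REPLY: 64,
}
DATA_MIN_LENGTH = 32


def looks_like_wireguard(payload: bytes) -> bool:
    """Return True when a UDP payload matches the dissector heuristics.

    - byte 0 must be one of the four message types
    - the length must equal the fixed size (or reach the minimum for data)
    - the three reserved bytes must be zero only for data messages, since some
      implementations reuse that field for load balancing on handshakes
    """
    if len(payload) < 4:
        return False
    msg_type = payload[0]
    reserved = payload[1:4]
    if msg_type in FIXED_LENGTHS:
        return len(payload) == FIXED_LENGTHS[msg_type]
    if msg_type == MSG_DATA:
        return len(payload) >= DATA_MIN_LENGTH and reserved == b"\x00\x00\x00"
    return False


# Constructed sample payloads (not real captures): zero-filled bodies of the
# right length are enough, because the heuristics never look past byte 3.
SAMPLES = {
    "initiation": bytes([1, 0, 0, 0]) + bytes(144),
    "initiation_reserved_reused": bytes([1, 0x12, 0x34, 0x56]) + bytes(144),
    "keepalive": bytes([4, 0, 0, 0]) + bytes(28),
    "data_nonzero_reserved": bytes([4, 1, 0, 0]) + bytes(28),
    "unknown_type": b"\xc0\x00\x00\x00" + bytes(28),
    "truncated_data": bytes([4, 0, 0, 0]) + bytes(10),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:28s} wireguard={looks_like_wireguard(packet)}")
```

The "initiation_reserved_reused" sample matches despite non-zero reserved bytes, which is exactly the Cloudflare case the comment describes; a UDP-over-TCP or HTTPS-shaped wrapper changes both the first byte and the length profile, which is why the obfuscation layer sits above WireGuard.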
No problems here, just the test. See what kind of response we get for known workarounds so we can bring out a more comprehensive blocking program in the future.
I think this is a good thing. Apply obfuscation on top of WireGuard, that way you can have the functionality and security of the WireGuard tunnel and swap between different obfuscation techniques as needed.
The idea is you connect to the wireguard UDP port from one of the obfuscation tunnels.
laptop -> obfuscation tunnel (udp2raw/iodine/ssh/tor/wstunnel/etc.) -> wireguard UDP port. Though some protocols like ssh or tor only support TCP, so you have to run an additional tunnel in the machine to get to wireguard (udp-over-tcp).
All decent VPN protocols should masquerade as HTTP/2 or HTTP/3. For this reason WireGuard is pretty useless, as it can be easily detected (and it is not secure because it requires running code in the kernel).
I disagree. I think it's good that implementing a secure network tunnel and obfuscation are separate. WireGuard can handle the secure tunnel functionality while I can apply any sort of obfuscation protocol on top of it without worrying about its security or having to reconfigure the network, like udp2raw, iodine, shadowsocks, websockets, etc.
[0] https://github.com/XTLS/Xray-core
[1] https://github.com/database64128/swgp-go