Re: Firewall USA to Firewall China

[daw@dawn7.CS.Berkeley.EDU (David A Wagner)]

-----BEGIN PGP SIGNED MESSAGE-----

In article <199602130139.RAA11162@mage.qualcomm.com>,
Peter Monta <pmonta@qualcomm.com> wrote:
> > [ Jim Clark, "Firewall China" ]
> >
> >   A: A lot of people think that's not possible. It's difficult to enforce,
> >   but it's certainly possible. A corporation has a so-called fire wall -- a
> >   single point of entry into the corporate net. You can have a country
> >   that has a single point of entry into its "country net." It's doable. All
> >   you need, though, is one breach of security, and there's a leak.
> > 
> >   A fire wall is a filter -- it filters and doesn't let certain people come in.
> >   You can only come in if you have the right permission. So you could
> >   easily set that up so that it would filter out your objectionable
> >   material.
> 
> He seems to be confusing network security with the propagation of content.
> A firewall is going to have a lot more trouble filtering dangerous
> thoughts than UDP port 1234, unless there are humans in the loop.

Hmm, I'd argue that firewall technology would indeed let China filter
out many "subversive" thoughts on the Internet.

The firewall is not going to be able to stop the two-rogue problem:
two technically knowledgeable rogue agents, one on each side of the
firewall, *will* succeed in communicating dangerous thoughts if they
try hard enough.  But that's not so important to solve perfectly,
in practice.

No, in reality, China could set up a few simple application proxies
and only allow world -> China traffic on a few closely controlled
ports, such as http, smtp, nntp, ftp, etc.  The proxies could

* filter out "naughty" and "seditious" sites (e.g. www.playboy.com),
* filter out email, news, etc. which has traversed
  a "known dangerous site" (e.g. a remailer or ftp.hacktic.nl),
* daily update their lists of subversive sites
  (e.g. by reading Raph's remailer list),
* filter out indecent newsgroups,
* do simple keyword searches (e.g. fuck, revolution, protest, crypto),
  and/or
* do simple content analysis
  (e.g. maybe filter out .gifs, to stop nude pics).

This would hose 93% of the subversive stuff on the 'net.

"Social solutions" (read: men with guns) can eliminate the last 7%.

And so it goes.

Sure, someone in the "free world" (e.g. not China or the USA) could run
a remailer / http-proxy at a new site each day, enabling someone knowledgeable
in China to find dangerous material.  But the fact remains that this
requires technical knowledge and the willingness to go to the trouble of
actively accessing the remailer site.

Again, someone in the China could run a remailer / reposter / http-proxy
themselves inside the firewall; that's where the "social solutions" come in.
Kick down the door (see, jackboots are good for something after all!), beat
up the children, and you can kiss that remailer goodbye.

Technically, you're right in saying that you can't filter all the content
perfectly; it's the classic covert channel problem.  But practically, the
Chinese gov't can probably wreak havoc with 'net freedom in China.

- -- Dave Wagner
Fuck the CDA.
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMSEPwyoZzwIn1bdtAQEFDAF9GXWLz9beaciHbY3mo3Reaom7K5IK0k2I
pVz5NrHqa80eDtC8Rr0w/kSzkKtq4GCL
=k93A
-----END PGP SIGNATURE-----