Archive for the ‘Internet’ Category
Remember that thumbsucker I did on the Great Firewall? Well, here’s some data, via this post (thanks, Jamie). It seems that Fang Binxing, China’s Chief Bellhead, boss of the Beijing University of Post & Telecoms, and king of the great firewall, really is in trouble due to his special relationship with Bo Xilai. He briefly came up on the web to threaten to sue a Japanese newspaper which thinks he was detained for investigation. Then, the former head of Google in China (who obviously isn’t neutral in this) prodded him, and he denied having the power to block the offending story.
The FT, meanwhile, thinks Zhou Yongkang, the head of the security establishment, is on the out. That shouldn’t be overstated because he’s due to retire, but he has been doing a rubber chicken circuit of second-division official appearances, and his key responsibilities have been taken over by others.
Fang is supposedly being replaced by Yan Wangjia, CEO of Beijing Venustech, who was responsible for engineering the Great Firewall. Her company’s Web site is convincing on that score. Here’s the announcement that they got the contract to provide China Mobile with a 10 gigabit DPI system:
Recently, Venustech successfully won the bid for centralized firewall procurement project of China Mobile in 2009 with its 10G high-end models of Venusense UTM, thus becoming the first company of its kind to supply high-end security gateway to telecom operators.
It is said this centralized firewall procurement project is the world’s largest single project of high-end 10G security gateway procurement ever implemented, drawing together most of world-renowned communication equipment vendors and information security vendors such as Huawei and Juniper. Through the rigorous test by China Mobile, Venusense UTM stood out, making Venustech the only Chinese information security vendor in this bid.
Looking around, it sounds like they are the hardware vendor of the Great Firewall, specialising in firewall, intrusion detection, and deep-packet inspection kit for the governmental, educational, and enterprise sectors “and of course the carriers”. Well, who else needs a 10Gbps and horizontally scaling DPI box but a carrier? Note the careful afterthought there. Also, note that they’re the only people in the world who don’t think Cisco is a leading network equipment vendor.
Well, this is interesting, both on the Bo Xilai story and also on the general theme of the state of the art in contemporary authoritarianism. It looks like a major part of the case is about BXL’s electronic surveillance of Chongqing and specifically of top national-level Chinese officials:
One political analyst with senior-level ties, citing information obtained from a colonel he recently dined with, said Mr. Bo had tried to tap the phones of virtually all high-ranking leaders who visited Chongqing in recent years, including Zhou Yongkang, the law-and-order czar who was said to have backed Mr. Bo as his potential successor. “Bo wanted to be extremely clear about what leaders’ attitudes toward him were,” the analyst said.
That’s Zhou Yongkang as in the head of the whole Chinese internal security structure, cops, spooks, and all. Bo’s police chief (and future sort-of defector) Wang Lijun is described as being “a tapping freak”, addicted to the productivity and hence apparent power of electronic intelligence. Not only that, Wang eventually began tapping Bo, who was also tapping the CDIC feds who came down to keep an eye on him.
The practicalities are, as always, interesting.
The architect was Mr. Wang, a nationally decorated crime fighter who had worked under Mr. Bo in the northeast province of Liaoning. Together they installed “a comprehensive package bugging system covering telecommunications to the Internet,” according to the government media official.
One of several noted cybersecurity experts they enlisted was Fang Binxing, president of Beijing University of Posts and Telecommunications, who is often called the father of China’s “Great Firewall,” the nation’s vast Internet censorship system.
It’s worth pointing out that the provincial networks belonging to China Mobile, China Telecom etc. are usually organised as companies in their own right, and they often have their own AS numbers, and indeed they often contract for substantial network development projects with Western vendors (Nokia Siemens recently had a big mobile network contract in Sichuan, notably) on their own right.
Anyway, Fang’s involvement is very interesting indeed. He is responsible for the state-of-the-art authoritarian solution to the Internet. This is not just, or even primarily, a question of blacklisting websites or turning off the Internet. The Great Firewall’s detailed design, as the Cambridge Computer Lab found out a while ago, is specifically intended to be a semi-permeable membrane. Rather like Hadrian’s Wall, it is more about the gates through it than the wall itself, and the defences point in both directions.
When a computer within it tries to initiate a TCP connection to one outside that is classified as dodgy, the Firewall sends an RST message back to kill the connection. This permits much higher performance than the DNS-based blacklisting typical of, say, the UAE.
It also means that it’s possible to ignore the RST and look through the firewall by using your own firewall utility (specifically, set something like iptables to drop any RSTs for connections in states other than ESTABLISHED before a suitable time has elapsed). However, it would be a fair guess that any traffic doing this is logged and analysed more deeply.
Further, there is a substantial human infrastructure linking the media/PR/propaganda system, the police system, and the Ministry of the Information Industry. This uses tools such as moderation on big Web forums, direct recruitment, harassment, or persuasion of important influencers, the development of alternative opposition voices, and the use of regime loyalist trolls (the famous wumaodang).
The firewall, like Hadrian’s Wall or the original Great Wall, also has an economic function. This acts as a protectionist subsidy to Chinese Internet start-ups and a tariff barrier to companies outside it. Hence the appearance of some really big companies that basically provide clones of Twitter et al. Because the clones are inside the firewall, they are amenable to management and moderation.
And none of this detracts from the genuine intention of the people at 31 Jin-rong Street, the China Telecom HQ, to wire up the whole place. Iran’s surprisingly important role providing broadband to Afghanistan and diversionary links to the Gulf reminds us that providing connectivity can be a powerful policy tool and one that you can use at the same time as informational repression.
So, Fang’s achievement is basically a package of technical and human security measures that let whoever is in charge of them command the context Web users experience.
Last autumn, several of the Chinese web startups were subjected to the combined honour and menace of a visit from top securocrats. Tencent, the owner of QQ and the biggest of the lot, got Zhou Yongkang in person. In hindsight, this will have been around the time the CDIC landed in Chongqing.
So, where am I going with this? Clearly, there was serious disquiet that somebody was usurping the right to control the wires. Even more disquieting, the surveillance establishment in Fang’s person seemed to be cooperating with him. And the systems he set up worked just as well for someone increasingly seen as a dangerous rebel as they did for the central government. (In fact, the people who like to complain about Huawei equipment in the West have it the wrong way round. It’s not some sort of secret backdoor they should be worrying about: it’s the official stuff.)
I do wonder, depending on what happens to Fang (he’s still vanished, but his Weibo feed has started updating again), if we might not see a relaxation of the firewall, which the pundits will consider “reform”. In fact it will be no such thing, rather a cranking up of internal chaos to facilitate a crackdown on opposition.
Yadda yadda China cyberwar. I make the point that the Chinese infosec environment is characterised by chaos, there isn’t a well-defined centre of activity probably enjoying offical tolerance or more like the old Russian Business Network*, and that the great firewall is about censorship and also a sort of trade-barrier protecting the locals from competition. It’s an interesting point why the Chinese Internet got so awful. Structure is a big part of it; rapid economic growth, lots of software piracy, and therefore a hell of a lot of old Windows machines that don’t get patches. But I do wonder, as with all sorts of other Chinese issues, to what extent internal chaos with selectively porous borders is a strategy.
Meanwhile, Four Lions is still a documentary.
*You might say we’ve just not found it yet. But the distinction is that the Russians wanted you to know it was out there.
For instance, Gao Yi, a well-known music critic, tweeted: “Compared with a war, US$7 billion is much more worthwhile. Right now, we lack the off-shore staging capacity for a mid-intensity war.
A well-known music critic? Now that’s special. You don’t get detailed comment on the Royal Fleet Auxiliary’s seabasing capability from Martin Kettle when he’s in one of his SUCK ON MY CULTURE, PROLE moods, or indeed when he’s editorialising, do you? Does Brian Sewell take a view on whether the much delayed Maritime Afloat Replenishment Ship project should go down the Dutch/Canadian JSS route, perhaps building on licence from Schelde in the UK, or stick with specialised tanker and dry-replenishment hulls?
It’s a pity that this doesn’t mean their politics is any more pacific.
Jamie Zawinski and Charlie Stross pitch in to the poisonous row about Google + and its “real names policy”. Now G+ seemed like a good idea to me because of this instant-classic paper, which demonstrated that a) people hate creepy targeted-advertising schemes even if you pay them to put up with it, b) we manage privacy by letting other people know things to different degrees depending on context, and c) we get really angry when other people talk behind our backs and violate the boundaries between contexts. When this paper appeared I literally chased everyone at Telco 2.0 around with it until they read it. Now, you can see with things like the “circles” feature that someone at Google did too.
But then, there’s this whole fiasco about trying to impose single identities that always consist of two space-separated UTF-8 strings containing only alphabetical characters, that seem normal to someone from Palo Alto.
Yeah, just like that. Which reminds me of a story. Not so long ago, I was talking to the Google product manager for GMail, during – yes – an open-space workshop on privacy and identity issues. He (and he certainly is compliant with the policy sketched out above) asked if anyone knew why GMail lets you pick a graphical skin, basically a user stylesheet, for your account. After all, they spent millions on the pretty UI, so why would you want to do that?
Apparently the idea came from one of the UI/UX designers. Who said that it should be possible to tell at a glance which one of several GMail accounts you were using. The programmers and network engineers of course didn’t get it – why the hell would you want two GMail accounts? Hadn’t they just spent quite a lot of time and money and hard work building an e-mail service that you’d actually want to use? Wasn’t it a major design goal of the whole project that people would want to pipe their other e-mail accounts into GMail, far from creating more e-mail accounts? And surely, if you wanted to keep e-mail associated with different people or things or themes together, you could use labels, and set up filters to automate the distinction?
To which she said that if you have one privacy context that includes your thuggish ex-husband and his lawyer and your fundamentalist Christian teabagger mum, another that includes your high-functioning asperger’s coder boss and various similarly brilliant-but-awkward nice-guy types from work, and yet a third that includes your actual and very irreligious friends, the consequences of wrong-slotting an e-mail were far more serious than just posting to the dev list when you meant the user list or vice versa. Therefore, sometimes you needed a non-permeable membrane between contexts and a suitably glaring visual distinction.
A slow dawn spread across the meeting, someone pointed out that after all it was just an alternative CSS sheet technically speaking, and skins were added to the feature list for the next deploy. (Like the green-screen theme for GMail? Thank feminism.)
Now, it doesn’t look like she’s been consulted on this particular project, and I think her input would probably be worth having. But then the feminists would have something to say about why nobody seems to have asked. Actually, although our Googler didn’t name names and I therefore won’t name him, a bit of lateral thinking suggests her career appears to have developed in a manner to her advantage, so perhaps it’s one for the theory of bureaucracy instead.
The Obscurer has possibly the first intelligent article on the whole “turn off their Facebook! that’ll learn em!” furore. Notably, they interviewed one-man UK mobile industry institution Mike Short. Go, read, and up your clue. I especially liked that the piece provided some facts about the 7th July 2005 terrorist incident and the mobile networks.
There is only one reported case of a UK network being closed by police. During the 7/7 London suicide bombings, O2 phone masts in a 1km square area around Aldgate tube station were disconnected for a number of hours.
Police have an emergency power to order masts to be put out of action known as MTPAS – Mobile Telecommunication Privileged Access Scheme. The move has to be approved by Gold Command, by the officers in highest authority during a major incident, and is designed to restrict all but emergency service phones with registered sim cards from making calls. But a shutdown can have dangerous knock-on effects. Short says that phones within the Aldgate zone automatically sought a signal from live masts outside it, overloading them and causing a network failure that rippled out “like a whirlpool”.
On the day, other networks were simply overloaded as Londoners sought reassurance and information. Vodafone alone experienced a 250% increase in call volumes
MTPAS is the GSM-land equivalent of the old fixed phone Telephone Preference Scheme (not to be confused with the new one that blocks cold-callers), which permitted The Authorities to turn off between 1% and 90% of phone lines in order to let official traffic through. As far as I know, the Met never asked for it and it was City of London Police who initiated it without asking the Met or anyone else, and in fact O2 UK’s network had been keeping up with demand up to that point, before the closure caused the cascade failure Short describes.
The significance of O2 is that it used to be “Surf the Net, Surf the BT Cellnet” and some residual gaullist/spook reflex in the government tried to keep official phones on what was then one of two British-owned networks.
Anyway, this weekend seems to have the theme “The Intersection of Charlie Stross and the August 2011 Riots”. Charlie’s talk at USENIX is sensibly sceptical about some tech dreams as they apply to networking.
This leaves aside a third model, that of peer to peer mesh networks with no actual cellcos as such – just lots of folks with cheap routers. I’m going to provisionally assume that this one is hopelessly utopian, a GNU vision of telecommunications that can’t actually work on a large scale because the routing topology of such a network is going to be nightmarish unless there are some fat fibre optic cables somewhere in the picture. It’s kind of a shame – I’d love to see a future where no corporate behemoths have a choke hold on the internet – but humans aren’t evenly distributed geographically.
Especially as the theoretical maximum bandwidth of one fibre is about the same as the entire radio spectrum. And the point about routing table size and complexity is a very good one, especially as it’s assumed that the routers aren’t CRS-1s but rather Linksys fifty quidders or mobile phones.
However, one thing the liberation technologists should take away from the riots is that you shouldn’t get hung up on bandwidth. It’s great to be able to post the photos on Flickr, but it’s more useful to have your own secure voice and messaging. When the Egyptian government relented on its GSM cut-off, the Egyptian Twitter feeds lit up with calls for more people to this or that exit of Tahrir Square or medical supplies to the clinic or (and I remember this) that a lost child was waiting at the press tent.
It was what NANOG users would call operational content. There was of course no need whatsoever for it to go via a Bay Area website – all Twitter provided was the one-to-many element, very important, and the publicity on the Web. The latter is a nice-to-have feature, the former, critical. Text, or even voice, is not a high bandwidth application and doesn’t necessarily need access to the global Internet.
So yes – perhaps there is in fact quite a bit of angular momentum to be had in a mobile mesh-WLAN client as an instrument of democracy, as long as you’re willing to accept that it’s not the sort of thing that can be exclusive to people who agree with you. But then, that’s the test of whether or not you actually believe in democracy.
Something else, between Charlie’s USENIX talk and the riots. Isn’t one of the biggest disappointments, from a police point of view, the performance of CCTV? No doubt it will help put some of the rioters in jail. But it didn’t prevent the riots and neither did it seem to help quell them much. It’s possible that the whole idea that potential surveillance (like the original panopticon) is a policing influence isn’t as strong as it’s made out to be.
Another point; not all crimes are punished or even taken notice of. This is obvious. Less obvious is that the degree to which the police ignore crime is an important political fact. Is it possible that CCTV, by forcing them to make at least a token response to everything that passes in camera range, actually contributed to using up the police strength? In a riot, the police aim is to demonstrate public, mass control. They are usually willing to ignore quite a lot of individual criminality in the process. It’s possible that surveillance culture and technology are opposed to strategy.
Over at Stable & Principled, I’ve been blogging about running out of policemen and how the Prime Minister doesn’t seem to have any thoughts at all that weren’t adequate-ish newspaper columns from about 2004. But how did we get to the stage of using up the Met and most of the wider police forces’ reserves of manpower just like that? This isn’t a “What does it all mean?” post, although inevitably we’ll have one of them for you as well. It’s more like a “How does it all work?” post.
In all, 2,347 people have been arrested nationally. This is only a rough lower bound on the numbers of people involved, as obviously not everyone got caught and some of the people arrested are innocent. At an arrest rate of one in 10, that would give a total of 23,000. 51% of the arrests were in London, or to be precise the Met’s area of operations, which gives us the answer to one question at least – the police eventually quelled the riot by outnumbering the rioters, 16,000 cops versus an estimated 11,500 rioters. Obviously if you pick a different arrest rate fudge factor you’ll get a different answer, but then at least we’re using a model of sorts.
It’s certainly interesting, though, that a fairly small crowd was able to exhaust the policing resources of most of the UK. If the 23,000 rioters had shown up in central London to march on Whitehall, even assuming they were willing to be as troublesome and violent as they were elsewhere, I think the Met would have handled it without breaking sweat and certainly without needing to summon the South Wales force as mutual aid. Even the most hayseed British police forces deal with crowds of 23,000 young men reputed to be ready for violence, every weekend, quite commonly several at the same time, without very much happening. They are lower division football matches. And to be frank, a 23,000 strong national demo is disappointing.
So what’s up? One point is dispersion vs. concentration. Demonstrators want to occupy symbolic space and show their organisation by the very fact they could concentrate all these people. Casuals want to duff up the other mob. Therefore, the police problem is to either prevent them from getting to Parliament Square or the match, or else keep them segregated from other people while they are there. The police are on the tactical defensive, but the strategic offensive – if they stick it out they win.
Obviously, the demonstrators (or thugs) can’t counter this by dispersing because that would defeat the point. They have to come to the Bill, and the Bill can then canalise them. Kettling is the ultimate expression of this thinking.
If the police have to look for the crowd, though, this is obviously going to be a much more labour-intensive exercise. You can’t kettle several dozen groups of ten or so people spread over a dozen streets – the idea is absurd. You have to go looking for them. That in turn conditions what the crowd can do – it can’t stage a classic mass demonstration – and favours people who are willing to just randomly destroy stuff that happens to be undefended, while the traditional mass demo favours a show of what you might call subversive respectability. The slow march of the Zulus, if you like.
Another important point was that there was no key identity-group here – it wasn’t aligned with any one ethnic or religious group or geography and wasn’t even totally young, and it didn’t explicitly identify with a class either. Therefore, anyone who felt like it could join in, and did. This obviously helped it go national and also made a traditional (since the 80s) police tactic more difficult. How do you call community leaders to ask everyone to go home if you can’t identify the community? From the other direction, how do you negotiate with authority if you can’t identify a community?
(This is of course the final problem with the Big Society – its only organising principle is that it’s a society and apparently it’s big.)
I wonder if a lot of the violence was driven by the fact anyone could turn up, and therefore the only way to demonstrate that you really were one of the gang rather than a do-gooder or a fink or just some random spectator was to do something obviously illegal.
Also, did this kind of riot drop in between the classic modes of British policing? If someone commits a crime, there’s investigative policing, if it’s the right kind of crime and the right kind of victim. If the Chartists are marching on Westminster, line up on Westminster Bridge with shields and big sticks. And of course there’s community policing if there’s time between the other two for some cups of tea and old ladies, etc.
Investigation was rather irrelevant while it was going on, although of course it’s not any more. And the heavy mob couldn’t draw a shield wall around every shop in London. Neither could they find enough bodies to kettle every group of rioters, or find enough rioters in one place to kettle. It does look like the December 2010 student riots were a tactical learning-experience for a lot of people.
Finally, those BlackBerries. Not much to say here, except that the most important feature involved seems to have been the fact that BBM is multicast. You can message groups rather than only individuals. There are apps that let you emulate this with SMS, although the reply will only go to you.
As a general rule, BlackBerry Enterprise Server traffic should be hard to do anything to as the server, typically hosted by an organisation for its own purposes, generates its encryption keys when it’s set up. It’s not anything RIM or your operator has to know about. But this is of limited relevance – plenty of people run their own mail servers, but I’ve never heard of anyone who self hosts BlackBerry. The BlackBerry Internet Service, which is hosted by operators, certainly can be monitored by the operator as they own the server. UK operators would be covered by the Regulation of Investigatory Powers Act and might have to hand over logs from the BIS servers.
I don’t know, however, if the BIS machine archives the content of what passes through it (which isn’t required by RIPA anyway). Obviously, the traffic-analysis data of who messages who and when is potentially revealing.
From a network point of view, though, I doubt if snooping on the traffic in transit would be very useful. You’d know that someone was using a BlackBerry, as it would be opening Packet Data Profile connections through the network and querying the BlackBerry network DNS. But as they monitor messaging all the time, that isn’t very useful information. Certainly nothing as useful as the BIS server log.
OK, I’m completely sick of paying far too much to my shitty boutique ISP and BT for crackly steam voice and ADSL2+ that regularly provides between 400 and 600 Kbps downlink and 30-100 up. Right here in London. The SNR margin, attenuation, etc look normal and the modem trains to over 10Mbps, but there is reliably 1-3% packet loss so TCP never actually breaks out of slow-start mode.
I have some options.
Go to another ADSL op – well, the danger is that they’ll just port the hank of copper flapping in the breeze, leaving me no better off, rather than replacing it completely.
Get BT FTTC service whether from BT or someone else – the problem is that our exchange was originally planned for the 31st December 2010 (at the time this was a horses’ birthday, used for all areas where there was a planning permission fuck-up), and has since been sliding right. The last update pushed it from June 2011 to September 2011, although BT is claiming that “Lower Holloway” can have it now. But there is no such exchange.
Also, data bundle sizes for FTTC service are all incredibly stingy.
Bury the hatchet and get Virgin cable service – this eliminates the fritzing, bent-safety-pin mess that is BT’s aerial plant around here, although some of the cable installs are worth seeing, and would probably get us much, much more bandwidth. Also, cable has been installed here before so they might let me off the install fee.
However, reading their tariff, I can’t make any sense of what it actually costs. Everything’s “FREE! for the first six months thereafter suchandsuch”, or “NOW! MORE TELLY for just £5”, or “FREE! with a Virgin Phone line for £12.99 a month”. A Virgin Phone line? Is that a thing? On the principle that people who won’t actually name a price are ipso facto lying, I’m not keen.
Also, no IPv6, daft adverts about “fibre optic broadband” when it’s not, etc.
So how do you get from Shoreditch to the South Bank? Well, as Tom from Boris Watch pointed out, you take a number 243 bus. Or you wait 15 years – one way or another. Or you practice, baby. Or you get a haircut. Anyway, so much for taking the opportunity to reuse what I thought was quite a good joke. If journalism is the first draft of history – an ill-thought out exercise in speed-typing riddled with basic factual errors that aspires one day to be edited into ideological propaganda – and blogging is the first draft of journalism, then Twitter is evidently a lot of old cock.
I wanted to flag this article on how the tube map is a lie. Apparently, people tend to underestimate how long their routes will take when using the Beck map, not just tourists but natives (or as we call ’em round here, slightly less recent immigrants) too.
I think the explanation, and the fix, are as follows. Beck’s key insight was to analogise the system to an electrical circuit and draw a schematic diagram of it, showing the key components (stations) and how they interconnect. However, the problem is that we expect a map to show geographical information whereas the Beck map shows logical information.
The fix is, I think, to adopt cold potato routing. The Internet normally uses hot-potato routing – networks hand over traffic to each other at the first possible interconnection point, trying to get rid of it as soon as possible. This has some advantages – it avoids the situation where traffic for Network B is routed into Network A, carried across it, and then carried back towards its source because the furthest interconnect point has failed.
Occasionally this causes a pathological equilibrium – consider a network with customers on both coasts of the US and interconnections with another similar network. Under hot-potato routing, traffic from a customer of A on the East Coast to a customer of B on the West Coast could get routed into B on the East Coast, back out to A, and eventually into B on the West Coast.
Cold-potato routing is the opposite. You carry the traffic as far towards its destination as you can yourself, then hand it off. Roughly, cold is more efficient but hot is more robust. Basically, the recommendation from this would be to avoid changes as far as possible, including changing between modes of transport – which includes, of course, getting onto the tube in the first place. When everything breaks down – every five minutes – of course you can revert to hot potato to route around the break.
You’ll note that Tom’s solution gets it in a one-r.