Wallbleed vulnerability unearths secrets of China's Great Firewall 125 bytes at a time

Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years. The eight-strong team of security pros and academics found the data-leaking flaw, and started using it to learn about the GFW's inner workings in October 2021. It named the …

  1. Anonymous Coward

    So, at heart it is just a big PiHole...

    > which is responsible for generating forged DNS responses when a user inside China tries to visit banned websites. This subsystem lives in a fleet of government-operated machines at China's network border, watching for DNS queries.

    > When a citizen tries to go to a verboten site, their device requests via DNS the IP address of the site's domain so that a connection to it can be established. The GFW detects and intercepts this DNS query, and sends a DNS response back to the user with a bogus IP address leading to nowhere. Thus, as far as the user is concerned, access is blocked.

    (Except when discussing all our PiHoles we usually don't use words like "bogus" or "forged" - that is the difference between voluntarily doing it to all the users on our LAN versus forcing it onto an entire country's WAN.)

    1. Bebu sa Ware
      Windows

      Re: So, at heart it is just a big PiHole...

      > Except when discussing all our PiHoles we usually don't use words like "bogus" or "forged" - that is the difference between voluntarily doing it to all the users on our LAN versus forcing it onto an entire country's WAN

      Also the difference between keeping things in and keeping things out.

      I recall a doco in the '80s where the commentator was visiting a section of the actual Great Wall and his contention (almost certainly not original) was the Wall's purpose was to keep the people of the Middle Kingdom "inside," at least mentally, rather than to exclude marauding hordes of barbarians which it really didn't do all that successfully.

      With the Great Firewall the intent is the same but if the PRC is going to achieve any of its imperial ambitions, it will ultimately fail as the history of every past empire will testify. For good or ill the "outside" comes flooding in. :)

      1. PRR Silver badge
        Go

        Re: So, at heart it is just a big PiHole...

        > ....the actual Great Wall and his contention ....was the Wall's purpose was to keep the people of the Middle Kingdom "inside," at least mentally, rather than to exclude marauding hordes of barbarians which it really didn't do all that successfully.

        See also Hadrian's Wall. (And Antonine's.) That little rill (even before it was stripped for building stone) never stopped a Scot; hardly hindered an Englishman. It may be that the illusion that somebody (who?) "inside" was collecting proper custom duties was a social feel-good; also justified smugglers' profiteering.

      2. Anonymous Coward

        Re: So, at heart it is just a big PiHole...

        Pretty much every country runs some sort of blocking firewall.

        It's incredibly naive to assume your internet traffic is unhindered by your government and whilst there is sound rationale to "for the good of the people" I would be astounded if their ability to block stuff wasn't misused.

        1. Anonymous Coward

          Re: So, at heart it is just a big PiHole...

          * Pretty much every country runs some sort of blocking firewall...

          Your employer, your ISP...

      3. that one in the corner Silver badge

        Re: So, at heart it is just a big PiHole...

        > Also the difference between keeping things in and keeping things out.

        Your (well, my) PiHole is useful for stopping things like access to 4chan[1] as well as pages fetching ads and leaking info to the ad servers.

        [1] other vile sites are (not) available

        1. FirstTangoInParis Silver badge

          Re: So, at heart it is just a big PiHole...

          Or indeed just use Cloudfront’s 1.1.1.3 service.

    2. This post has been deleted by its author

    3. DS999 Silver badge

      Wait the Great Firewall is DNS based?

      What happens if they try to connect to a website via its IP address / set up a hosts file with the IP address(es) needed so there is no DNS lookup?

      1. Anonymous Coward

        Re: Wait the Great Firewall is DNS based?

        From the fine article:

        "There are other subsystems operating so that even if a client was able to receive a correct DNS response, other measures would kick in and block their access."

  2. lglethal Silver badge
    Unhappy

    "Wallbleed exemplifies that the harm censorship middleboxes impose on internet users goes even beyond the direct, and designed, harm of censorship: It can severely violate users' privacy and confidentiality," the paper concludes.

    Some might conclude that breaching users' privacy and confidentiality is exactly the purpose of this censorship.

    Or in other words, that's a feature, not a bug...

    1. KDavis27

      What if the following exchanges were made to the last paragraph of this article?

      "[USA permissive data handling law and practice] exemplifies that the harm [corporate and state data collection] impose on internet users goes even beyond the direct, and designed, harm of [blind profiteering]: It can severely violate users' privacy and confidentiality,"

      I fail to see the difference between China's firewall and USA corps' and governments' terms of service. China's decision to attempt to protect their populace from threats and misinformation on the internet and corporate America's (and the West's) attempt to steal all your data end up having the same flaws.

      >Some might conclude... feature, not a bug

      yeah, but you don't think ISPs are doing this or whatever your DNS provider is in the US and selling that info for profit?

      1. Anonymous Coward

        > China's decision to attempt to protect their populace from threats and misinformation on the internet

        um... what? are you a CCP shill here? you do know countries can prevent "threats" and misinformation through proper education, not literal forced censorship, right?

        1. BartyFartsLast Silver badge

          But it's so much easier to censor stuff and if you don't know it exists, how do you know it's censored?

          "I love the poorly educated" as said by a failed casino owner.

      2. Benegesserict Cumbersomberbatch Silver badge
        Big Brother

        'Does Big Brother exist?'

        'Of course he exists. The Party exists. Big Brother is the embodiment of the Party.'

        'Does he exist in the same way as I exist?'

        'You do not exist,' said O'Brien.

    2. NoneSuch Silver badge
      Big Brother

      "Wallbleed exemplifies that the harm censorship middleboxes impose on internet users goes even beyond the direct, and designed, harm of censorship: It can severely violate users' privacy and confidentiality,"

      It's China. Users have zero privacy and if they criticize the government they can be put in jail. And you wonder why I am so vehemently against encryption back doors? This is where they eventually lead and one day people like Boris Johnson will tell you what to think.

      Fight this now or risk your own personal walled garden with zero alternatives.

      1. David 132 Silver badge
        Black Helicopters

        Interesting that you name-check BoJo when he hasn't been PM for a couple of years. Obviously, Starmer, being a freedom-loving Labour person rather than a nasty evil Tory, cancelled the Online Safety Act and all other restrictions on freedom of speech as the very first thing he did... oh, wait, he didn't.

        With stuff like this, I tend to assume that it's what the Deep State (yeah, I know that sounds a bit tinfoil-hattish) wants, regardless of the colour of the government. The Home Secretary, on his/her first day, after being shown where the coathooks & toilets are and how to claim expenses, is ushered into a room for a "cordial chat" with representatives of MI5/GCHQ and is told exactly what the latter want, and oh, incidentally we have all your e-mails and private letters, and we know what you bought from Lovehoney, and wouldn't it be a shame if it were to be splashed all over the Daily Mail....

        1. matjaggard

          I doubt it's that explicit or sinister, Hanlon's Razor is worth remembering.

          The issue here is that none* of our MPs have the required technical understanding to properly scrutinise policy. I saw once a finance guy saying that everyone either has power or understanding of how to solve issues, never both. I think it's our popularity contest version of democracy plus the fact that we don't pay MPs enough to attract clever people (unless they're clever enough to know they can help a mate whilst an MP and get a lucrative job afterwards) that causes the issue.

          *a guess, not fact checked.

          1. Zolko Silver badge

            > everyone either has power or understanding of how to solve issues, never both. I think it's our popularity contest version of democracy

            no, that's the Dilbert principle : what do you do with incompetent people ? You obviously don't give them difficult tasks, you give those to competent people. But even competent people need some management when working in a team ... so the clever thing is to give the management tasks to incompetent people. This has the added advantage that the incompetent people already in management don't have to fear a competent newcomer

        2. Elongated Muskrat Silver badge

          I think the underlying problem here is that pretty much every Home Secretary is an authoritarian. I can't actually recall one that wasn't, the Blair government was certainly hot on ID cards and snooping. I think it's probably a prerequisite for the job, and to be fair, a number of the "problems" they are tasked with solving are political in nature (like making sure the government properly appeases people who hate foreigners, so they can keep their seats).

          The wider point is that the Home Sec is just a figurehead for the Home Office; politicians come and go, sometimes pretty rapidly (especially under the shambles that was the last Conservative government), but the civil servants at the top of the Home Office, who are tasked with actually getting things done, remain. Jim Hacker might lose his seat, but Sir Humphrey Appleby is still there. Large scale projects very often survive the lifetime of several parliaments, not least because of the momentum they take on once commenced, and because of the sunk cost fallacy.

        3. DoctorPaul Bronze badge

          Anyone remember "the Millbank Tendency"? My problem with Labour is that they are basically a bunch of control freaks and worryingly better at it than the Tories who at least could be relied on to generally stuff up anything that they tried.

      2. The man with a spanner Bronze badge

        "Wallbleed exemplifies that the harm censorship middleboxes impose on internet users goes even beyond the direct, and designed, harm of censorship: It can severely violate users' privacy and confidentiality,"

        ....And in contrast to the harms caused to the population by being deliberately buried by toxic shit that is intentionally untrue and designed to confuse and corrupt rational debate or the promotion of even a vaguely civilised society.

  3. KDavis27

    Nomenclature

    Why are they called "boffins" when mucking around in infrastructure in China and "cyber criminals" when doing the same thing in telecom/corporate infrastructure in the USA/West?

    Seems like a ludicrous double standard to me.

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: Nomenclature

      not really "double standards" when the former is designed to violate democratic rights, free speech, privacy, etc. and the latter is basically fuck-all, but okay.

      1. SuperG
        FAIL

        Re: Nomenclature

        What democracy? What rights?? Certainly not the US here, which is going full fascist...

        1. steelpillow Silver badge
          Facepalm

          Re: Nomenclature

          Except in five years time the US won't be full racist any more.

          Can't say that for China's abuses of human rights.

          1. Anonymous Coward

            Re: In five years?

            "Except in five years time the US won't be full racist any more."

            So you think there will be fair and free elections in four years?

            You obviously didn't read Project 2025.

          2. Hubert Cumberdale Silver badge

            Re: Nomenclature

            "Except in five years time the US won't be full racist any more."

            Hahaha hahahahahahaha haha haaaaaaaaaaaaaaaa haa aha ahhaaha ha

            Hahahahaha hahahaha hahahaha haha haa haaaaa haaaa ahaaa

            Haaaaa haha hahahahaha haaaaaa haa haaaaaaaa hahahaa

            Haha haa hahaha haaaaaaaaa haaaa ahhahaa hahaha

            Hahaha haa haa haaaaaa haaa ahhaa haha haaaaaa

            Ha haahahahaha haaa haaa haha hhaaaaa

            Hahaha haaaha haaaa hhhhaaa hahaha

            Ha haaaa hahaha haaaaaaaa haaaha

            Haha hha haaaaa hahahaha haaaha

            Ha hahahaha haahaaaaaaaa haha haaaa

            Haa haaaaaaaa ha ha haahhh

            Haha haaaa haha hahahahahh hhaaaaaa

            Hahahahahahaha hahahaha ha haaaaaha

            Haha hhaaaa hhaa hahahaaaaaa haha

            Ha haaaaaaaa haa haaaaaaaaa

            Ha haahaaha hahahahaaa haaaaaaaa

            Hahahaha haaahahaa hhaaaaa

            Hahaha haaahhahahaha haaaaaaaa

            Ha hahahahhahaha haha haaa

            Ha hhaa hha hhaaaaaha haaa

            Haha haha haaaaaaaaaaaa ha

            Ha hahaa hahahaha hahaha

            Haha hhhhh haaaaha haaaa

            Ha haaaahhhhaaaa hahahaaa

            Ha haaaaa haaaahaaa hahahaha

            Haha hha hhaahaa haaaaa

            Haaaaa haa hahahahaha hhhahaaa

            Haha haha hahahaaaaa haha

            Haaaaaa haha hhaahahaa

            Hahahahaha hahaaaaaaa haha

            Haaaaa hahahaha haha

            Haaaaaaaaaaaaaaaaa haaaha

            Ha ha haaaaa haahahahaha

            Hahaaaa haha hhhhaaa hhaaa

            Hahahahaha haaahaaaaa hhaaa

            Ha haaa hahahaa haaa

            Ha hhaaaaaa hahahahaa

            Haahhaha hahaha hhaaaaaaaa

            Hahaha hhhhhhhaa hhaaaaa

            Ha haaa hahahah haaaaaaaaa

            Ha haaaa haha hahaha

            Hahaha haahhahaha hhaa

            Haaa haaahaha hhaa haaaaa

            Hahaha haaaaa hhaaaaaa

            Ha haaaaaaaa haaaaaah

            Ha haha haaaa hahaha

            Hahahaha hahahahaa hha

            Hahaha haaaaaaaa hahahaaa

            Haha hhaaa hhaaa haaaa

            Hahahahaha hhaaaa hhhhhh

            Ha haaaa hahaaa hhhhh

            Ha hahaha hhaahaaha hhaaa

            Haahahah haaaaaaaa hha

            Haha hhhhaaaa haahaaa

            Haahhaha haaaaa ha

            Hahahaa hhhhhhhhaaa

            Ha hahahaha hhaaaha

            Hahaaa haha haaaaaaa

            Ha haaaaaa ha haaaa

      2. Anonymous Coward

        Re: Nomenclature

        Sweet summer child, you really believe that western countries don't monitor and filter what you can see on the internet?

        1. Anonymous Coward

          Re: western countries

          "western countries don't monitor and filter what you can see on the internet?"

          I can see what you write and almost everything I write appears here, with comments.

          That does not happen in, eg, China, where critical posts tend to never appear or disappear fast.

  4. Lee D Silver badge

    Ah, so when a US university probes a nation-state's computer systems exploiting vulnerabilities constantly for years that's okay, but when they do it to the US, that's previously been called a potential act of war.

    Gotcha.

    1. This post has been deleted by its author

    2. Anonymous Coward

      yeah, and?

      do you actually realize the difference between exploiting bugs inside a censorship system designed to block people inside the country from knowing how their country truly is, and exploiting bugs to steal money from charities, cut off important energy and healthcare structure, and so on?

      1. Zolko Silver badge

        Re: yeah, and?

        of course we realise the difference : we are the good guys, they are the baddies. When we kill people they're terrorists, when they kill people they're freedom fighters. We don't censor, we fight against misinformation campaigns. When we cancel elections it's to protect democracy. Life must be simple wherever you live

    3. Anonymous Coward

      I really hope you're just a young kid, because I'd hope every adult already knows that governments can be hypocritical.

  5. TimMaher Silver badge
    Coat

    DNS

    It’s always DNS.

  6. Evil Auditor Silver badge

    It can severely violate users' privacy and confidentiality

    In China, all your privacy and confidentiality are belong to them.

  7. Anonymous Coward

    The Great Internet Concentrator!! More Misdirection In ElReg!!

    Quote: "....secrets of China's Great Firewall....."

    Fact: The biggest internet concentrator in the USA is where? Washington D.C.

    Coincidence? I think not.....................................

    In fact I don't give a rat's ass about the "secrets of China's Great Firewall"........

    ....but the secrets of the USA's Great Concentrator would be of great interest!!

    When will ElReg be publishing a summary of the relevant whistleblower paper? Soon?

    1. JWLong Silver badge

      Re: The Great Internet Concentrator!! More Misdirection In ElReg!!

      "When will ElReg be publishing a summary of the relevant whistleblower paper? Soon?"

      As soon as AT&T gets back to them. But don't hold your breath, they're kind of like Apple Inc.

    2. Anonymous Coward

      Re: The Great Internet Concentrator!! More Misdirection In ElReg!!

      Dummy. It's actually in Reston, VA.
