Hmm. People who recommend widely used approaches, and well-known, well-established providers, "don't have any experience with censorship circumvention".
So the solution is no-name providers using random ad-hoc hackery, chosen according to a criterion more or less custom designed to lead you into watering hole attacks.
Right.
@reisse is 100% right. Most people outside of heavily censored regions have no clue what technology is actually used in those countries. The well-known, well-established providers don't actually work in censored regions because:
1) The problem is very difficult and requires a lot of engineering resources
2) It's very hard to make money in these countries for many reasons, including sanctions or the government restricting payments (Alipay, WeChatPay, etc)
The immediate response would be: "If the problem is so difficult, how can it be solved if not by well-known, well-established providers?"
The answer is simple: the crowdsourcing power of open source combined with billions of people with a huge incentive to get around government blocking.
> It's very hard to make money in these countries for many reasons
Tor and I2P, for example, don't actually make money anywhere. Which is not to say that they work for any of the users in all of these places, or for all of the users in any of these places.
> The answer is simple: the crowdsourcing power of open source combined with billions of people with a huge incentive to get around government blocking.
The actual answer is that (a) they're using so many different weird approaches that the censors and/or secret police can't easily keep up with the whack-a-mole, and (b) they're relying on folklore and survivorship bias to tell them what "works", without really knowing when or how it might fail, or even whether it's already failing.
Oh, and most of them are playing for the limited stakes of being blocked, rather than for the larger stakes of being arrested. Or at least they think they are.
Maybe that's "solving" it, maybe not.
You're dramatically underestimating the sophistication of these groups. Think about it: these people are risking their freedom by working on this technology in any capacity. They are not naive to the risks of the work nor are they naive to the technical threats facing the software. In fact, the opposite is true. Western VPN companies are very much naive because the risks their users face are much less severe, and at a technical level they don't require anywhere near the same level of sophistication. They're primarily just WireGuard and OpenVPN, which are trivial for censors to block.
Tor is great, and they do great research on censorship circumvention, but it isn't used at any significant scale in these countries.
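An added illustration of the "trivial for censors to block" point above, not code from any commenter here: both WireGuard and plain OpenVPN have fixed-layout first packets that a DPI box can match on a single UDP datagram. The classifier below uses only the published wire formats (WireGuard handshake initiation is 148 bytes with type byte 0x01 and three reserved zero bytes; the OpenVPN client hard reset without tls-auth/tls-crypt is 14 bytes starting with opcode 7, key id 0). The packet bytes are constructed inline for the demo, and the function and label names are my own.

```python
# Minimal DPI-style fingerprinting of WireGuard and OpenVPN first packets.
# Added example; labels, function names and sample packets are constructed here.

# WireGuard message types and their fixed on-the-wire sizes (protocol spec).
WG_HANDSHAKE_INIT, WG_HANDSHAKE_RESP, WG_COOKIE_REPLY, WG_TRANSPORT = 1, 2, 3, 4
WG_FIXED_SIZES = {
    WG_HANDSHAKE_INIT: 148,  # type/reserved 4 + sender 4 + ephemeral 32 + enc static 48 + enc ts 28 + mac1 16 + mac2 16
    WG_HANDSHAKE_RESP: 92,   # type/reserved 4 + sender 4 + receiver 4 + ephemeral 32 + enc empty 16 + mac1 16 + mac2 16
    WG_COOKIE_REPLY: 64,     # type/reserved 4 + receiver 4 + nonce 24 + enc cookie 32
}
WG_TRANSPORT_HEADER = 16     # type/reserved 4 + receiver 4 + counter 8
POLY1305_TAG = 16
WG_LABELS = {1: "wg-handshake-init", 2: "wg-handshake-resp", 3: "wg-cookie-reply"}


def classify_wireguard(payload: bytes):
    """Return a label if the UDP payload has a valid WireGuard message shape, else None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # reserved bytes must be zero in every WireGuard message
    msg_type = payload[0]
    if msg_type in WG_FIXED_SIZES:
        return WG_LABELS[msg_type] if len(payload) == WG_FIXED_SIZES[msg_type] else None
    if msg_type == WG_TRANSPORT:
        body = len(payload) - WG_TRANSPORT_HEADER
        # inner packet is padded to a 16-byte multiple and then carries a 16-byte tag;
        # a keepalive is therefore exactly 32 bytes on the wire
        if body >= POLY1305_TAG and body % 16 == 0:
            return "wg-transport"
    return None


# OpenVPN control-channel opcodes (first byte: opcode in the high 5 bits, key id in the low 3).
OPENVPN_HARD_RESET_CLIENT_V2 = 7


def classify_openvpn(payload: bytes):
    """Return a label for a plain (no tls-auth/tls-crypt) OpenVPN client hard reset, else None."""
    if len(payload) < 14:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode != OPENVPN_HARD_RESET_CLIENT_V2 or key_id != 0:
        return None
    # layout: opcode/keyid 1 + session id 8 + ack array length 1 + packet id 4 = 14 bytes,
    # with an empty ack array and packet id 0 on the very first packet of a session
    ack_len = payload[9]
    packet_id = int.from_bytes(payload[10:14], "big")
    if ack_len == 0 and packet_id == 0 and len(payload) == 14:
        return "openvpn-client-hard-reset-v2"
    return None


def classify_first_packet(payload: bytes):
    """What a censor's DPI rule would conclude from the first client datagram of a flow."""
    return classify_wireguard(payload) or classify_openvpn(payload) or "unknown"


# Constructed sample datagrams (zero-filled bodies; only the shape matters to the rule).
SAMPLES = {
    "wireguard client handshake": b"\x01\x00\x00\x00" + bytes(144),
    "wireguard keepalive": b"\x04\x00\x00\x00" + bytes(12) + bytes(16),
    "openvpn client reset": b"\x38" + bytes(8) + b"\x00" + bytes(4),
    "random udp": b"\x17\x03\x03\x00\x2a" + bytes(42),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} {len(pkt):4d} bytes -> {classify_first_packet(pkt)}")
```

The point the example makes is that neither protocol tries to hide: a rule matching "UDP, 148 bytes, first four bytes 01 00 00 00" catches every WireGuard session at the first packet with essentially no false positives, which is why the circumvention tools actually used in censored networks wrap or replace these framings rather than run them bare.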
It's very sad that every sane and informed comment (like reisse's) has to meet this kind of snarky comment whose only purpose is being snarky on HN.
Perhaps you should stop and think about why people living in countries where governments actually censor a lot hardly use these "well-established providers" to circumvent censorship. Tip: it's not because they're stupid.
Actually, my main original purpose was to call (more) attention to the fact that looking for somebody specifically advertising a VPN to your particular country, for a censorship-resistance purpose, has a vastly greater chance of getting you a honey pot than almost any other possible way of looking for a relay. Honey pots are particularly dangerous in one-hop protocols with cleartext exit.
The part about the unreliable ad-hockery is also true, albeit less critical. The fact is that you don't know what your adversary is doing now, and you definitely don't know what they're going to roll out next. You don't have to be stupid to decide to take that risk, but you also don't have to be particularly stupid to not think about that risk in the first place, especially when people are egging you on to take it.
The greater purpose underlying both is to keep people from unknowingly getting in over their heads. I have seen lots of people do actually stupid things, up close and personal, especially when given instructions without the appropriate cautions.
And "services and providers" doesn't necessarily mean commercial VPNs. In fact those were way down the list of what I had in mind. Your own VPS is a "provider". So is Tor or I2P (not that those won't usually run into problems). So is your personal friend in another country.
> Actually, my main original purpose was to call (more) attention to the fact that looking for somebody specifically advertising a VPN to your particular country, for a censorship-resistance purpose
Please re-read my post then. I do not call to look for VPN for your or anyone's particular country, I call to look for VPNs for these specific countries because they have the current bleeding edge blocking tech, and if VPN works there now, it will 100% work in every other country. If you're in China, you don't have to look for Chinese VPNs, some of Russian ones will work there too.
At DefCon 26 (25?) I attended two presentations that scared me:
1. there was a presentation about several admins in a hostile country who had been arrested because someone from Harvard pinged a server they ran as part of IPv4 measurement. The suggestion was to avoid measuring countries with strong censorship laws to prevent accidental imprisonment of innocent IT.
2. similar presentation about the Tor project struggling to find fresh egress/ingress addresses. Authoritarian countries were making lists of any IP addresses that were known Tor IPs and prosecuting/imprisoning users associated with them as a result of traffic on those addresses.
I would be extremely careful trying to bypass authoritarian restrictions unless I was 110% confident what I was doing.
Yeah. If an authoritarian government controls the network infrastructure, there's no way to use that network infra without risk.
To actually bypass this, you need your own network. Does anyone know of any sneakernet protocols that would be useful here?
Scuttlebutt, Briar and NNCP come to mind.
None of the things I listed are "widely used approaches, and well-known, well-established providers" in the parts of the world where it does matter.
Yeah, maybe V* and derivatives are random ad-hoc hackery, but they also are the well-known standard now.
> Yeah, maybe V* and derivatives are random ad-hoc hackery, but they also are the well-known standard now.
A lot of people use Telegram and think it's private, too.
What about the part about choosing your VPN provider in the way most likely to get you an untrustworthy one who's after you personally?