February 17, 2006


True to its nature, when the internet encounters a new would-be information shepherd, it simply builds a better cat.

THE UNIVERSITY of Toronto has worked out a way to help those trapped behind the blocking and filtering systems set up by restrictive governments.

The system is designed to disable the Great Firewall of China and prevent countries running repressive control over the net ever succeeding.

The software known as Psiphon overcomes one of the main problems of using anti-filter programs. If a user is found by authorities, they can discover everything that a user has been up too.

However Psiphon does not leave footprints on computers. It gives monitored computer users a way to send an encrypted request for information to a computer located in a secure country. When the computer finds the information it sends it back encrypted.

It enters users' machines through computer port 443, which is designed to transport secure data for banking. If China wanted to close this avenue down, it would also have to shut off a lot of its foreign electronic banking operations.

The downside is that the user has to know someone in the safe country to help them set up a proxy and give them a username and password.

The program will be released at the international congress of the free-speech group PEN in May.

Posted by Kate at February 17, 2006 8:02 PM

Saturday Random Links from Maggie's Farm
A bit late with the links this morning - was "overserved" last night at Rudy's. Not my fault.Psiphon. Psiphon will break down the Great Internet Wall of China. small dead animals. Good.Brits move abroad for a better life. The Independent. And t [Read More]

Tracked on February 18, 2006 9:08 AM


This is great news. If people can overcome the Great Firewall of China, maybe someone can figure out how to overcome our CRTC Wall. Bev Oda! Are you going to help? Please don't get trapped by the telecom bureaucrats. And I do mean rats.

Posted by: Andy at February 17, 2006 8:07 PM

I'm guessing that the lefties will want to shut this down too, or at least keep silent. They will claim that all the Chinese government is doing is curbing the unchecked grwoth of capitalism.

Right? all you first-world easy-life Marxists?

Posted by: Doug at February 17, 2006 8:15 PM

As with anything - it can be good or bad depending how it's used. Does this also give terrorists a clean communications channel? If not, it won't take them long to figure out how to do it.

If the good guys have counter-measures now ... how long will it be before the bad guys have them?

I really don't think any measure/counter-measure will be anything but temporary for a long time ... and that's both good and bad.

Posted by: ural at February 17, 2006 8:39 PM

Doug- Unfortunately my little red book doesn't have the answer to your question. Why don't you smoke another bowl and ask another?

Posted by: Doug at February 17, 2006 8:43 PM


The technology already exists to make it next to impossible for anyone to decrypt your communications and its been around for quite a while.

Posted by: Jose at February 17, 2006 8:46 PM

So what? All you need is for a nitwit on this end to blab, and the guy is satay by morning...How do you think the Pakistanis know about the cartoons in that Alberta paper? Sabu in Edmonton phoned his brother in Karachi and told him all about it!

Posted by: Raymond Hietapakka at February 17, 2006 8:52 PM


"The technology already exists to make it next to impossible for anyone to decrypt your communications and its been around for quite a while."

And the intelligence community can routinely decrypt anything encrypted ... these guys don't work out of a garage. If you think you are protected by anything commercially available ... well, give your head a shake.

Posted by: ural at February 17, 2006 8:54 PM

No software that i know of can break 128 encryption...nobody has that yet..if you had that you could break into the backbone of banks.

Posted by: craig at February 17, 2006 8:59 PM

Strikes me as strange that the word Canadian Bararians....small mind that writer.

Posted by: craig at February 17, 2006 9:07 PM


I could be dead wrong ... but I don't think that 128 bit encryption would be available if the western spooks hadn't broken it ... even by dumb force. I would also be willing to bet they have the most computing power in the world ... can't prove it ... but then again, it's hard to prove they even have a laptop.

Posted by: ural at February 17, 2006 9:10 PM

Anybody want some solid numbers on what stockwell Day is talking about..go to captains will make you sick

Posted by: craig at February 17, 2006 9:24 PM

"computer port 443, which is designed to transport secure data for banking."

Ah, no. SSL/TLS encrypted HTTP. It's a standard, but hardly carved in stone.

Posted by: mojo at February 17, 2006 9:27 PM

Thats hyper are confused.

Posted by: craig at February 17, 2006 9:31 PM

I have a hard time imagining all of those Chinese computer geeks having a tough time bypassing governemnt censors...

Posted by: Knight of Good Mr. Iron Man at February 17, 2006 9:32 PM


I don't see anything on CQ that says anything that we don't know already. I'm not being argumentative ... really ... am I missing a post?

Posted by: ural at February 17, 2006 9:41 PM

Apologies, that post by Doug to Doug was written by me.

Posted by: Jose at February 17, 2006 9:45 PM

No you have not...mabe its me..those are the first real numbers on it that iv seen..

Posted by: craig at February 17, 2006 9:45 PM

That's great. Especially since it behooves the Chinese to learn as much as they can about us before they nuke us all into oblivion. Their future historians will appreciate the effort.

Posted by: simpleton at February 17, 2006 9:50 PM

They don't have to nuke us they are buying us...They have or are in the prosses of buying Noranda..thats hard rock mining..thats pretty much the Canadian shield..

Posted by: craig at February 17, 2006 9:56 PM

Why would the Chinese want to nuke their customers?

Posted by: ural at February 17, 2006 10:01 PM

Um Jose, it's Jose, jew know, Jose, Jose me love Fidel, uncle Fidel, old uncle Fidel who love Jose, me real, real smart like all cuban whores with phd. Me get job busboy in hotel for canada, me Jose, jew know, Jose love Fidel.

Posted by: Jose at February 17, 2006 11:14 PM


Posted by: craig at February 17, 2006 11:16 PM

Good name for a Danish newspaper: port 443

Posted by: WalterP at February 18, 2006 6:37 AM

Encrypted streams on 443 can be captured and decrypted offline. Based on the number of machines in China that keep trying to break into my firewall, they appear to have sufficient compute power to apply to the task.

So, I see it as good news - the more of those Chinese computers that are buried decrypting tunnelled Google searches for 'Oppression' and 'Hypocrisy' and 'Violation of Human Rights', the fewer that will be bothering my local firewall.

Posted by: Shaken at February 18, 2006 9:08 AM


Not up to technical snuff here, folks, but I believe I read the creaters.makers of 128 byte encryption were forced by gov't to build-in a "secret trap-door" to allow access when needed by US intelligence groups. Any truth to this?

Shaken....interesting post.

Posted by: Garry P. at February 18, 2006 9:35 AM

In case some folks haven't been keeping up on their tech. reading: The US govt has had built three "massive parallel processor" computers, each of which have 50,000 (yes, fifty thousand) pentium microprocessors. These machines take up roughly the space of half a basketball court.

It's also been published that they are owned by NASA, Dept. of Energy and (this'll surprise you-NOT!) the CIA.

How do you think the US, the UK and Australia (the two allies with whom the US shares it's top level intelligence...heard of Echelon?)are able to decrypt digital cell calls, etc? Even satellite cellphone calls?

And that all came out several years ago. Imagine the technical progress since then!

The bottom line of all this is that commercially available encryption software for business and other legitimate reasons, at 128 bits or higher, is almost certainly safe from NON-governmental hackers.

But if somebody is a terrorist, terrorist aider, international criminal of other sorts, their days of secure computer or cell phone communications are over.

(Besides SDA and other great blogs, you folks ought to also hang out at tech sites like CNet, ZDnet, The Register, etc. Much to be learned there! :-)

Posted by: Dave at February 18, 2006 10:20 AM

This is so stupid. Whoever wrote that article has very little sense. The Chinese on the other hand, are quite smart.

First, blocking port 443 to disable a proxy web cache? Give me a break. Do they block port 80 to prevent websites they don't want now? NO! It's a content filter, not a port blocker. A proxy web cache falls under the same filtering as all web sites. Following the authors logic, there would be NO web site access in China, period.

Second, every large ISP in existence, and even a few small hosts run proxy web caches. This isn't a new idea.

Third, A proxy web cache has an IP address. 27 seconds after the Chinese gov't figures out that you are using a proxy they are going to block you. How do they find out? "CONNECT"

I just had a machine hacked from a Chinese address so how did those guys get through the great firewall of China huh? Any hacker worth his salt can do it from anywhere and cover his tracks.

Posted by: Altruistic at February 18, 2006 11:10 AM

THE UNIVERSITY of Toronto has worked out a way to help those trapped behind the blocking and filtering systems set up by restrictive governments.

Actually, what does this say about the quality of education at UT? It says they can read the instructions that come with Apache.

Posted by: Altruistic at February 18, 2006 11:14 AM

Actually, Altruistic, this idea seems so odd that I am ready to believe it's actually a honeypot operation. How efficient to have all the IP addresses of everyone in China wanting to see the banned material.

I sure wouldn't bet my freedom on it until I knew exactly who was on that UT team, the key length of the encryption, and who was behind the operation on the other side of the 'security moat'.

Posted by: Shaken at February 18, 2006 12:40 PM

Garry P: "secret backdoors" to 128 bit encryption? Urban myth, dude. Reputable encryption progs (PGP, for example) use public domain algorithms. That is, they are open to scruitiny by anybody in the public, as well as the government. So you have hundreds or thousands of university profs & other cryptanalysts reviewing the math, and any subterfuge would be made public pretty quickly.

Dave - 50,000 pentiums or not, the PGP algorithm (even the older DOS version, based on the IDEA encryption scheme) would be safe.

From the PGP Attack FAQ:

As we all know the keyspace of IDEA is 128-bits. In base 10 notation that is:


To recover a particular key, one must, on average, search half the keyspace. That is 127 bits:


If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. IDEA, as far as present technology is concerned, is not vulnerable to brute-force attack, pure and simple

Details at:

However, there are easier ways than brute force to decrypt a message.

Most folks use a simple word or combination of words for their passwords, and these could be brute forced pretty easily. Using spouse names, phone numbers, names of pets... you'd be whacked pretty quick by the NSA if you did this.

It's much better to use ALL sorts of characters that make a nonsense password, including numbers, capitals, and different ASCII characters ($#@~\ etc).

I use Schneier's Password Safe to store my PGP key(s), which are randomly generated by one of a couple of programs I use. The PGP keys are at least 25 digits long, and would be very difficult to brute force. I never commit them to memory; I have one password I keep safe for the Password Safe file, and load the individual keys from memory to PGP.

There are other ways to hack encryption passwords, too. Loading up software keyloggers on your machine, or installing hardware loggers would also work.

In short, there are much easier things to do to hack your privacy rather than pointlessly trying to brute force the message. The governments are experts at using these, too.


Posted by: MHB at February 18, 2006 2:16 PM

MHB:......thanx for the lesson....urban myths don't always make it all the way out to my rural domicile.

Posted by: Garry P. at February 18, 2006 3:04 PM


I never thought of it that way but you are right, the idea is bizarre. Why would UT be designing software to circumvent the laws of a foreign government? That's very strange. I can't imagine that is a good idea for Canada/China relations either.

Posted by: Altruistic at February 18, 2006 9:23 PM

CHINA AND THE INTERNET: An interesting story in the Washington Post. Excerpt:

No one told the editor in chief. For 90 minutes, he ran the meeting, oblivious to the political storm that was brewing. Then Li announced what he had done.

The chief editor stammered and rushed back to his office, witnesses recalled. But by then, Li's memo had leaked and was spreading across the Internet in countless e-mails and instant messages. Copies were posted on China's most popular Web forums, and within hours people across the country were sending Li messages of support.

The government's Internet censors scrambled, ordering one Web site after another to delete the letter. But two days later, in an embarrassing retreat, the party bowed to public outrage and scrapped the editor in chief's plan to muzzle his reporters.

Via Hugh Hewitt, who observes "The Party ought to require every member read An Army of Davids. (Who's got the rights in the PRC Glenn?)". Why limit it to Party members? I think that everyone in China should read it! +

An Army of Davids : How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths (Hardcover)
by Glenn Reynolds + via
@ +

The Great Firewall of China (About This Series)
Today: A Letter's Journey in Cyberspace
Coming Monday: A Battle Over Ideas
Coming Tuesday: A Measure of Freedom

The Great Firewall of China | A Letter's Journey in Cyberspace
The Click That Broke a Government's Grip

By Philip P. Pan
Washington Post Foreign Service
Sunday, February 19, 2006; Page A01

BEIJING -- The top editors of the China Youth Daily were meeting in a conference room last August when their cell phones started buzzing quietly with text messages. One after another, they discreetly read the notes. Then they traded nervous glances.

Colleagues were informing them that a senior editor in the room, Li Datong, had done something astonishing. Just before the meeting, Li had posted a blistering letter on the newspaper's computer system attacking the Communist Party's propaganda czars and a plan by the editor in chief to dock reporters' pay if their stories upset party officials. >>>

Posted by: maz2 at February 19, 2006 9:02 PM

First of all, it's UofT, not UT. Secondly, I belive the lab in question is the Citizen Lab at the Munk Centre for International Studies. The Professor who heads the lab teaches Political Science and has been interested for some time in the interaction between technology and civil society. An example of that would been individuals under repressive regimes organizing over the Internet--this is just an outgrowth of that research. You can go to their website if you're interested about the people behind all this.

I doubt the Prof really cares about Canada/China relations. Why should he?

Posted by: Wrenkin at February 21, 2006 1:01 AM