The PRC Evasion Game Is Not The IPS Evasion Game
Thomas Ptacek | July 7th, 2006 | Filed Under: Defenses, Uncategorized
I’ve talked to several trusted friends about Richard Clayton’s “Ignoring the Great Firewall of China” paper. Long story short: I’m not crazy. But my objections may be too wordy. Here’s another way of summing up the problem with this research:
In “normal” rules, the attacker only has to score once to win the game. Any critical vulnerability is usually game-over. When we think about ways of evading enterprise IPS, these are the rules we’re thinking of. The IPS has to block every shot to stay in the game.
These are not the PRC rules.
In the PRC evasion game, the attacker (here, a dissident citizen of the repressive PRC) has to score every time. The defender can miss almost every access to contraband content. Because when they do detect you, knowingly and overtly violating their laws, they don’t just block your packets. They also put you on a list. And a few weeks later, in the middle of the night, there’s a knock at your door.
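To make the asymmetry between the two sets of rules concrete, here is a small added example (mine, not part of the original post) that models each game as a run of independent trials with a fixed per-attempt probability. That independence assumption is a simplification the post does not make; real traffic analysis is correlated and adaptive. Under it, the same formula describes both games, with the roles swapped: in the IPS game the attacker's chance of ever getting through grows with every attempt, and in the PRC game the dissident's chance of ever being detected grows with every access, so a filter that misses 99% of accesses still wins over a few hundred of them.

```python
"""Cumulative-risk model for the two "games" described in the post.

Added example, not the post's own material. It assumes independent trials with a
constant per-attempt probability, which is a deliberate simplification.
"""
import math
from typing import Optional


def prob_at_least_one(per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent trials succeeds
    when each succeeds with probability `per_attempt`: 1 - (1 - p)^n."""
    if not 0.0 <= per_attempt <= 1.0:
        raise ValueError("per_attempt must be in [0, 1]")
    if attempts < 0:
        raise ValueError("attempts must be non-negative")
    return 1.0 - (1.0 - per_attempt) ** attempts


def ips_game_attacker_wins(evasion_per_attempt: float, attempts: int) -> float:
    """'Normal' rules: the attacker needs a single undetected attempt, so the IPS
    must block every shot. The attacker's win probability grows with attempts."""
    return prob_at_least_one(evasion_per_attempt, attempts)


def prc_game_dissident_caught(detection_per_access: float, accesses: int) -> float:
    """PRC rules: the dissident must go undetected on every access, because one
    detection puts them on the list. The censor's win probability grows with accesses."""
    return prob_at_least_one(detection_per_access, accesses)


def accesses_within_risk(detection_per_access: float, max_risk: float) -> Optional[int]:
    """Largest number of accesses that keeps the cumulative probability of ever being
    detected at or below `max_risk`. Returns None when there is no bound (p == 0)."""
    if not 0.0 <= detection_per_access <= 1.0 or not 0.0 <= max_risk < 1.0:
        raise ValueError("probabilities must be in [0, 1), detection in [0, 1]")
    if detection_per_access == 0.0:
        return None  # never detected: no limit on accesses
    if detection_per_access == 1.0:
        return 0  # every access is detected: the only safe count is zero
    # Solve 1 - (1 - p)^n <= r for n; both logs are negative so the ratio is positive.
    return int(math.floor(math.log(1.0 - max_risk) / math.log(1.0 - detection_per_access)))


if __name__ == "__main__":
    # Constructed illustrative numbers, not measurements of any real filter.
    print("IPS game: attacker evades 5% of the time per attempt")
    for n in (1, 10, 20, 100):
        print(f"  {n:4d} attempts -> P(attacker ever gets through) = "
              f"{ips_game_attacker_wins(0.05, n):.3f}")
    print("PRC game: filter detects only 1% of contraband accesses")
    for n in (1, 10, 100, 500):
        print(f"  {n:4d} accesses -> P(dissident ever detected) = "
              f"{prc_game_dissident_caught(0.01, n):.3f}")
    print("Accesses allowed at 1% per-access detection before cumulative risk exceeds 5%:",
          accesses_within_risk(0.01, 0.05))
```

Running the script prints the two tables side by side; the point the numbers make is that a per-access miss rate that would be laughable for an enterprise IPS is more than enough for a censor whose penalty is applied once, offline, after the first detection.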
Once again, we’re missing the complete picture when thinking about risk.
The problem with the “Great Firewall” is not that it uses bad technology, or that it aims to solve an intractable problem. The problem with the “Great Firewall” is that it exists at all. That’s not a problem we can solve with conference papers or code.


sargon
July 8th, 2006 11:57 am
While I don’t have anything to say about this area or paper in particular, I think that the Cambridge group can, at times, be rather sensationalistic. Don’t get me wrong, as a whole I really like what they do; however, when I have read papers that cover areas that I know something about, I often find they stretch the bounds of truth. Often times the “vulnerabilities” they discover have either been known for a long time or are not really as applicable as they think.
Part of this is that they have been very successful at marketing themselves to the media and the general IT world, and it seems to me that the topics they write about are increasingly being addressed to this group rather than to academia and/or security practitioners. It’s not that the topics themselves don’t have merit but rather how they are presented.
Pretending to Be Mike Lynn
July 8th, 2006 3:52 pm
“That’s not a problem we can solve with conference papers or code.”
I dunno, word is the GFWoC is all Cisco code. We have ways of fixing Cisco code.
daniel
July 8th, 2006 6:07 pm
Tom, I think you have made a painfully accurate observation, and it is one of threat models & risk management. Without understanding the threat framework within which one is functioning, offering workarounds is a worthless and perhaps dangerous exercise. The solution must not only address the mechanism by which a security bypass is possible but also the *context* of threat & the security systems being bypassed.
If the PRC equivalent of the Stasi disappears you when your traffic patterns differ from the norm…well, that is a very different risk model requiring a hidden-in-plain-sight-cypherpunk-covert-channel approach rather than a front door entry. Making dissident traffic indistinguishable from the masses, perhaps something like the idea of “Crowds” way back in the late 90’s and working some hocus-pocus proxy-encapsulation-rewrite-redirect on the server side–that might be interesting. However, it is a moot point because while the technical issues are entertaining to discuss, the reality is that the consequences for dissidents are nontrivial and in meatspace.
I would contend that the authors of the PRC paper and a majority of the audience have not considered what the actual threat is outside of their sand-boxed academic/r&d perspective - this is the land where the physical & digital divides merge.
Furthermore, I disagree with you with regard to code and conferences: they do help. Discussion and understanding are inherently valuable. Once the topic is in the open, we are now free to brainstorm first on system requirements, then on specifications on how to bypass the system, and then on applying those ideas into a solution. The solution(s) must be tailored to the actual problem, something the paper clearly did not do. The greater threat/risk isn’t a dissident’s lack of communication with the outside world, it is getting killed for trying to communicate with the outside world!
Architect a solution that addresses the hidden-in-plain-sight requirement, and then there is something both useful and worthy of discussion.
Thomas Ptacek
July 8th, 2006 8:00 pm
Daniel, this is great commentary.
On your first point, regarding whether there are techniques that can be used to create safe passage through the PRC filters — yes, there definitely are. But I worry about the implications of talking about them, except in the abstract.
Which brings me to your second point, about the utility of papers and conferences. Yes. Papers are good. Disclosure is good. If the Cambridge group wants to research ways to defeat content filtering, I invite them to get in line and outdo the current state of the art.
They haven’t done that. Instead, they’ve pointed out a well-known (and trivial) flaw in a SPECIFIC deployment — the equivalent of me pointing out, say, the OpenSSL SSLv2 overflow in the Motorola corporate webserver (hypothetically), and in public. That’s not vulnerability research.
Daniel
July 8th, 2006 9:08 pm
Your synopsis is precisely what I was getting at, although I was being obtuse. The publication offered nothing of strategic and little of operational value; however, it did:
1) Unnecessarily expose an egress vector
2) Show how little the authors understood of the problem, and even more how they were incapable of addressing it. Mighty amateur.
My point (and I suspect yours as well) is that those that are in the know are simply getting the job done, not publishing detrimental, inflammatory drivel for the sake of publicity. In my weird world, I believe that if you are going to publish/talk/share information, make it either amusing, relevant or useful. Their doc was lacking in all three categories, and the sad fact is that there is only more of this caliber of “research” on the horizon. The least we can do is keep on fighting the good fight and calling foul when necessary.
Dan Ingevaldson
July 9th, 2006 7:20 pm
I’m in China right now, and I don’t have anything to say about the great firewall or anything, but I am definitely wondering why every American here is wearing sweatpants. Can you guys do a blog entry about that? Thanks.