NetAskari
Jun 17, 8 tweets, 4 min read
How hard is it to really ban VPNs technically without going full "North Korea" with the tech of today!? Turns out, actually really hard. How do we know? Well, the world's biggest surveillance state, China, has been trying for a long time and despite some advances, to this day they struggle. Let us have a little walk along "VPN ban lane". 1/
1. The easy way: Ban VPNs on app stores and forbid VPN providers to offer their services in your country. That is probably one of the more successful routes. As most internet users are technically not very well versed, often use mobile devices with "walled gardens" (like iPhones) and are often more interested in comfort than in learning new skills, banning commercial VPNs for consumers at this level is actually quite effective. China does it and it works more or less. You have to accept some level of "black market", but if you build a good perimeter in the App Store and get manufacturers to forbid side loading, you are definitely limiting access for a big part of your population. You can maybe also get providers like Apple on board to do constant surveillance on the device itself. But that needs serious buy-in from them and probably pushes the economic pull of most countries beyond what the suppliers would accept. China is trying on that front, but is not there yet. Maybe the US could enforce it through its market power. 2/
2. Ban IP ranges of known VPN providers: This is the second most effective measure. As most commercial VPN providers only sit on a limited range of IP addresses, it is possible to try to stop your citizens' devices from connecting to those, especially if they are in foreign countries. You would need some sort of national firewall for it. It comes with a price tag and the VPN providers might change and expand their IP ranges, but maybe eventually they figure out that the juice is not worth the squeeze and you win. But most likely it will turn into a game of whack-a-mole. 3/
3. Ban VPN protocols on your network: Now we are getting quite technical, and this is something the Chinese have worked on for many years. Deep Packet Inspection baby, plus traffic fingerprinting, endpoint probing...the whole shebang. It's fun, costly and technically challenging. You need a pretty sophisticated online traffic monitoring system. Sure, AI might increasingly help you out. But then there is also a lot of encrypted traffic (TLS mainly) on the web, which those pesky VPNs can try to hide in. It also adds a lot of strain, and you might drop "legit" traffic at times. It also needs an incredibly promiscuous national legal framework. So, also start to rewrite basic laws. 4/
4. Bring your own network protocol: Now we are talking. The nuclear option from the future. Establish your own internet protocol that is incompatible with the rest of the world, making most VPN services useless (goodbye TCP/IP). Think single gauge and wide gauge railways. Just have dedicated national gateways that only accept data packets they can clearly inspect and identify before they "translate" them to your proprietary protocol stack. Nothing goes past that. You might also tank your economy and isolate yourself from the world in the process, but hey ho. For 90% of all countries this is not feasible (technically and economically), though; swing for the fences. Even the Chinese have not managed that yet. 5/
5. Get everyone on board, ban hosting and using VPNs network wide, even beyond your borders: Talk to your friends and partners abroad. Get everyone to agree that on privately hosted VPS systems in 2/3rds of the world, nobody is allowed to host VPN servers. The hosting providers need to enforce it. The manufacturers of OSes also get on board. Constant monitoring of devices and whole IT infrastructures is required. Not just your phone. EVERYTHING, all the time. Build a legal framework to outlaw encrypted network traffic altogether. The technical requirements are immense and this is a surveillance fever dream, but probably too far away from reality in our world of today. 6/
Of course, I have left out some niche scenarios and you can mix and match the above scenarios to fine tune your approach. But China tried a lot of this and somehow could not make it stick. Their aim, though, was mainly to keep the masses off it, which worked, and then just whack the occasional violator with a range of punishments, just to "send a message". But has it stopped Chinese citizens from "climbing over the wall"? No, it did not. But it "corralled" the problem. 7/
So, what's the moral of this post? I guess many users, also in the West, bet on the circumstance that their governments could not infringe heavily on their online usage. They surrendered themselves to comfortable solutions for their digital devices that ultimately created pain points that can be easily exploited. Technical advancements were celebrated at the cost of having a more open "architecture". That is how you end up with an iPhone. The open source scene was often belittled as "backward" nerds who stand in the way of the "cool progress" that the sleek companies promised. Maybe for the future we should all think about how we want our digital infrastructure to be designed. Rant over...
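The whack-a-mole effect from point 2, as an added example that is not part of the original thread: a static IP-range blocklist is replayed over a flow log before and after a provider expands into a new range. All addresses are RFC 5737 documentation ranges; the flow log, the "is a VPN endpoint" labels and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed snapshot of provider ranges loaded into the filter on day 1.
BLOCKLIST_DAY1 = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed flow log: (day, destination IP, ground truth "is a VPN endpoint").
FLOWS = [
    (1, "192.0.2.10", True),
    (1, "198.51.100.20", True),
    (1, "203.0.113.80", False),
    (30, "192.0.2.10", True),
    (30, "198.51.100.200", True),   # provider expanded into a new /25
    (30, "198.51.100.201", True),
    (30, "203.0.113.80", False),
]

def compile_blocklist(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_blocked(dst, networks):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in networks)

def coverage_by_day(flows, networks):
    """Return {day: (VPN flows blocked, VPN flows seen)}."""
    stats = defaultdict(lambda: [0, 0])
    for day, dst, is_vpn in flows:
        if not is_vpn:
            continue
        stats[day][1] += 1
        if is_blocked(dst, networks):
            stats[day][0] += 1
    return {day: tuple(v) for day, v in stats.items()}

def uncovered_prefixes(flows, networks, prefixlen=25):
    """Prefixes that would have to be added to catch the missed VPN flows."""
    missed = {ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
              for _, dst, is_vpn in flows
              if is_vpn and not is_blocked(dst, networks)}
    return sorted(missed)

if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST_DAY1)
    for day, (hit, total) in sorted(coverage_by_day(FLOWS, nets).items()):
        print(f"day {day}: {hit}/{total} VPN flows matched the day-1 blocklist")
    print("ranges to add:", [str(n) for n in uncovered_prefixes(FLOWS, nets)])
```

Coverage of the unchanged list falls as soon as endpoints appear outside the snapshot, so the list has to be re-derived continuously from fresh observations.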
