One of the open secrets of AWS is that even though AWS has a lot of regions and availability zones, a lot of AWS services have control planes that are dependent on / hosted out of us-east-1 regardless of which region / AZ you're using, meaning even if you are using a different availability zone in a different region, us-east-1 going down still can mess you up.
I am pretty squeamish around blood (even reading about it...), but this piece was so well written and engrossing and impactful that I made it all the way through in one shot. I had no idea that the Bovie instrument (and broadly the entire field of electrosurgery [1]) was even a thing; I assumed it was all still scalpels and such.
An incredible piece highlighting something people should know more about; thanks for posting this!
I too am squeamish and while I agree that the piece was very well written, it was too much for me. I had to tap out during the part about 18th/19th century grafting experiments. Just too much for me lol.
Will probably pick this back up and skip over the rest of that part though!
You can in fact already do this (have Mac windows show up as separate floating windows in VisionOS instead of all being on the single MacOS window) using a third party tool called Ensemble:
The point is that this should absolutely be capable of being a power-computing extension for Mac, but instead it’s been relegated to a $3k personal theater that runs apps for some reason
This doesn't work anymore; the GFW no longer detects VPN connections by port but instead by performing deep packet inspection to characterize the type of traffic going over every connection. Using this technique in combination with some advanced ML systems, they're able to detect any encrypted VPN connection and cut it off; it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore, and it's usually not even possible to _tunnel_ a VPN connection through some other protocol because the GFW now detects that too.
Stepping back and looking at it from a purely technical perspective, it's actually insanely impressive.
So there's a disconnect between what you're saying and what others and myself have experienced in China even recently. You appear to be saying that it's not possible to use a VPN to bypass the GFW, but I apologise if I have misunderstood.
The comments have multiple examples of people successfully bypassing the firewall. I personally just used Mullvad with wireguard + obfuscation (possibly also DAITA) and it just worked. No issues whatsoever.
This changes, not only over time, but also from region to region.
A close friend of mine travels to China often, and they use Mullvad because of my recommendation. Last year it worked great for them, but earlier this year they went back to China, and it really didn't work.
What I found most interesting is that they had different results in different places. Apparently, in the business areas of Shanghai and Beijing, where they had meetings and events, they could get WhatsApp and Slack messages; when they went back to the hotel, in a residential area where there were almost no offices or tourists, it didn't work. In Chongqing even less stuff worked.
I was very skeptical of this when they told me, but they could replicate this consistently over a couple of weeks. It wasn't related to hotel Wifi (that's a different can of worms), this was on mobile data.
Everything worked when they switched to using https://letsvpn.world, at the recommendation of some Chinese colleagues of theirs.
This was with a basic Mullvad install on iOS and Mac; they're not technical enough to harden their VPN connection further. Maybe they could've easily obfuscated it more and it would've worked.
The GFW being more lenient for tourists (esp. their foreign mobile plan) checks out with the stories I hear too. I'm guessing the less touristy places don't have "support" for these "exceptions" so they get a degraded experience there.
> the focus in this document is to enhance IP Traffic Flow Security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP-encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-size, constant-send-rate IPsec tunnel
(If they block a constant rate stream, that'll hit a whole ton of audio/video streaming setups)
I don’t think that’s possible. AV data is behind the TLS layer, all the DPI can see is a CBR stream that matches HTTPS signature. Unless it can do a MitM (Kyrgyzstan-style) they can’t really tell anything about the payload content save from what the TLS handshake may expose. Past it, observability stops at packet sizes and timings.
As I understand it, modern DPIs try to fingerprint TLS traffic by feeding data that passed some pattern matching to ML models that try to predict how likely it is that the connection is between a genuine commonplace browser and a "normal" webserver (or a video streaming server or game server, whatever they trained it on). And in turn modern obfuscation software tries to match that behavior and be seen exactly as if it's your Chrome user watching some cat videos or something equally innocuous.
When I lived in China 10 years ago, the GFW had a pretty effective way of slowing down constant traffic that goes to an outside-China IP address more and more over time. I had about 6 hours per IP (it started getting slower and slower during that time) before having to rotate, because even basic webpages didn't get through and SSH was unusable.
> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore
This is not true anymore, and your own link says so:
> all circumvention strategies adopted by these tools are reportedly still effective in China
And while this paper is not the most up to date, there are actually many new kinds of obfuscating VPN/proxy/tunnel technologies out now, and they are currently not blocked. Some methods can even disguise themselves as unencrypted, plaintext legitimate-looking HTML and still tunnel traffic (slowly) through it.
Assuming they don't MITM SSH, you should still be able to use something like WireGuard over an SSH tunnel. At least I would think so... it's all SSH traffic as far as any DPI listener is concerned; you'd of course need to verify the connection signature through another vector though.
> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore.
Really? Because the paper you linked says they don't block any TLS connections so you can just run a VPN over TLS:
> TLS connections start with a TLS Client Hello message, and the first three bytes of this message cause the GFW to exempt the connection from blocking.
Give it a try if you want; it doesn't work. For TLS traffic they track what the connection looks like over time; a TLS connection for normal web traffic versus a VPN connection tunneling through TLS apparently look different enough that they can detect and cut it off.
Worth noting is that OpenVPN’s TCP TLS mode does not work that way. It’s essentially the UDP protocol messages except wrapped into TCP. The initial handshake is not a normal TLS client hello.
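To illustrate the two preceding comments (the quoted exemption rule keyed on the first bytes of a TLS Client Hello, and the note that OpenVPN's TCP mode does not begin with one), here is an added example that is mine, not the paper's or the GFW's actual logic and not OpenVPN's code. It classifies the first bytes of a TCP payload with a TLS-record check and an OpenVPN-TCP-framing check. The exact byte rule for the TLS exemption and the OpenVPN framing details (2-byte length prefix, then an `opcode << 3 | key_id` byte, with opcode 7 for the client's hard reset) are my reading of the respective formats and should be treated as assumptions; the sample payloads are constructed by hand for the example.

```python
"""First-bytes classifier: TLS Client Hello record vs. OpenVPN-over-TCP framing.

Added example, not the GFW's real rule and not OpenVPN code. The byte rules
below are assumptions based on the public wire formats.
"""


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header 0x16 (handshake), 0x03 0x00..0x03 (version), 2-byte
    length, then handshake type 0x01 = ClientHello. Assumed approximation of
    the exemption rule quoted in the thread."""
    if len(data) < 6:
        return False
    return (data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03
            and data[5] == 0x01)


def looks_like_openvpn_tcp(data: bytes) -> bool:
    """OpenVPN TCP mode (assumption): 2-byte big-endian packet length, then one
    byte of opcode<<3 | key_id. Known opcodes are 1..10; a new session begins
    with P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7). Minimal control packet
    without tls-auth is opcode(1) + session id(8) + ack array len(1) + packet id(4)."""
    if len(data) < 3:
        return False
    length = int.from_bytes(data[:2], "big")
    opcode = data[2] >> 3
    return 1 <= opcode <= 10 and length >= 14 and length == len(data) - 2


def classify(data: bytes) -> str:
    if looks_like_tls_client_hello(data):
        return "tls-exempt"
    if looks_like_openvpn_tcp(data):
        return "openvpn-tcp"
    return "unknown"


def build_tls_client_hello(sni: bytes = b"example.com") -> bytes:
    """Constructed, minimal-but-well-formed Client Hello record (not captured)."""
    host = sni
    server_name = b"\x00" + len(host).to_bytes(2, "big") + host
    sni_ext_body = len(server_name).to_bytes(2, "big") + server_name
    sni_ext = b"\x00\x00" + len(sni_ext_body).to_bytes(2, "big") + sni_ext_body
    body = (b"\x03\x03" + bytes(32)            # legacy version + client random
            + b"\x00"                           # session id length 0
            + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # one compression method: null
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_openvpn_tcp_reset() -> bytes:
    """Constructed OpenVPN TCP first packet (assumed layout, no tls-auth)."""
    inner = (bytes([7 << 3 | 0])                # opcode 7, key_id 0 -> 0x38
             + b"\x11\x22\x33\x44\x55\x66\x77\x88"  # session id (made up)
             + b"\x00"                          # packet-id ack array length
             + (0).to_bytes(4, "big"))          # message packet id
    return len(inner).to_bytes(2, "big") + inner


# Constructed "fully encrypted" payload: nothing in the first bytes matches
# either format (first byte 0x8f -> opcode 17, outside 1..10).
TLS_SAMPLE = build_tls_client_hello()
OPENVPN_SAMPLE = build_openvpn_tcp_reset()
OPAQUE_SAMPLE = bytes.fromhex("8fa2c41d9e0b7735ac41f0e9d88a1c5b")

if __name__ == "__main__":
    for name, sample in [("tls", TLS_SAMPLE), ("openvpn", OPENVPN_SAMPLE),
                         ("opaque", OPAQUE_SAMPLE)]:
        print(f"{name:8s} {sample[:6].hex():14s} -> {classify(sample)}")
```

The point the example makes is the one in the comment above: "TLS inside" is not the same as "starts with a TLS record". A tunnel that wants the exemption has to put a real-looking Client Hello on the wire first, and OpenVPN's TCP transport does not.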
This is a pretty well known thing; the M3/A17 generation GPU was a ground-up redesign that added things like dynamic caching and hardware ray tracing [1] which are highly nontrivial to simply extend an existing architecture to support. Unfortunately I can’t find where I read this, but IIRC at the time M2 came out there were expectations that M2 would have a new GPU architecture with hardware ray tracing but this wound up being delayed to M3 because it took longer than expected to do a ground-up redesign of the GPU.
I once saw an interview with the SVP who oversees Azure datacenter buildout or something like that and a thing that stuck with me was that he said his job got a lot easier when he realized he was no longer in the computer business, he was now in the industrial cooling business.
Reading this article immediately made me think back to that.
About 15 years ago at this point a bunch of my friends/labmates and I salvaged enough discarded PCs from the Levine Hall (Penn CS building) loading dock to assemble an entire small renderfarm, which we squirreled away in a corner of the graphics lab and used for learning and playing with RenderMan.
I had the incredible good fortune to cross paths with iq at Pixar; I was an intern while he was developing the Wondermoss procedural vegetation system for Brave. A bunch of us interns were already fans of his work from the demoscene world and upon learning this, he was kind enough to put together a special lecture for the interns on procedural graphics and the work he was doing for Wondermoss. That was one of the best and most mind-blowing lectures I've ever seen- for every concept he would discuss in the lecture, he would live-code a demo in front of us (this was before ShaderToy was a thing, so live-coding was something nobody had ever really seen before), and halfway through the lecture he revealed that the text editor he was using was built on top of his realtime live editing graphics system and therefore could be live-coded as well.
One of the things he showed us was an early version of what eventually became the BeautyPi tech demo [0]; keep in mind that this still looks incredible today and iq was demoing this for us interns in realtime 14 years ago.
Wondermoss was a spectacular piece of tech. Every single forest scene and every single piece of vegetation in Brave is made using Wondermoss, and it was all procedural- when you'd open up a shot from Brave in Menv30, you'd see just the characters and groundplane and very little else, and then you'd fire up the renderer and a huge vast lush forest would appear at rendertime. The even cooler thing was that since Brave was still using REYES RenderMan, iq took advantage of the REYES algorithm's streaming behavior to make Wondermoss not only generate but also discard vegetation on-the-fly, meaning that Wondermoss used vanishingly little memory. If I remember correctly, Wondermoss only added like a few dozen MB of memory usage at most to each render, which was insane since it was responsible for like 95% of the visual complexity of each frame. One fun quirk of Wondermoss was that the default random seed was iq's phone number, and that remained for quite a number of years, meaning his phone number is forever immortalized in pretty much all of Pixar's films from the 2010s.
iq is one of the smartest and most inspiring people I've ever met.
The sting in the phone number tale is that, at one point, he changed his phone number and suddenly all the vegetation changed when scenes were re-rendered.
It's all shaders! That's why they take up so little memory space.
Here's a video where IQ explains how to "model" a greek temple using this technique: https://youtu.be/-pdSjBPH3zM?t=303