Hanno's blog

tl;dr A very short key exchange crashes Chromium/Chrome. Other browsers accept parameters for a Diffie Hellman key exchange that are completely nonsense. In combination with recently found TLS problems this could be a security risk.

People who tried to access the webpage https://demo.cmrg.net/ recently with a current version of the Chrome browser or its free pendant Chromium have experienced that it causes a crash in the Browser. On Tuesday this was noted on the oss-security mailing list. The news spread quickly and gave this test page some attention. But the page was originally not set up to crash browsers. According to a thread on LWN.net it was set up in November 2013 to test extremely short parameters for a key exchange with Diffie Hellman. Diffie Hellman can be used in the TLS protocol to establish a connection with perfect forward secrecy.

For a key exchange with Diffie Hellman a server needs two parameters, those are transmitted to the client on a connection attempt: A large prime and a so-called generator. The size of the prime defines the security of the algorithm. Usually, primes with 1024 bit are used today, although this is not very secure. Mostly the Apache web server is responsible for this, because before the very latest version 2.4.7 it was not able to use longer primes for key exchanges.

The test page mentioned above tries a connection with 16 bit - extremely short - and it seems it has caught a serious bug in chromium. We had a look how other browsers handle short or nonsense key exchange parameters.

Mozilla Firefox rejects connections with very short primes like 256 bit or shorter, but connections with 512 and 768 bit were possible. This is completely insecure today. When the Chromium crash is prevented with a patch that is available it has the same behavior. Both browsers use the NSS library that blocks connections with very short primes.

The test with the Internet Explorer was a bit difficult because usually the Microsoft browser doesn't support Diffie Hellman key exchanges. It is only possible if the server certificate uses a DSA key with a length of 1024 bit. DSA keys for TLS connections are extremely rare, most certificate authorities only support RSA keys and certificates with 1024 bit usually aren't issued at all today. But we found that CAcert, a free certificate authority that is not included in mainstream browsers, still allows DSA certificates with 1024 bit. The Internet Explorer allowed only connections with primes of 512 bit or larger. Interestingly, Microsoft's browser also rejects connections with 2048 and 4096 bit. So it seems Microsoft doesn't accept too much security. But in practice this is mostly irrelevant, with common RSA certificates the Internet Explorer only allows key exchange with elliptic curves.

Opera is stricter than other browsers with short primes. Connections below 1024 bit produce a warning and the user is asked if he really wants to connect. Other browsers should probably also reject such short primes. There are no legitimate reasons for a key exchange with less than 1024 bit.

The behavior of Safari on MacOS and Konqueror on Linux was interesting. Both browsers accepted almost any kind of nonsense parameters. Very short primes like 17 were accepted. Even with 15 as a "prime" a connection was possible.

No browser checks if the transmitted prime is really a prime. A test connection with 1024 bit which used a prime parameter that was non-prime was possible with all browsers. The reason is probably that testing a prime is not trivial. To test large primes the Miller-Rabin test is used. It doesn't provide a strict mathematical proof for primality, only a very high probability, but in practice this is good enough. A Miller-Rabin test with 1024 bit is very fast, but with 4096 bit it can take seconds on slow CPUs. For a HTTPS connection an often unacceptable delay.

At first it seems that it is irrelevant if browsers accept insecure parameters for a key exchange. Usually this does not happen. The only way this could happen is a malicious server, but that would mean that the server itself is not trustworthy. The transmitted data is not secure anyway in this case because the server could send it to third parties completely unencrypted.

But in connection with client certificates insecure parameters can be a problem. Some days ago a research team found some possibilities for attacks against the TLS protocol. In these attacks a malicious server could pretend to another server that it has the certificate of a user connecting to the malicious server. The authors of this so-called Triple Handshake attack mention one variant that uses insecure Diffie Hellman parameters. Client certificates are rarely used, so in most scenarios this does not matter. The authors suggest that TLS could use standardized parameters for a Diffie Hellman key exchange. Then a server could check quickly if the parameters are known - and would be sure that they are real primes. Future research may show if insecure parameters matter in other scenarios.

The crash problems in Chromium show that in the past software wasn't very well tested with nonsense parameters in cryptographic protocols. Similar tests for other protocols could reveal further problems.

The mentioned tests for browsers are available at the URL https://dh.tlsfun.de/.

This text is mostly a translation of a German article I wrote for the online magazine Golem.de.

tl;dr Journalismus bangt um seine Finanzierung, aber Werbung nervt. Die Aufmerksamkeit für die Ereignisse um Adblock Plus ist völlig übertrieben. Die Idee der Acceptable Ads ist eigentlich vernünftig, die Medien sollten sie selbst aufgreifen.

In den letzten Tagen macht mal wieder eine Nachricht um den Werbeblocker Adblock Plus die Runde und wird von zahlreichen Medien aufgegriffen. Ich wollte mal meine Meinung dazu aufschreiben, das wird jetzt etwas länger. Vorneweg: Ich fühle mich in gewisser Weise zwischen den Stühlen. Ich verdiene mein Geld überwiegend mit Journalismus, ich kann aber sehr gut nachvollziehen, warum Menschen Adblocker einsetzen.

Die eine Seite: Zukunft des Journalismus

Der Journalismus ist in der Krise, das wissen wir spätestens seit dem Ende von dapd, der Financial Times Deutschland und dem Beinahe-Ende der Frankfurter Rundschau. Viele Menschen machen sich Sorgen um die Zukunft guter Berichterstattung und viele Journalisten machen sich Sorgen um ihren Job. Die Zukunft des Journalismus liegt im Internet, aber es gibt ein Problem: Bisher haben Zeitungen damit Geld verdient, bedrucktes Papier zu verkaufen und dieses Geschäftsmodell erodiert in rapider Geschwindigkeit. Im Internet Geld zu verdienen ist schwer. Es gibt im wesentlichen vier Möglichkeiten, mit Jouranlismus im Netz Geld zu verdienen: Werbung, bezahlte Inhalte, Spenden/Sponsoring und aus Steuern und Gebühren finanzierter Journalismus.

Keine dieser Möglichkeiten funktioniert sonderlich gut. Viele, die gute Inhalte produzieren, haben es verdammt schwer. Viele glauben, dass man die Nutzer nur irgendwann zum Bezahlen von Inhalten „umerziehen“ muss und dann alle ihre Paywalls anschalten, ich halte das aus verschiedenen Gründen für eine Illusion. Von allen Möglichkeiten, Onlinejournalismus zu finanzieren, funktioniert Werbung derzeit am besten. Nicht gut, aber für die meisten besser als alles andere.

Aber das Geschäftsmodell „Werbung“ wird angenagt. Immer mehr Nutzer nutzen Software wie Adblock Plus, ein relativ simpel zu installierendes Browserplugin.

Die andere Seite: Der genervte Nutzer

Wer heute ohne Werbeblocker im Netz surft bekommt den Eindruck die Werbeindustrie hat jedes Maß verloren. Werbung, die Musik abspielt, die wild blinkend um Aufmerksamkeit bettelt, die ihn ausspioniert, die das System auslastet oder die – das kommt immer wieder vor - versucht, Viren auf dem Rechner des Nutzers zu installieren oder ihn auf betrügerische Webangebote weiterleitet.

Die wenigsten installieren sich einen Adblocker leichtfertig. Denn auch das ist nervig und problembehaftet. Ich habe beispielsweise jahrelang ohne Werbeblocker gesurft. Schon lange vor es Adblock Plus überhaupt gab hatte ich mal ein Tool namens Privoxy installiert, es aber nach kurzer Zeit wieder deinstalliert. Jeder Werbeblocker bringt Probleme mit sich: Manche Seiten funktionieren nicht richtig, der Werbeblocker selbst will Speicher und Systemressourcen, kann für Browserabstürze verantwortlich sein und hat möglicherweise Sicherheitslücken. Werbeblocker installiert man sich erst dann, wenn die Nachteile durch Werbung so gravierend sind, dass sie die Nachteile eines Adblockers deutlich aufwiegen.

Diesen Punkt haben wir inzwischen erreicht und er führt dazu, dass gerade auf IT-Webseiten immer mehr Nutzer mit Adblockern unterwegs sind.

Die dritte Seite: Werbung an sich

Es gibt noch eine dritte Perspektive, die hier nicht verschwiegen werden soll und der ich einiges abgewinnen kann: Werbung ist eigentlich – aus gesellschaftlicher Sicht – eine reichlich dumme Angelegenheit. Werbung dient dazu, Menschen zu mehr Konsum zu bewegen. Sie fragt nicht, ob dieser Konsum irgendeinem Zweck dient. Sie bindet unglaubliche Mengen an Ressourcen und menschlicher Kreativität.

Diese Meinung mag nicht jeder im Detail teilen, aber mehr oder weniger denken vermutlich sehr viele Menschen so. Die wenigsten werden sagen: „Werbung ist etwas grundsätzlich tolles und schützenswertes.“ Schützenswert ist vielleicht der von der Werbung finanzierte Journalismus, aber nicht die Werbung selbst. Deswegen hat man auch wenig Hemmungen, Werbung zu blockieren. Man blockiert nichts wertvolles und hat nicht das Gefühl, etwas zu verpassen.

Es ist in gewisser Weise eine Tragik, dass so etwas sinnvolles wie Journalismus (bei aller Kritik im Detail) heute in starkem Maße von so etwas sinnlosem wie Werbung abhängt. Nein, einen einfachen Ausweg habe ich nicht anzubieten. Aber ich denke man muss sich dieses Dilemmas bewusst sein.

Der Streit zwischen mobilegeeks und Adblock Plus

Eine sehr erfolgreiche Software zum Blocken von Werbung ist das Browserplugin Adblock Plus. Adblock Plus hat vor einiger Zeit ein Programm für sogenannte „akzeptable Werbung“ (Acceptable Ads) eingeführt. Dafür hat Adblock Plus eine Reihe von Regeln, die wenig überraschen. Sie entspricht in vielen Punkten dem, was auch die meisten Nutzer als „akzeptable Werbung“ betrachten würden, etwa das Verbot von Sound in der Werbung oder von Layer Ads. Adblock Plus pflegt eine Whitelist von Seiten, die sie als akzeptabel betrachten und diese werden in der Standardeinstellung nicht blockiert.

Nun nimmt Adblock Plus von manchen Werbebetreibern auch Geld dafür, dass sie vom Werbeblocker ausgenommen werden. Das kann man fragwürdig finden. Der Betreiber der Webseite mobilegeeks Sascha Pallenberg berichtete darüber schon mehrfach, oft in ausgesprochen polemischer Weise („mafiöses Netzwerk“), und hat dabei eine erstaunliche Medienresonanz. Zuletzt berichtete mobilegeeks, dass Google und andere große Unternehmen an Adblock Plus nicht unerhebliche Beträge zahlen, um in die Liste der akzeptablen Werbung aufgenommen zu werden.

Dass eine Software mit Geschäftsmodellen arbeitet, die fragwürdig sind, kommt häufiger vor. Dass einiges von dem, was die Firma hinter Adblock Plus treibt, kritikwürdig ist, will ich nicht bezweifeln. Die gigantische Medienresonanz der Geschichte hat aber einen faden Beigeschmack. Die Süddeutsche, die Welt, die FAZ oder die Neue Züricher Zeitung sind üblicherweise keine Blätter, die besonders ausführlich über Netzthemen berichten oder sich für die Details seltsamer Geschäftsmodelle im Internet interessieren. Die ganze Geschichte wird viel größer gemacht als sie ist.

Der Effekt dürfte bei vielen Nutzern übrigens kaum sein, dass sie künftig ohne Adblocker surfen. Wer Adblock Plus misstraut, wird entweder das Acceptable Ads-Feature abschalten (ist problemlos möglich) oder auf einen alternativen Werbeblocker setzen, der ohne ein solches Feature auskommt (es gibt genügend davon).

Acceptable Ads

Grundsätzlich ist die Idee von Acceptable Ads nicht dumm. Die Medienbranche täte gut daran, die Diskussion darum, was an Werbung akzeptabel ist und was nicht, selbst zu führen. Man könnte sich etwa eine Selbstverpflichtung der Medienbranche ähnlich dem Pressekodex des deutschen Presserats vorstellen. Im Prinzip kommt man immer wieder zu ähnlichen Schlüssen, was akzeptable Werbung ist: Kein Blinken, kein Sound, keine Layer-Ads, kein Flash.

Nun gibt es allerdings ein Problem mit dem, was Adblock Plus unter Acceptable Ads versteht: Die Seite lässt manches durch, was zumindest ich alles andere als akzeptabel finde. So wurde etwa die Werbung eines Unternehmens namens YieldKit akzeptiert und dafür offenbar extra die Regeln, was akzeptable Werbung ist, geändert. YieldKit platziert via JavaScript Werbelinks in einen Text. Das greift schon die journalistisch gebotene Trennung von Werbung und Inhalt an. Wenn dafür Geld fließt, dass Adblock Plus derartiges durchlässt, dann ist die Kritik am Geschäftsmodell von Adblock Plus berechtigt. Aber die Grundidee, eine Diskussion über akzeptable Werbung anzustoßen, die halte ich nach wie vor für sinnvoll.

Man kann sich über manche Details sicher streiten. Ob Animationen generell verboten oder im bestimmten Rahmen erlaubt sein sollten etwa, oder ob Flash eine Existenzberechtigung hat. Manche Nutzer finden es spooky, wenn ihnen Werbebanner durchs Netz folgen, andere haben damit kein Problem. Aber es gibt denke ich zwei Punkte bei denen kann man sich nicht streiten: Sicherheit und Systemauslastung.

Adblocker als Schutz vor Malware

Werbung im Netz ist ein Sicherheitsrisiko. Werbeblocker sind eine sinnvolle Maßnahme, die Sicherheit beim Surfen zu erhöhen. Die Situation ist einigermaßen gruselig. Das BSI hat im letzten Jahr zweimal vor Malware in Werbebannern gewarnt. Es ging dabei nicht um die Schmuddelecken des Internets, zahlreiche populäre Webseiten waren betroffen.

Eine beliebte Software zur Verbreitung von Werbung nennt sich OpenX. OpenX hatte in der Vergangenheit immer wieder massive Sicherheitslücken. Im vergangenen Jahr verteilte die offizielle Webseite von OpenX eine gehackte Version mit einer Backdoor. Diese gehackte Version ist extrem verbreitet. Ich betreibe selber Webserver und habe schon mehrere Installationen davon stillgelegt. OpenX wird inzwischen nicht mehr weiterentwickelt, es gibt einen Nachfolger namens Revive, aber http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/ erst im Dezember wurde in Revive eine weitere massive Sicherheitslücke entdeckt.

Das ist nicht akzeptabel. Überhaupt nicht. Ein „wir bemühen uns, dass so etwas nicht vorkommt“ reicht nicht. Dafür kommt es viel zu oft vor. Ich möchte wissen, welche Strategie die Werbebranche hat, so etwas abzustellen. Ich möchte von den werbenden Webseiten, die mich darum bitten, meinen Adblocker abzuschalten, wissen, welche Software ihre Werbepartner einsetzen, denen sie immerhin die Sicherheit ihrer Kunden anvertrauen. Ich möchte wissen, warum noch niemand einen professionellen Audit von Revive organisiert hat oder Bug-Bounties bezahlt. Solange die Branche dieses Problem nicht soweit im Griff hat, dass das Risiko geringer ist als sich durch den Werbeblocker Sicherheitsprobleme einzuhandeln, werde ich weiterhin jedem, der mich um seine Meinung fragt (und das sind in Sachen PC-Sicherheit ein paar) sagen, dass Adblocker eine effektive Maßnahme zu mehr Sicherheit im Netz sind.

CPU-Last

Kommen wir zum Thema Systemlast. Werbung benötigt Rechenpower. Nicht ein bisschen, sondern ganz erheblich. Als es zuletzt mal wieder eine Kampagne von verschiedenen Medien mit der Nachricht „schaltet doch bitte Eure Adblocker aus“ gab, habe ich testweise die Seiten der beteiligten Medien mit Firefox und ohne Werbeblocker aufgerufen. Das Ergebnis war beeindruckend. Auf allen Seiten schnellte die Systemlast nach oben, in top (ein Tool unter Linux zum Anzeigen der Systemauslastung) waren abwechselnd Firefox und das Flash-Plugin ganz oben und benötigten über 50 Prozent der CPU-Leistung.

Ich habe dazu nur eine Frage: Wenn ihr schreibt „Bitte schaltet den Adblocker aus“ - meint ihr wirklich, dass sich eure Besucher deswegen einen schnelleren PC kaufen?

(Hinweis am Rande: Ich weiß, dass das Problem mit der CPU-Last unter Linux verstärkt auftritt, weil der Flash-Player für Linux so schlecht ist. Aber nein, das ist keine Entschuldigung.)

Ein Allmendeproblem

Nachdem ich gestern noch eine Weile über die Sache nachgedacht hab, ist mir ein offensichtliches Problem aufgefallen: Einzelne Nachrichtenwebseiten können vermutlich kaum etwas ausrichten. Werbeblocker deinstallieren werden die Nutzer nicht, wenn eine einzelne Webseite aufhört, nervige Werbung zu schalten. Die Nutzer darum zu bitten, ihren Werbeblocker auf einzelnen Webseiten auszuschalten, funktioniert vermutlich nur in sehr begrenztem Umfang.

Deswegen: Wenn einzelne, kleinere Webangebote voranpreschen und besonders nervige Werbeformen ausschließen, ist das löblich, es wird ihnen aber vermutlich wenig gedankt – ein klassisches Allmendeproblem. Das ganze müsste eine Debatte der Branche sein. Ein guter Anfang wäre es, wenn all diejenigen, die zuletzt entsprechende Appelle an ihre Besucher gestartet haben, sich auf eine Art Kodex einigen würden. Da wäre schon ein relevanter Anteil der deutschsprachigen Nachrichtenwelt zusammen.

Datenschutz

Was ich bis jetzt nur am Rande gestreift habe: Das Thema Datenschutz. Nicht weil ich es vergessen habe, sondern weil ich das Gefühl hatte es verkompliziert die ganze Debatte noch enorm. Werbung wird heute fast immer nicht über die jeweilige Seite selbst sondern über externe Vermarkter ausgeliefert. Das bedeutet automatisch: Der Werbevermarkter bekommt nicht nur Aufmerksamkeit, sondern auch Daten. Dazu kommen noch zahlreiche Services, die ausschließlich Daten abgreifen und für den Nutzer komplett unsichtbar sind. Nicht wenige davon sind gerade für journalistische Angebote kaum verzichtbar, etwa die Zählpixel der VG Wort oder die Statistiken der IVW. Das darf aber nicht darüber hinwegtäuschen: Gerade diese Services dürften inzwischen ein enormes Datenmaterial mit großen Missbrauchspotential haben.

Fazit

Werbung ist doof, aber sie wird auf absehbare Zeit ein wichtiges finanzielles Standbein des Journalismus bleiben. Wenn ihr wollt, dass die Leute aufhören, Adblocker einzusetzen: Macht Werbung erträglich. Dann wird die Rate derer, die sich Werbeblocker installieren, ganz von selbst zurückgehen. Ja, das bedeutet Konflikte mit den Werbevermarktern. Ja, ihr müsst denen erklären, dass Flash doof ist und dass ihr es Euren Nutzern nicht zumuten könnt, wegen ihrer Banner neue Rechner zu kaufen. Nein, von dem Werbebetreiber, der letzten Monat einen Virus verbreitet hat, solltet ihr keine Werbebanner schalten. Ja, es kann dazu führen, dass ihr kurzfristig finanziell lukrative Werbung nicht mehr schalten könnt.

Disclaimer / conflict of interest: Ich benutze auf diesem Blog Google Ads. Google scheint die einzige Firma zu sein, die richtig viel Geld mit Werbung verdient und trotzdem in der Regel das tut, was die meisten als akzeptable Werbung ansehen (mit der großen Ausnahme Datenschutz). Außerdem benutze ich Zählpixel der VG Wort und einen flattr-Button. Ich schreibe regelmäßig Texte für die IT-Nachrichtenseite Golem.de, die an einer der jüngsten Kampagnen zum Thema Adblocker beteiligt war.

Bildquellen: Leuchtreklame von Wikimedia Commons (Public Domain), restliche Bilder Screenshots.

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) macht ja seit vorgestern mächtig Wirbel um einige Zugangsdaten, die sie angeblich aus einem Botnetz haben. Leider informiert das BSI bislang nur sehr spärlich über Details. Ich habe, nachdem die zugehörige Webseite nach einigen Stunden wieder einigermaßen erreichbar war, verschiedene von mir in der Vergangenheit genutzte Mailadressen prüfen lassen. Bei einer Mailadresse eines großen deutschen Freemail-Anbieters, die ich vor langer Zeit als primäre Mailadresse genutzt hatte, schlug der Test an und ich bekam eine der Warnmails (ich dokumentiere die Mail weiter unten). Das ist jetzt aus zwei Gründen interessant:

1. Ich habe diese Mailadresse seit ungefähr zehn Jahren nicht genutzt. Ich habe alle Accounts, die ich aktiv nutze, auf meine aktuelle Mailadresse auf eigener Domain umgestellt. Das bedeutet: Die Daten, die das BSI da hat, sind also - zumindest teilweise - uralt.

Eine Sache, die hier vielleicht spannend ist: Im November letztes Jahr gab es einen größeren Leak von Accountdaten bei Adobe. Da war ein Account mit dieser Mailadresse dabei (fragt mich nicht warum ich irgendwann einen Adobe-Account hatte, wie gesagt, ist mindestens zehn Jahre her). Es ist natürlich reine Spekulation, aber es scheint mir zumindest vorstellbar, dass es sich bei den BSI-Daten schlicht um die selben Daten handelt. Rein zeitlich würde es ins Bild passen. (Update: Mehrere Leute teilten mir mit dass sie vom Adobe-Leak betroffene Mailadressen haben, die das BSI nicht kennt, also Spekulation höchstwahrscheinlich falsch)

2. Ich erhalte hier eigentlich eine völlig nutzlose Warnung und unpraktikable Tipps. Denn was mir das BSI letztendlich mitteilt: Sie haben Zugangsdaten zu irgendeinem Account irgendwo im Zusammenhang mit einer Mailadresse von mir. Oder, um das BSI zu zitieren: "Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst."

Verbunden ist das ganze mit dem kaum umsetzbaren Vorschlag, ich solle doch am besten alle meine Passwörter ändern.

Was ich ja jetzt gern wüsste: Weiß das BSI, um was für einen Account es geht? Und falls ja: Warum teilen sie es mir nicht mit? Ich werde zumindest versuchen, darauf eine Antwort zu erhalten. Laut Bundesdatenschutzgesetz ist das BSI verpflichtet, mir Auskünfte über Daten, die sie über mich gespeichert haben, zu erteilen.

Hier die vollständige Mail, die man vom BSI erhält:

Sehr geehrte Dame, sehr geehrter Herr,

Sie haben diese E-Mail erhalten, weil die E-Mail-Adresse [...] auf der Webseite www.sicherheitstest.bsi.de eingegeben und überprüft wurde.

Die von Ihnen angegebene E-Mail-Adresse [...] wurde zusammen mit dem Kennwort eines mit dieser E-Mail-Adresse verknüpften Online-Kontos von kriminellen Botnetzbetreibern gespeichert. Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst.

Um diesen Missbrauch zukünftig zu verhindern, empfiehlt das BSI die folgenden Schritte:

1. Überprüfen Sie Ihren eigenen Rechner sowie weitere Rechner, mit denen Sie ins Internet gehen, mittels eines gängigen Virenschutzprogramms auf Befall mit Schadsoftware.

2. Ändern Sie alle Passwörter, die Sie zur Anmeldung bei Online-Diensten nutzen.

3. Lesen Sie die weiteren Informationen hierzu unter www.sicherheitstest.bsi.de.

Diese E-Mail ist vom BSI signiert. Wie Sie die Signatur überprüfen können erfahren Sie auch unter www.sicherheitstest.bsi.de.

Mit freundlichen Grüßen
Ihr BSI-Sicherheitstest-Team

I finished my Asia trip a few days ago. As you could obviously see, my motivation for blogging decreased during the trip. I'll finish with a quick summary of what I did.

I entered Laos from China, but I didn't spend a lot of time in Laos. The main reason was that I was quite frustrated with the weather. It was a comparatively cold winter in southern China and Laos and the buildings there are not really isolated at all and heating usually doesn't exist. While the days were all sunny and nice, the nights were sometimes quite tough. In Laos, usually the only mode of transport are buses and minibuses. I crossed the border at Houay Xai and quickly moved on to Bangkok by bus and train.

Travelling in Laos and Thailand was quite a different experience when compared to Kazakhstan and China. For the first half of my trip, I mostly felt like "the stranger going to places rarely visited by strangers". In China, even at touristy places there were mostly domestic tourists. Laos and Thailand are flooded with western tourists, so I was more like "the western guy going to places everyone else is going". Honestly, I felt much more comfortable with the first role. Malaysia was somewhat in-between. The most important thing I was looking for in this part of Asia was mostly nature and rainforests.

For the whole travelling with buses and trains, I was surprised that it was often much easier than expected. Maybe irrational, but when I planned this I often felt "travelling with a bus/train in a place I barely know anything about just must me difficult". If you have any questions about overland travelling in any of the countries I visited, feel free to ask me. But basically, it usually comes down to "write your preferred train, time, class and destination on a piece of paper and the people at the ticket counter will understand even without knowing your language". The only real obstacle I faced at all was that in China there are some train routes that are booked out early.

If you know me, you know that I try to avoid flying. But it was clear that doing this trip without would be close to impossible. So I flew back from Kuala Lumpur in Malaysia earlier this week.

While I've seen a lot and experienced a lot, at the end I was at a point where I really didn't want to continue any more. I have a lot of respect and get inspiration from people people who consider themselves digital nomads, permanent travelers or something alike and I though a lot about that during travelling and in the months before. I'll probably write some more about that at a later point, as I find it quite desirable to organize life in a way to be less dependent on a fixed living spot. But for me, this has limits and I know where they are.

After crossing Yunnan province, I finally left China to go further south into Laos. I travelled by bus from Jinghong to Medan and from there to Mohan, which is the chinese border town. From there, I just walked across the border. In Laos, EU-citizens can get a visa-on-arrival, which was easy. I just had to fill in a form and got my visa about 10 minutes later.

Right behind the border in Laos is the small town Boten. There's a quite interesting story behind this place. A couple of years ago, this was a place of casinos for chinese gamblers. In China itself casinos are forbidden, so this gained quite some popularity. A couple of luxury Hotels and other facilities for the chinese gamblers emerged. However, some conflicts were arising. The casinos sometimes held chinese gamblers unable to pay their gambling debt as hostages. Chinese authorities were unhappy with this and pressured the laotian authorities to shut the place down, which finally happened in 2011.

So today Boten is mostly a ghost town of abandoned hotels and casinos. The town is split. On one side of the street is what probably was Boten before the casino boom and were most of today's inhabitants live. Some simple houses, some shops and also a small and simple hotel where I stayed for one night. Although this is in Laos, everything is still very chinese. Everyone pays and sells in chinese Yuan, which came quite handy for me, as I didn't have any laotian Kip at that time.

On the other side of the street is the ghost town. It's not completely empty. One large hotel is still welcoming customers, some shops are still operating and also a couple of people live there. But there are a number of former luxury buildings in different states of decay. Probably the most weird thing was a former luxury hotel that's now used as a cowshed.

It was definitely one of the more interesting places on my trip.

Pictures from Boten

It made the news last year that in China, a copy of the austrian historic town Hallstatt was built. Not far from Guangzhou, and as I was there anyway on my way to Hongkong, I thought that's interesting and I'd pay it a visit.

It was a bit tricky to get there. I found only limited information online. The place is near Luoyang, which is part of an area called Boluo, near the town Huizhou. Getting to Huizhou was mostly hassle-free, there are many trains every day from Guangzhou and it takes about two hours. How to come to Luoyang/Boluo is another story. I had two bus numbers I found in some Internet forums, but I couldn't find them at the train station. So either the information was wrong or the buses with that numbers are departing from another place in Huizhou. I also had some GPS coordinates I found online of the copycat Hallstatt, but it turned out later that they were not very accurate.

Checking the map, the place I wanted to visit was only about 10 kilometers away, so I took a taxi. About 15 minutes later and 100 Yuan poorer I arrived in Luoyang. It was already late in the evening, so I decided to take one of the few hotels there. The next day, equipped with the GPS coordinates I went to the austrian village in China. Starting from Luoyang, there's a street with a stadium that's mostly still in construction. I found out that the coordinates I had were about two kilometers off. But after asking some workers, I finally arrived. (correct coordinates for the entrance are lat 23.18112, lon 114.32656, I'll also add something to Openstreetmap)

What is interesting to know is that this place isn't primarily a tourist destination. It's a housing development, people are supposed to live here. However, I think nobody lives here yet, because except for the town's center, everything is still in construction. There are a number of similar projects in China. Tianducheng in eastern China, which rebuilts parts of Paris, has gotten quite a lot of media attention lately as an example for the Chinese housing bubble. Almost nobody lives there and it's mostly a ghost town. As the chinese Hallstatt isn't yet ready to house anyone, the future will tell if it'll fall to the same fate.

There were a number of things that made this place weird. The most obvious thing: You usually don't see tropical plants in an austrian town. I have no idea why they had a (fake/nonworking) red, british-style phone booth. Maybe for a chinese Britain isn't that far from Austria after all. Although this place isn't primarily meant as a tourist destination, it certainly attracts a lot of them. It was quite crowded. I haven't seen anyone who looked like being from Austria though.

After staying here for a while and having a coffee, I went back to Luoyang. There is a bus station in front of the entrance (line 6, but I don't know where it's heading), but no bus came for a while, so I walked back. Grabbing my luggage from my Hotel, I wanted to take a taxi again, but luckily, when I arrived at the main street a bus with Huizhou written on it just stopped in front of me (to be precies, it had 惠州 written on it, but I manage to recognize chinese characters well enough to remember the towns where I've been lately). So my way back was much cheaper and the bus - without a line number - brought me directly to the train station where I headed back to Guangzhou.

I'd like to finish with a quick comment. When reading western news commenting about this case and others, they're often quick in condemning this kind of "copycat" culture. I think one needs to be careful with that. The importance of the "original" is something that is deeply rooted in cultural norms and traditions. Sticking to the original is something that's probably more important in European cultures than in China. But I don't think either of them is right or wrong, it's just a different approach to culture. After all, it doesn't hurt anybody if someone is rebuilding Austrian villages in China. Also, there is almost certainly no legal issue at stake here. While it may be debatable if a town's layout can be covered by copyright, Hallstatt is a historic city. So if there is any copyright on it, it's already expired.

Pictures from Luoyang
Pictures from Chinese Hallstatt

Some Links:
Blog entry about Hallstatt / China on thechinachronicle.com
Blog entry about Hallstatt / China on liongrass.hk

The well-known way of getting from Europe to China overland is the transsiberian railway. However, I noted that the route through Kazakhstan I took is the quickest way to get to China by train and bus. I thought I'd write that up:

• Take train EC 43 from Berlin Hauptbahnhof (09:37 on Monday, Berlin time) to Warsaw Wschodnia, change to train D 10SZ (15:28). If you - like me - feel that the time to switch trains is a bit risky in case of delaqys, you can take the earlier Beriln-Warsaw-train EC 41 (06:37 until 12:08). There's also a direct Berlin-Moscow-train D 50472 (Berlin 04:28, Moskwa Belorusskaja 10:33), but it's often sold out early.
• Spend some time in Moscow and then take the Metro Line 5 (Circular Line) to Komsol'skaya (Metro of Kazasky railway station)
• Take train 090У from Moscow Kazansky (18:48 on Tuesday, Moscow time) to Petropavl/Petropavlovsk in Kazakhstan (09:46 on Thursday, Astana/Almaty time). Note that this only works every second Tuesday - you may choose other days where this train goes, but then other options may not work.
• Take train 152T from Petropavl (13:48 on Thursday, Astana/Almaty time) to Almaty (22:28 on Friday, Astana/Almaty time).
• Take bus number 100 to Sayran bus station and hope that they'll sell you a ticket late in the evening for the bus next morning. Find a place to sleep (but not very long).
• Take bus from Astana Sayran bus station (07:00 on Friday, Astana/Almaty time) to Yining (approx. 21:00 on Friday, Beijing time). You're in China.

With the transsiberian, you can leave Berlin on Monday (same options as above until Moscow) and take the D4ZJ direct train from Moscow to Beijing. You will enter China in Erlian on the next Monday at 00:47. So this makes almost 7 days vs. about 4 and a half days.

I wouldn't recommend anyone doing that. Better spend some time on the way and see some places in Russia or Kazakhstan. Also it should be noted that one obvious reason for being faster is that you'll enter China at a place much further in the west. And getting to the main part of china (the western part is much less inhabited than the eastern part and all big cities are in the east) can be somewhat troublesome. Still, I thought it might be of interest to document the fastest overland way from Europe to China.

I always assumed the starting point Berlin, obviously because I live there, adapting that to other starting places should be trivial. For example you can usually easily (and for a comparatively cheap price) reach Berlin by Eurolines bus in a day from other major european cities like Paris or London.

After another train ride, I arrived at Xi'an. This was releaving for me, because as I already wrote, I originally wanted to go directly from Urumqi to Xi'an, which wasn't possible. I finally passed that part now. The longer journey gave me the experience of now knowing various transport modes and train classes common in China.

Between Dunhuang and Lanzhou, I took what is called the "hard seat" class for a 14 hour ride (not overnight). I can quote Wikivoyage on that:
"Traveling in a seat (hard or soft-class) means you will share the car space with lots of locals. You will most likely encounter smokers, loud noise, and constant activity in the aisle while you try to sleep. *Do not* travel hard class if you are uncomfortable with these settings."

While I certainly was an interesting experience, it is not exactly one I'd like to repeat. It was challenging and I was quite happy when I finally arrived.

With my arrival in Xi'an, finally I noticed that I approach the warmer zones of China. While not really "summer-warm", I apprechiated not having to wear winter clothes all the time. Appart from that, Xi'an was quite different from the other cities I've visited before. It is in many small ways much more like a western city (and, to be not mistaken, in many ways this is a good thing - better hygiene, less dangerous traffic, no smoking in non-smoking zones). And regarding my last blog post, yes, coffee is usually available, although often expensive.

Xi'an is also home of one of Chinas most popular tourist attractions, the so-called terracotta warriors and - not that well known - the Chinese pyramids. I didn't know that there are pyramids in China, so found that worth seeing. Unlike pyramids in other places of the world, the chinese pyramids are not buildings, they are artificial hills. The biggest one, near the terracotta warriors, is the mausoleum of Chinas first emperor Qin Shi Huang.

My initial plan was to visit the pyramid and then decide if I still had time and motivation to see the terracotta warriors. I took the bus to the terracotta warriors and walked the roughly two kilometers to the pyramid. Turned out my planning was not really how one was supposed to do things. Going to the pyramid is only possible with an entrance ticket for the terracotta warrior museum - and you cannot buy it at the entrance of the pyramid area. There's a free shuttle service which I then took to get the ticket and drive back.

The pyramid doesn't look that spectacular and there's hardly a spot where you can actually see it's a pyramid. It once was much bigger, but during the centuries, the earth got compressed and it became smaller. I walked around a lot, the area around is a nice park.

As it is common amongst tourist destinations probably everywhere in the world, there is a huge amount of people who want to sell you things - from terracotta warrior replica in all sizes (including ones in original size and made mostly out of the same materials than the original ones) to the various tour guides. I refused all these offers and preferred to find my own way. One more thing notable: This isn't mainly a tourist spot for foreign tourist. The vast majority were domestic tourists.

As for accomodation, I stayed in the so-called "capsule hostel" in Xi'an. I read about these capsule hotels before (they're especially common in Japan), so I was curious. It is kind of a compromise between a dorm bed and a real hotel room. You get a small private capsule made out of plastic that contains your bed. They even have a television in every capsule (I fail to understand why no matter where in the world you are, a television in every hotel room seems to be standard). It was quite okay, although I would have one suggestion for an improvement: There capsule can not be locked, so you have to put your valuable private stuff into a separate locker every time you leave.

While writing this, I'm in the highspeed train from Xi'an to Guangzhou (taking only 8 hours). I've been to Guangzhou before, and I'm not going there not mainly because I want to see something there. I have a double-entry 2 x 30 days visa and from Guangzhou, I intend to make a quick hop to Hong Kong. Although part of China, in visa issues Hong Kong is like going to another country. So by going to Hong Kong, I have another 30 days to spend in China. Arriving in Guangzhou, I can also finally leave any traces of the northern hemisphere winter behind myself. It has comfortable temperatures all year round.

Pictures from Xian
Pictures from Guangzhou

I like drinking coffee and I usually drink quite a lot of it. And I'm pretty used to the fact that usually, you can get coffee just about everywhere. Well, at least so I thought.

When travelling, I usually have my own coffee making equipment, which consists of a couple of coffee filters, a collapsable filter holder, some coffee powder and some coffee creamer powder (which doesn't make a very delicious coffee and I prefer real milk or soy milk if possible, but it's a reasonable compromise when travelling).

I was running out of coffee powder shortly after I entered China. I really hadn't expected that it would be a problem. After all, the biggest international coffee chains, Starbucks and Costa Coffee, are flooding eastern and southern China with their restaurants and Chinese chains and independent coffee houses are trying to keep up with that. Well, the problem is that I entered China in the far northwest. And the Chinese love for coffee hasn't made it there yet.

I could hardly believe this, but between Yining and Dunhuang, I didn't find any coffee. None at all. Not in the form of coffee powder and not in brewed form. Yeah, supermarkets have a large collection of soluble instant coffee, most of it Nescafe and also some Chinese brands. But I refuse to call that stuff coffee. Most of it contains more sugar than anything else. When you get coffee in restaurants at all, you can bet it's also instant coffee. I checked where the next Starbucks is: In Xi'an, thousands of kilometers away. I checked for the next Costa Coffee: Also in Xi'an. (I'm on my way to Xi'an now - no, not just because of the coffee, it was my plan anyway.)

After all, I bought some non-sugared instant coffee. No, I wasn't happy with it, but it seemed it was the best I could get.

Lesson learned: There's just no coffee in northwest China.

I'm lagging a bit behind with blogging, so I'm trying to quickly recap the recent days of my journey in China. I already mentioned that I arrived in Yining, which is a town near the border to Kazakhstan. I was a bit surprised, because I more or less expected a small town, but I found out that Yining isn't that small. It has 430.000 inhabitants (at least Wikipedia says so, maybe it's outdated) and the distances sometimes were quite huge and I did a lot of walking there. The train station was a bit outside and walking there I passed a number of construction sites for new residential area. I first thought I found one of the "ghost towns" many western media lately reported about, a clean and new looking residential area. But a closer look revealed that it was probably just not finished - inside the buildings construction work was still going.

I took the train from Yining to Urumqi. My original plan was to move along quite fast and directly take the next train to Xi'an. But that didn't really work. I had to find out that all train tickets for the upcoming days to every location east of Urumqi were sold out. This was kind of a déjà vu. Last time I was in China I had the plan to travel this way in the other direction - and no tickets were available. Reading local news, this situation might improve 2014, when a new highspeed train line opens between Urumqi and Lanzhou. I didn't want to wait that long though.

However, this time I knew that there are alternatives - by taking the bus. I took a bus to the town Dunhuang, which is about 1,000 kilometers east of Urumqi.

Finding out the bus times in Urumqi was a bit tricky. At the bus station, there was a screen with scrolling departure times - but only in Chinese. While I am in theory able to recognize Chinese characters, this was much too fast for me (and there were a lot of buses). No paper or otherwise static timetable was available. My solution was to do many photographs of the timetable. That worked and afterwards I bought the ticket. I usually do this by writing down the time, date, the start and destination - usually that works quite well when language communication is limited due to language barriers. I took a bus the next day starting at 4 p. m., which arrived in Dunhuang at around 8 a. m., so it took roughly 16 hours.

The bus trip through the Xinjiang desert passed a lot of wind turbines. While China is often portrayed as the environmental bad guy, one shouldn't fail to recognize that it's also the world leader in building renewable energies. However, the many Xinjiang wind turbine fields also told the other not so green side of the Chinese renewable boom: Many of the turbines were just standing still. The most likely reason: China is building up wind power faster than it's caring for grid integration. I'm used to that look in Germany - wind power there is also often downregulated, because grid integration is not keeping up with the installation of new wind energy. But it was quite obvious that this problem is far bigger here in China's desert.

In Dunhuang I spend three nights. Dunhuang is not on the Urumqi-Lanzhou train line, so the scarce ticket situation there doesn't affect me here. But still, I didn't get a ticket for the train I wanted and had to stay one day longer. After having traveled through several huge cities, staying here for some time was okay and I did things a bit slower. Dunhuang is famous for the Mogao caves, which are a famous tourist attraction with buddhist statues and wall paintings. I'm usually not the person who has to see every tourist attraction on the way, but as I had more time than expected, I went there.

Tomorrow I'll take the train to Lanzhou.

Pictures from Yining
Pictures from Dunhuang
Pictures from wind power turbines in the Xinjiang province
Pictures from Lanzhou

When travelling from Kazakhstan to China overland, the common way is taking the train directly from either Astana or Almaty to Urumqi in northwestern China. The train takes about 30 hours and a significant part of that time is spend on the border, because the trains need to change their wheels for the different train track size.

I read at some places about a different possibility: A bus service from Almaty to Yining (伊宁 which, to make things complicated, has also a kazakh/uighur name - Kulja / Құлжа / قۇلجا - which, to make things even more complicated, can be written in many different ways using latin characters, cyrillic characters or arabic characters). The information was quite scarce. I basically only had a few forum entries mentioning it, so all the information I had seemed quite unreliable. And even the guy from the hostel where I stayed didn't know more.

I could find out that there's an international bus station in Almaty called Sayran (сайран). It is located somewhat outside the city and can be reached with bus number 100 from the Almaty 2 train station. I went there on Thursday and - although without language communication possible - could tell them what I wanted. They wrote me down a date and time for the next bus: Saturday at seven in the morning. Sadly, I didn't find out how often this bus goes. Saturday was fine for me so I bought my ticket for the bus.

Two days later I got up at 5 in the morning and took a taxi to the Sayran bus station. Although no overnight trip, the bus was a sleeper bus with beds. However, the bed I got was so small there was just no way I'd fit in there laying down. I spent, like most others, most of the time sitting on the floor which was covered with matresses. As expected, I was the only western traveller on the bus. Everyone got a plastic bag at the entrance for the shoes. The bus ride was quite okay, although really bumpy. The bus wasn't that full and there were larger, unused beds in the back, so I also layed down for some time. However, sleeping was impossible, it was just too bumpy.

We spend about an hour at a restaurant in the middle of the desert and also some time at the border. I was a bit worried about the border crossing, because recently there have been some conflicts in the Xinjiang province, which is the chinese province you enter when coming from Kazakhstan. But at the border everything was fine, except that my border crossing took a bit longer than the others.

Right behind the border a lot of people were trying to offer money exchange. I didn't do that, because at such points you usually don't get the best exchange rates, which later turned out to be a mistake. It seems not exactly easy to change Tenge into Renminbi in Yining and as I'm writing this, I still have some Kazakh money with me after having tried to exchange it in three different banks in Yining.

I first feared that I had lost my bus after the border crossing, because I didn't see it anywhere, nor did I see people I remembered from the bus. I wasn't too worried, because the border town Khorgas itself seemed large enough to provide a place to sleep and further travelling options, but after a while, I saw some people I remembered from the bus and finally, it came back and picked us all up. We arrived in Yining at around 9 in the evening, so the bus trip took about 12 hours. That was longer than I expected, as I read 7 or 10 hours at other online sources. If you wonder why it's 12 hours from 7 a.m. to 9 p.m., you have to consider the timezone change (but timezones deserve another blog entry anyway).

Hopefully this information will provide other travellers some help when they try to take this bus. To recap the important information:

• Bus from Almaty to Yining starts at Sayran bus station (reachable via local bus 100 from Almaty 2 train station).
• Runs at 07:00 a.m. on unknown weekdays, but due to my experiences probably on fridays and not on thursdays (If you have any info on that, e. g. a link to the bus company, please add it in the comments).
• Costs 4600 Tenge (thats about 21 € or 30 US$).
• Takes about 12 hours.
• Crosses border to China at Khorgas (霍尔果斯 in mandarin chinese, قورعاس in uighur, Хоргос in russian and Қорғас in kazakh language).

Pictures from bus trip

After Astana I went on to Almaty, which is the former capital of Kazakhstan. As I already wrote my previous two stops (Petropavl and Astana) were sharp contrasts, Almaty again was a completely different place. While also relatively expensive, it doesn't have the kind of "artificial" feeling that is present in Astana.

I spend two days here. Almaty has some mountains surrounding it. There are two hilltops that one can reach via cable car. One is Koktobe, which has something like a small amusement park on the top. But due to lots of snow, most things there were closed. For the free software fans upon my readers: I saw an arcade machine with Tuxracer there. Never seen Tuxracer in an arcade machien before (however, I have seen an arcade machine with the free software game Stepmania on my last trip).

The other cable car starts near the ice skating stadium Medeo (which can be reached via public bus line 6) and goes to the ski ressort Shymbulak. The ski resort was closed and sadly, this meant that also the second cable car, which could bring one even more up the hills, was also closed. Still I had some stunning views on the mountains. In the gondola, I talked to a local who spoke a bit of English. He said they call it the "little Alps". I found that quite described it well. It really looked like you were in Austria or Switzerland. To make this impression complete, the cable car was even built in Switzerland.

Pictures from Almaty

After staying in Petropavl I made it into Kazakhstan's capital Astana and stayed there for a few days.

I am glad that I've been both in an I assume average Kazakh city like Petropavl and the capital Astana. The contrast was pretty extreme. It wasn't like going to another city in the same country, it felt more like going to another world. Petropavl looked more or less like many post-soviet cities I've been before. Often a bit shabby, with waste laying around, broken or non-existent sidewalks and alike.

Astana is quite the opposite. Nothing here is old, large parts of Astana were build within the last two decades. Dirt or waste in the streets was almost zero and the traffic seems pretty civilized. Until 1997, Almaty was the capital of Kazakhstan, due to some complicated political compromises, it was moved to Astana and there began the growth of this boom town.

The city center is dominated by unusual and stunning architecture. It is build in almost perfect symmetry. For example, if you stand right in front of the Khan Shatyry shopping center in the middle (there's a wastebin so you can see where the exact middle is) and look to the Baiterek tower (Astana's landmark), it is perfectly centered in the archway of the KazMunayGaz company headquarter (a large state-owned oil and gas company). Same on the other side: If you stand in front of the presidential palace in the middle and look to the Baiterek tower, it's framed by two golden other towers.

One thing that's notably missing in Astana: It has only a very limited public transport system. There's no metro, no tram and no trolleybusses. Normal busses are the only way to get around. In the evening, they are so crowded that it can be a pain to use them. Also, it's a bit tricky to find out which busses you want to take. Bus stations have sometimes maps with bus lines, but they don't show all bus lines, only the ones starting at exactly that bus stop. I didn't see any complete bus map anywhere offilne or online. I've pictured a bus map (and another one) which features some of the more important lines linking the city center with the train station, maybe this is of some help for other travellers.

Astana is relatively expensive and features a bunch of large shopping centers (the biggest one being the Khan Shatyry, which they call the largest tent in the world). I think you get the idea what kind of place that is. Many describe it as "like a western city", but that really doesn't catch it. Others describe it as the Dubai of Kazakhstan. While I've never been to Dubai and can't judge, it feels to me that this describes it much better.

I originally planned to stay until saturday and take the train to China from Astana, but I found that the options of exploring the city were quite limited. You pretty quickly get around having seen all of its sights and there doesn't seem much around worth visiting. So I went on to Almaty.

A quick overview of things one can do and i did in Astana:

• Go on Baiterek tower: Not too expensive and nice view on the city with signs of distances to other relevant cities (e. g. Beijing 3656 km, Moscow 2280 km, Helsinki 3020 km).
• Ocenarium in the Duman entertainment center: Not that cheap, but nice and quite relaxing atmosphere. Biggest attraction are two large tunnels under a big aquarium, so you can watch the fishes from below.
• Pyramid (Palace of Peace and Reconciliation): Pyramid formed building containing an opera, conference centers and more. Not really worth visiting, it was mostly boring. I was the only english speaking person at that time, which didn't stop them from giving me a guided tour through the building.
• Khan Shatyry: Mostly a shopping center (so not thatwah interesting, except for the fact that it's a tent-like architecture). The upper floor contains a mix of an amusement park and an arcade hall. I saw a lot of those entertainment complexes, most other shopping centers in Astana have something alike. Also, there's a "Beach Club", which is a very expensive swimming bath.
• Watch unusual architecture: All over the city center.

Pictures from Astana

When I crossed the border to Kazakhstan I was told that I had to register my visa within 5 days. I read about that before, but I thought I had read somewhere that this wasn't necessary for EU citizens, so I was a bit surprised. But it turned out registration wasn't that difficult.

I did the registration on Monday in Astana. Registration needs to be done at the Migration Police office, which is located in the улица Сакена Сейфулина 29. I was there at 11:00 and the place was quite crowded and busy, so I already feared this might take some time. But it only took a couple of minutes, I gave them my passport, my migration card and a business card of my hotel (they wanted to know the adress). Then I was told to come back at 15:00. I was also told that they could only do a registration for a maximum of ten days. This wasn't a problem for me, because I don't intend to stay longer in Kazakhstan and my Visa validity ends there anyway. But for travellers wanting to stay longer in Kazakhstan this might be a cause of trouble.

After all, it wasn't that troublesome, but you should be aware of the registration when travelling to Kazakhstan. I don't know what to do if you're not passing a big city and thus have no way to visit the office of the migration police.

After a two-night train trip I arrived in Kazakhstan in the town Petropavl / Петропавл, also known under the name Petropavlovsk (which should not be confused with Petropavlovsk in Russia, where a town with the same name exists). There was no particular reason why I went there except that there's a relatively fast train from Moscow. Going directly from Moscow to Kazakhstan's capital Astana or the ex-capital Almaty would've meant a trip with at least three nights in a train, which I thought would be too much.

There's surprisingly little information you find online about Petropavl in English, although it's not that small (about 200.000 inhabitants). I can't add that much, as I only stayed for one night.

I had a booking for a hotel, which teached me a little lesson: Sometimes preparing to much may cause more hassle than it helps. I didn't find the hotel I've booked at the address where it was supposed to be. You may wonder how I fail to find a hotel, but you need to know that "hotel" here not necessarily means the same as you are used to be (big building with big sign "Hotel XY"). They're often hidden in flats inside normal buildings.

After checking the booking again I found out that it listed two addresses. One for the apartment and one as the contact address - and they were not nearby. No hint where I was supposed to go. While searching for my hotel, I found three other hotels which, by the way, were all much cheaper than everything that was bookable online. So finally I decided to forget my booking and just took one that seemed okay. Luckily, I could cancel my other booking without costs (I would've complained if I hadn't been able to do so) and ended up in a fine apartment, cheaper than planned and with a kitchen.

Notable in Petropavl was a huge outdoor market. Although it's quite cold, it was crowded and seemed to be the normal way of shopping here. Not only food was sold, but anything from clothes to tools or car parts.

After spending a night, I took the train to the capital Astana.

Pictures Train Moscow-Petropavl
Pictures from Petropavl