
U.S. Coding Website GitHub Hit with Cyberattack - lambtron
http://www.wsj.com/articles/u-s-coding-website-github-hit-with-cyberattack-1427638940
======
conradk
Interesting how this article came out at about the same time "Ask HN: Why
isn't the GitHub attack being covered by the news?" [1] was trending on HN.

I can't read the article without going through a subscription process first.

[1]
[https://news.ycombinator.com/item?id=9284688](https://news.ycombinator.com/item?id=9284688)

~~~
sheetjs
Go to google news and search for the headline.

~~~
manojlds
How does that work? Referrer?

~~~
ikeboy
Yes. [http://www.jongales.com/blog/2014/02/13/how-to-get-around-th...](http://www.jongales.com/blog/2014/02/13/how-to-get-around-the-wsj-paywall/)

------
ikeboy
Anyone having problems viewing, click
[https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB8QqQIwAA&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Fu-s-coding-website-github-hit-with-cyberattack-1427638940&ei=0yAYVbTbNceoNqu6hJAL&usg=AFQjCNEA_qnPu8LObRFwO5yE5oPzTQ4HhQ&bvm=bv.89381419,d.eXY)

~~~
PeterWhittaker
Thanks, tried it, but with or without cookies, this still tells me I need to
subscribe or login.

------
rawnlq
Hypothetically, if another "U.S." company with higher economical consequences
got cyberattacked, would it be considered an act of war? For example if
Facebook got shut down for a few days/weeks. Or does it have to be
military/government/infrastructure related tech?

[http://en.wikipedia.org/wiki/Cyberwarfare#Cyberwarfare_in_th...](http://en.wikipedia.org/wiki/Cyberwarfare#Cyberwarfare_in_the_United_States)
"The new United States military strategy makes explicit that a cyberattack is
casus belli just as a traditional act of war."

~~~
enraged_camel
It most likely wouldn't be considered an act of war, for several reasons. Most
cyber-attacks are difficult to trace to a source, and even when they are
traced, it's basically impossible to prove (beyond a reasonable doubt) that
the attack was state-sponsored. Countries let more serious transgressions
slide, because wars are costly and they cause orders of magnitude more damage
than any cyberattack.

In the grand scheme of things, economic damage resulting from cyber-espionage
or cyber-sabotage is regarded -- or at least _should_ be regarded -- as a cost
of doing business on the Internet. Companies should treat DDoS attacks the way
banks treat robberies: inevitable and expected. And just like banks, they
should simply buy insurance to cover the costs and damages.

~~~
BetaMechazawa
I honestly feel that in this case we can say that beyond a reasonable doubt
this is a state-sponsored attack. This is because of both the target and the
fact that traffic is manipulated at the "great" firewall to initiate this
attack.

------
jessaustin
_Specifically, the traffic was directed to two pages on GitHub... the other
linked to a copy of the New York Times’ Chinese language website... A
spokeswoman for the New York Times declined to comment. It isn’t clear who
controls the GitHub site that contains the copy of the paper’s content._

[EDIT: Apparently this is a copy.] Notwithstanding the actions of some in
China, reposting newspapers doesn't seem like a service GitHub really wants to
provide. Would anyone complain if GH were to pull this content?

Incidentally, TFA was quite informative; good job WSJ!

~~~
allochthon
It's a reasonable tactical move, and GH can't be expected to bear the cost
indefinitely. But it would ultimately hurt freedom of speech _outside_ of
China if GH capitulates. (Asked HN about this yesterday:
[https://news.ycombinator.com/item?id=9282950](https://news.ycombinator.com/item?id=9282950).)

------
eliben
Silly question: Can Github just carpet-block all Chinese IP addresses? Would
this mitigate the attack? Or is it that GH doesn't want to punish real Chinese
users (some of whom may well be paying customers) for their government's
tactics?

~~~
blamarvt
The DDoS tactics may have changed but the initial attack [0] was from all
non-Chinese IPs who were visiting Chinese websites. That's what makes this
attack so difficult to block -- requests aren't being made from Chinese IPs
but rather from everywhere else.

[0] - [http://insight-labs.org/?p=1682](http://insight-labs.org/?p=1682)

~~~
hifier
Maybe a naive question, but in the original attack, couldn't the 'bad'
requests have been identified using the referrer?

~~~
madlag
Yes, that's one of the methods that was used: from
[https://news.ycombinator.com/item?id=9284226](https://news.ycombinator.com/item?id=9284226)
:

> The first round was cross-domain JavaScript, stopped with an "alert()".
> Second round was cross-domain <img>, stopped with referrer. Third was DDoS-
> ing GitHub Pages. Fourth is the ongoing TCP SYN Flood attack.

~~~
hifier
In that case, why is
[https://github.com/greatfire/](https://github.com/greatfire/) still returning
the alert(..) js when not coming from Baidu?

~~~
pyre
> > The first round was cross-domain JavaScript, stopped with an "alert()".

> Second round was cross-domain <img>, stopped with referrer.

It does not mention that the alert() used the referrer.

~~~
hifier
Apologies if I'm being dense, but is there some technical reason why it does
not use the referrer to selectively block this traffic rather than blocking it
for everyone?

~~~
jurre
Parsing the referrer would still require some work from their servers right?

~~~
hifier
Sure. I suppose that could be the reason. However, something like HAProxy[1]
and (IIRC) CDNs like Akamai can be configured to inspect the headers and take
various action.

[1] [http://cbonte.github.io/haproxy-dconv/configuration-1.5.html...](http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#6)
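
The header-inspection idea discussed in this sub-thread, set against the country block asked about earlier, as an added example that is not part of the thread or any participant's post. The blocklisted host, the lookalike host and the request records are constructed placeholders; `/greatfire/` is the path mentioned above.

```python
from urllib.parse import urlsplit

# Assumptions: placeholder host an operator has chosen to refuse, and the
# /greatfire/ path mentioned in the thread treated as a protected prefix.
BLOCKED_REFERER_HOSTS = {"injecting-site.example"}
PROTECTED_PREFIXES = ("/greatfire/",)

def referer_host(value):
    """Lowercase host of a Referer header, or None if absent or unparseable."""
    if not value:
        return None
    try:
        host = urlsplit(value.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def referer_decide(req):
    """Deny protected-path requests whose Referer host is on the blocklist."""
    if not req["path"].startswith(PROTECTED_PREFIXES):
        return "allow"
    host = referer_host(req["headers"].get("referer"))
    if host is None:
        return "allow"  # nothing to match on; needs rate limiting instead
    # Match the host or its subdomains only, so lookalike suffixes do not hit.
    hit = any(host == b or host.endswith("." + b) for b in BLOCKED_REFERER_HOSTS)
    return "deny" if hit else "allow"

def geo_decide(req):
    """The 'carpet-block by country' alternative, for comparison."""
    return "deny" if req["country"] == "CN" else "allow"

def mk(country, referer, path="/greatfire/"):
    headers = {"referer": referer} if referer else {}
    return {"country": country, "path": path, "headers": headers}

# Constructed sample requests: (request, is part of the flood)
SAMPLES = [
    (mk("US", "http://news.injecting-site.example/article"), True),
    (mk("DE", "http://injecting-site.example/"), True),
    (mk("CN", "https://news.ycombinator.com/item?id=9284688"), False),
    (mk("FR", None), False),
    (mk("US", "http://injecting-site.example.lookalike.test/"), False),
]

def score(decide):
    """Return (flood requests denied, legitimate requests denied)."""
    caught = sum(1 for r, bad in SAMPLES if bad and decide(r) == "deny")
    wrong = sum(1 for r, bad in SAMPLES if not bad and decide(r) == "deny")
    return caught, wrong
```

On this constructed sample the Referer rule denies both flood requests and no legitimate one, while the country rule denies none of the flood and blocks the one legitimate visitor; requests that arrive with no Referer pass the header rule untouched.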

------
camhenlin
While it's nice to see a large news organization reporting the attack, it
would still be nice to see a political figure acknowledge that an American
company was cyber attacked by the Chinese government

~~~
teamhappy
Not happening, because:

    
    
1. You need facts to back that claim
2. $1.3 trillion debt
3. Stuxnet et al.
    

Nobody gains anything from opening that particular door.

~~~
ikeboy
Ahem.

[https://en.wikipedia.org/wiki/Cyberwarfare_in_China#United_S...](https://en.wikipedia.org/wiki/Cyberwarfare_in_China#United_States)

[http://www.nbcnews.com/tech/security/fbi-warns-u-s-businesse...](http://www.nbcnews.com/tech/security/fbi-warns-u-s-businesses-china-backed-cyberattacks-n226821)

[http://www.darkreading.com/risk-management/china-cyber-espio...](http://www.darkreading.com/risk-management/china-cyber-espionage-threatens-us-report-says/d/d-id/1085047)

[http://www.investing.com/news/technology-news/chinese-hacked...](http://www.investing.com/news/technology-news/chinese-hacked-u.s.-military-contractors,-senate-probe-finds-309836)

~~~
teamhappy
You should read the articles before you post them.

> The United States has _accused_ China [...] China has denied accusations of
> cyberwarfare, and has _accused_ the United States [...]

> The FBI warned U.S. businesses on Wednesday that hackers it _believes_ to be
> backed by the Chinese government [...]

> [...] Chinese espionage and cyber espionage activities may be carried out by
> individuals _without obvious government ties._

(Emphasis is mine.)

That seems to be the game we're playing. Everybody is super concerned but
nobody's actually doing anything for the aforementioned reasons.

// ↓ Fair point (the accusation bit) If an accusation is all the OP wants, I
don't see why anybody would doubt that will happen tomorrow.

~~~
ikeboy
OP wanted "a political figure acknowledge that an American company was cyber
attacked by the Chinese government"

That's an _accusation_ , and that happened many times. What OP wants already
happened.

>Hackers associated with the Chinese government have repeatedly infiltrated
the computer systems of U.S. airlines, technology companies and other
contractors involved in the movement of U.S. troops and military equipment, a
U.S. Senate panel has found.

>In May U.S. authorities charged five Chinese military officers, accusing them
of hacking into American nuclear, metal and solar companies to steal trade
secrets.

------
EdSharkey
Seems very shortsighted of China to do this. Don't they expect reprisals if
not from our government, then github itself?

Although it probably goes against their corporate policies, Github really
ought to block access to all China IP addresses for all repos OTHER than
greatfire and the nytimes until the offending DDoS codes are removed from
baidu.

~~~
AYBABTME
Reprisal of this sort would have no effect other than worsening Github's
stance in front of China.

Reprisal from corporations against a large state are pretty useless. The best
and smartest thing a corporation can do is complain to their local diplomacy.
Nations are sovereign, if you hit them back as a corporation, they'll just
block you and there's nothing you can do about it.

------
w_t_payne
I would imagine that there are some interesting legal avenues that could be
pursued here.

~~~
darkhorn
Yes, like bringing back East Turkistan and Tibet. Certainly you are going to
win this legal action and China will pay Github.

------
randiantech
Github is "a US Coding Website"? What? There are thousands of non-US code
repos there.

~~~
ta82828
Grammar ambiguity: the site is in the US. So a "US Website" -> what kind of
website? A coding website -> US (Coding Website) -> "US Coding Website"

------
nvk
Paywall

------
dba7dba
I go check wsj.com site and the ad on top is one from HUAWEI.

------
dujiulun2006
Doesn't matter to us Chinese people because WSJ is evil and we are protected
by the mighty GFW from it too. [sarcasm sign]

