
Chinese Spies Got the NSA’s Hacking Tools, and Used Them for Attacks - tysone
https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
======
redwards510
So China ran a network sniffer and captured and reversed some 0day that the
NSA lobbed at them? I'd be pretty surprised if this sort of thing didn't
happen all the time in cyberwar, considering the NSA has a massive, worldwide
sniffing operation and China has the GFW. I feel like this story is omitting
some important fact that makes this a bigger deal.

~~~
fosco
Agree, this reminds me of a 'limited hangout' [0] where a small bit of the big
story was released for people to talk about so that the real story never gets
revealed.

[0] https://en.wikipedia.org/wiki/Limited_hangout

~~~
dev_dull
Lately this seems to be virtually every story related to “spygate” from the
times. One person's “scoop” is another powerful person’s attempt to shape
narrative.

~~~
yeahitslikethat
The ufo conspiracies are an example of this. The government promoted ufo
stories to distract from the real stories.

~~~
Mtinie
As an insider please let us know, what are the real stories?

~~~
yeahitslikethat
"According to later estimates from CIA officials who worked on the U-2 project
and the OXCART (SR-71, or Blackbird) project, over half of all UFO reports
from the late 1950s through the 1960s were accounted for by manned
reconnaissance flights (namely the U-2) over the United States. (45) This led
the Air Force to make misleading and deceptive statements to the public in
order to allay public fears and to protect an extraordinarily sensitive
national security project. While perhaps justified, this deception added fuel
to the later conspiracy theories and the coverup controversy of the 1970s. The
percentage of what the Air Force considered unexplained UFO sightings fell to
5.9 percent in 1955 and to 4 percent in 1956. (46)"

Source: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/97unclass/ufo.html

------
komali2
> Based on the timing of the attacks and clues in the computer code,
> researchers with the firm Symantec believe the Chinese did not steal the
> code but captured it from an N.S.A. attack on their own computers

Out of curiosity, I wonder who directed the NSA to attack Chinese computers?

~~~
hawaiian
Even though the NSA-style attack was conducted by Chinese hackers in March
2016 (comfortably before the Shadow Brokers' leak of NSA tools in August
2016), it's possible that the tools were circulating outside the NSA earlier
and thus used outside of NSA direction.

Edit: That was confusing. Basically, we don't know when exactly before Aug 2016
the tools were leaked, so it could have been someone else probing the Chinese
server.

~~~
kermitismyhero
After the Wikileaks Vault 7 releases, specifically the details about how
Marble and Umbrage make it easy to implement a digital false-flag attack, I
don't see how anyone can be certain of the identity of a sufficiently skilled
attacker in the modern era. Any state security agency in any reasonably-
advanced country likely has their own equivalents of the Marble and Umbrage
tools at this point.

Was this attack from China? Was it from the US making it look like China to
justify US economic and diplomatic retaliation? Was it from Germany looking to
embarrass the US with a false-false-flag attack making it look like the US
made a false-flag attack on China after the US spied on Merkel's phone
conversations?

We could go down rabbit holes forever. Who can be completely trusted to speak
openly, knowledgeably, and honestly on specific instances of attacks? Every
last individual and organization in that world is neck-deep in their own
agendas.

------
olliej
Yet more evidence that you can't trust anyone with magic software that defeats
device security without making the devices insecure.

~~~
lopmotr
OS makers have that magic software and seem to keep it secure enough. They can
update your device and potentially hack it if they want to. If you think
that's a bad idea, what alternative would you propose for automatic security
updates?

~~~
leggomylibro
The "magic software" is, at its core, just strong encryption and an unbroken
chain of trust.

You trust your OS updates because your machine trusts the certificate it is
presented with. Your machine trusts that certificate because it is signed by
an authority which is in your machine's local list of trusted authorities.

If people mess up that list of trusted certificate authorities, it can easily
compromise the system. Remember this?

https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident

Now imagine if, instead of having an identifiable certificate authority which
accidentally allowed third parties to intercept and modify your encrypted
traffic, that were an undetectable feature of the encryption algorithm.

If that were the case, no matter how much you trusted the entity that
understands the nature of the backdoor, you would not trust your OS.

~~~
lopmotr
So the problem is more about transparency and reliability of the software than
about government access? I don't think so though because otherwise anyone
proposing government backdoors would neutralize opposition by saying let's
make it a front door, we'll have our certificate trusted by those same CAs and
be open about it.

------
jlgaddis
This NYT article is paywalled but Symantec's blog post [0] (on which much of
the NYT article is based) is not.

---

According to the blog post, "Buckeye", a group allegedly working on behalf of
the Chinese state, also used an "exploit of a previously unknown Windows zero-
day vulnerability. This zero day was reported by Symantec to Microsoft in
September 2018 and patched in March 2019."

So Symantec reported a zero-day -- _which was being actively exploited in the
wild by a state-based actor_ -- to Microsoft and Microsoft _STILL_ didn't
release a patch for it until six months later?

[0]: https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit

------
wallace_f
> the Chinese did not steal the code but captured it from an N.S.A. attack on
> their own computers

I don't understand the US's relationship with China. The above seems to
possibly suggest some mild cold war scenario?

~~~
hangonhn
I don't know how much foreign relationships or China-US policy you follow but
when it comes to China-US, the term "Thucydides' Trap" gets thrown around a
bit ( https://foreignpolicy.com/2017/06/09/the-thucydides-trap/ - a term
coined by this guy: https://en.wikipedia.org/wiki/Graham_T._Allison )

Rivalry between a rising power and an existing superpower is inevitable. How
it gets resolved though is not certain.

China is on track to overtake the US economically in a decade or two (if you
consider PPP adjusted GDP they've already surpassed us). That has
implications in other areas too -- strategic, diplomatic, cultural, etc. How
will the US respond to this? Will we simply let it happen or will we stop it
and perhaps violently? What will it mean for our agendas in different areas
since China and the US don't share the same goals in many areas. What's
especially frightening to me is that Xi seems to advocate a view that China's
rise is a return to a historical greatness and that China is destined to
dominate -- similar in some sense to the old "manifest destiny" idea of the
US. Xi's idea is now enshrined into the Chinese constitution alongside Mao's
ideas. My view on this is rather bleak but I think the US needs allies more
than ever. Ironically I think two equally matched powers are more likely to
come to a peaceful coexistence than if one side perceives the other to be
weaker. Maybe a new cold (or cool-ish) war isn't so bad compared to a hot war.

~~~
pm90
It's not clear what the ideological lines are though. With USSR, it was a very
clear Capitalism v/s Communism ideological battle. It's not clear to me that
the rivalry would escalate to the same levels as it did during the Cold War.

There is one thing that does give a lot of hope to me personally: the close
economic relationship between the US and China has created a tight bond
between the countries even if they are unwilling to admit it openly.

It's not inconceivable for world powers to co-exist in peace. There will be a
lot more frontiers in the future that can be competed on without wanting to
destroy one another.

~~~
jackcosgrove
There need not be an ideological conflict. Ideology was a mobilizing idea in
the 20th century but has lost mindshare. France and Britain vied for centuries
having similar societies and economies. There can be a tribal aspect to
conflict, as well as simply a competition for the spoils of world dominance,
which are many.

~~~
adrianratnapala
> Ideology was a mobilizing idea in the 20th century but has lost mindshare.

Ironic then that it is called the Thucydides trap then, since the ideological
lines between Athens and Sparta were very stark indeed.

------
freeflight
So China pretty much pulled the reverse card in UNO?

~~~
function_seven
Sounds like it. They arranged to be rubber to our glue.

------
ackbar03
Do you think cybersecurity or ai is a better field to dive deeper into as a
career/business field? I feel like in some ways ai has already been hyped up
but cybersecurity tends to be quite niche in its demands?

~~~
Godel_unicode
Why only pick one?

~~~
danaur
Because one has limited time

~~~
gkilmain
But shouldn't you at least try both? They seem to me to be two very different
things.

~~~
ackbar03
I've already been dabbling in both but if I'm to either start a business or
pursue a career in a single field I feel it's probably going to require more
dedication to one thing, but thanks for the response

------
elihu
> Chinese intelligence agents acquired National Security Agency hacking tools
> and repurposed them in 2016 to attack American allies and private companies
> in Europe and Asia, a leading cybersecurity firm has discovered.

Does that open up the NSA to a lawsuit from those U.S. companies that were
attacked by the same tools the NSA created and used against targets in China?

It seems like there ought to be some liability for any organization that gives
this kind of technology to another organization who is likely to misuse it,
even if "give" in this instance means "use it against them".

~~~
lawnchair_larry
Of course not. The NSA didn’t put those vulnerabilities there. If we want to
start pointing fingers, the first point of liability would be with whoever
released the vulnerable software.

~~~
lapinot
I do and you probably do too. Of course we can fantasize that these vulns have
been planted, maybe even a couple have been. But most of them are probably
just uncaught mistakes and subtle semantic errors. I believe in proving
software (and other stuff) correct, but that doesn't mean we'll arrive at some
point to the one true software. The problem is about defining formally what it
is to be correct, having a model that encompasses all things you care about.
You can't blame people for writing faulty software and shipping exploitable
hardware, that's just what one does. I think it makes sense to blame people
for discovering exploits and not disclosing them properly tho. That's what one
is expected to do... Some wishful thinking: let's hope the US will see that
the only move with positive outcome is to start a global disarmament
initiative. We seem to have forgotten the days of fighting for de-weaponizing
encryption, this should apply to cyber-security in general.

------
anxman
Something about this whole article is bullshit. In fact, it could be a planted
story BY NSA.

The Shadow Brokers released _source code_ and the USA still doesn't know how
it was leaked. There's no source code in an "interception".

------
mLuby
If someone steals a gun and kills someone, I'm mostly mad at the murderer, but
I'm at least a little mad at the irresponsible gun owner.

~~~
TaylorAlexander
It’s more like one murderer stealing a gun from another murderer, since they
both use the tools against everyone else.

------
quotz
China is becoming an increasingly big threat to the west and its values, only
because it’s a communist dictatorship. With the rise of the middle class and
the ultra rich in China, I don't know for how long will the communist party
stay in power. It seems the government censorship and all the spying does work
for controlling the people into believing the government is doing good to
them...

~~~
rossdavidh
China hasn't actually been communist in a long time. I think the current
situation is that the growing middle class will give at least tacit support,
so long as they keep growing. With memories of the late 60's still hanging
over that nation, they prize stability more than nations that haven't lost it
in living memory.

Now, if the economy turns really sour, then like Indonesia in the 90's they
may discover that the populace gets restless very quickly. But, for now, I
think the Chinese middle class is not in the mood to make big trouble.

~~~
eternalban
The Chinese have found (or been given) the _modern Middle Kingdom_ under the
rule of the Communist Party. What is happening in China is what has always
happened in China. Certain invariables that even the Cultural Revolution could
not erase from the Chinese nation. What China dislodged during the reign of
Mao was out dated _forms_ of these invariables. Confucius is out, Party
Chairman's 'thoughts' are in.

The West is used to seeing the decrepit aspect of the Chinese and associates
that with its characteristic societal structure. But this nation also has an
aspect of splendor. This renewed splendor appears to bother some in the West.
In fact, any sort of renewal of Asia not under the control of the West is
"alarming" to the West.

Don't worry. Asians don't hold grudges .. ;)

~~~
tiredyam
Every country has its history. That does not justify China’s human rights
violations. I am all for China overtaking the throne as the global hegemony,
if they cared about human rights outside of the Han people. Stopping the
genocide on the western part of China would be a start. Either way, US being
number two may give us a much needed gut punch. We can trim some of our
collective fat.

~~~
quotz
I mean, China only got where it's now by stealing tech from the US and EU.
Either with spies, or by letting foreign companies "compete" in China, only if
they partner up with a local company, and then for the government to clench
the foreign company so that they finally quit the market. Also, if the IP was
actually protected, Chinese companies would have to pay billions back to the
US and EU... I only like Trump because he sees the bigger picture in terms of
China being a threat, how much China is making a fool of the west, and also
due to the tax cuts.

~~~
age_of_stone
Are you sure that you've gone through some critical thinking before saying
that?

~~~
quotz
Are you perhaps Chinese? All your comments are about defending China regarding
the same issues. It's funny. Have you heard of those government actors in China
that are paid to flag comments and write good comments about the government?

------
bearmcbearsly
188 upvotes in 3 hours and already off the front page. Clearly people are
flagging this post. The question is why...

------
StanislavPetrov
Golly, who could have ever expected this? Hopefully everyone remembers this
when authoritarians cry about needing backdoors in all of our encryption.

------
mamon
Ok, so Edward Snowden runs off with a few terabytes of NSA data. He briefly
stops in China, before finally going to Russia. Now NSA hacking tools are used
against US and we are supposed to believe that "Chinese did not steal the code
but captured it from an N.S.A. attack on their own computers".

Somehow I'm not convinced.

~~~
sexy_seedbox
> He briefly stops in China, before finally going to Russia.

Hong Kong is NOT China.

~~~
rossdavidh
Well, it is and it isn't. But I think any tools he had that long ago would not
be newsworthy by now.

~~~
jessaustin
Yeah that's what I was thinking. 4 years between Snowden's releases and Vault
7, and another 2 years from then until now. Most 0-days don't live that long.
Not to mention the fact that Snowden has always refused to work with
Wikileaks... The conspiracies that people treasure are quite revealing.

