The Great Cannon has been deployed again (att.com)
1043 points by robbya 10 months ago | 431 comments



Browsers really have to be a lot more skeptical about the code they run. Running code should not be able to randomly attack any IP address on the internet. Code from non-TLS pages should not be able to run at all. Perhaps that should also apply to code loaded from 3rd party sites.

Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net. It certainly should not be consent to delegate that power to others, either via a embedded link or a MITM attack.


This sounds like a knee-jerk reaction that doesn't take into consideration the ramifications of the suggested policy. It won't stop DDoS attacks, because those exist _because the internet exists_ and unless you dismantle the very concept of interconnected "everyone can reach everyone" networking, all you're doing is locking down access to more and more people until only technical experts or the people with enough money to hire those experts get to use it.

Advocate the other direction: more freedom, including the freedom to say "thank you, browser, for being locked down by default, but I trust this website and I am okay with everything it wants to do".

Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with. And let them make mistakes with that, too: you don't make things better by taking away important life lessons, either.


This, on the other end of the spectrum, seems overly and naively liberal, when not being paired with a workable solution to the massive body of education required to provide adequate technical sophistication to (what has to be most of) 8 billion people.


>> a workable solution to the massive body of education required to provide adequate technical sophistication

The problem doesn't have to be one of education if it is tackled as a legitimate UI/UX problem and served by a W3C that supports the needs of end users over corporate partners.


I have NoScript installed on Firefox, and when I visit sites, I individually grant temporary permission to anywhere from one to more than twenty javascript sources. I suspect that I am among the 1% of those willing to make that effort.

I haven't noticed NoScript distinguish between http and https sources for javascript, but perhaps I don't visit sites that pull in javascript via http.


I did this last summer and managed maybe 1-1.5 months until it drove me crazy having to fiddle to get (way too many) sites to work with a minimal amount of accepted JS. Which is a shame, because it's quite a foolproof method of rendering most malicious actors helpless.


That requires allowing web servers to blacklist all browsers known to allow http and therefore DDoS... which is equivalent to banning http code.


TLS should be required, but it seems likely to me that the Chinese government can issue TLS certificates for MITM purposes that their browsers will trust.

As for the DoS aspect, maybe it's time to do a CORS preflight on ALL cross-origin requests, including images. (Webfonts, for whatever reason, already require a CORS preflight. Probably because Adobe is on the W3C and they sell a service where certain origins can legally use certain fonts from their servers. I hate it when user security features get turned into subsidies for large corporations, but here we are.)

Of course, if you have broken TLS I guess you can just forge the CORS response.

Edit to add: I have read more comments and better understand the attack now. China is modifying the Javascript on Chinese websites that are being viewed from outside China. Making TLS mandatory would be a big help here. China could say "all Chinese companies must buy certificates from the Great Chinese CA" and they could still do the MITM. But with evidence of the CA issuing fake certificates to DoS websites, browsers would probably stop trusting that CA entirely. I imagine China would like to avoid that, so I feel like this would have stopped the attack.


> But with evidence of the CA issuing fake certificates to DoS websites, browsers would probably stop trusting that CA entirely.

"Hey Tim Apple/Microsoft/Google, if you want to do business in China you have to put our CA on your devices/software...".

At least Firefox would still be free from that. And Apple already has China-specific iOS, so they'd just activate the bad CA on Chinese devices...


My guess is that Firefox and Chrome would push back. Apple probably has too much to lose, though.


> Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net.

But that is literally what web users want.

Everything you named is a fine opinion, but runs contrary to the wishes of the vast majority of millions and millions and millions and millions of web users.

EDIT: That said, browsers have features for users such as yourself to disable JavaScript, and there are third party extensions for finer-grained control. Again, adding these limitations is unpopular among web users.


> But that is literally what web users want.

No it absolutely does not.

Just because a user doesn't understand what Javascript is or how to diagnose why their computer is slow (is it an app, website, update, virus etc) does not imply consent.

Pretty sure that most people just want to be able to visit a website without it causing problems to their computer or to others.


But a “website” isn’t an HTML page any more. It’s a network-deployed application. Most people want to run these applications.


To reiterate threeseed’s point: the user wants the website to work well and work efficiently. They don’t care if it’s HTML or an interactive app. In a lot of cases, the web works better when pages are served as plain static HTML.


Websites also work better, IMO, when every page doesn't use remote resources on 10 different domain names hosted by 3rd-party vendors. This is one of the reasons I use Vultr instead of Digital Ocean: instead of locally hosting their own JS pages, DO uses 3rd-party services. (Maybe they don't have a choice if the 3rd party requires it.) Whereas with Vultr, I only had to enable one or 2 domain names and the whole site worked. It's a much better experience for the user IMO.


Sure, a simple marketing site for a local restaurant can work with only HTML and CSS, but practically all of the top 20 most popular sites would cease to function without JS.


I think you'll need some evidence for that. Silence is not consent, and it's certainly not enthusiastic consent.

And even if you do want to take silence for consent, the fact that the vast majority of millions of millions of web users do not install an extension to route around Google AMP indicates that they do not want the operators of the web page to do whatever they want, they want to run a restricted subset of what the web designer might imagine. AMP is extremely popular among web users; approximately 100% of Google users use it. (The more defensible argument, of course, is that users don't really want AMP, at which point the question of what users really do want gets back on the table.)

Also, users did vote with their feet against downloading EXEs from the internet - which can actually do whatever the developer wants - and using JS on the web platform, which can make unrestricted GET requests (even if it can't see the responses), sure, but can't do anything near "whatever." It stands to reason that users would gladly accept even more restrictions on the execution platform.


> they want to run a restricted subset of what the web designer might imagine

For the kinds of places that AMP is used, I would suspect so.

> Also, users did vote with their feet against downloading EXEs from the internet

So....this CAN happen???

> users would gladly accept even more restrictions on the execution platform.

The recent popularity of clipboard permissions, geolocation permissions, notification permissions, etc. would suggest otherwise.

What makes you so sure that web users care so much about the uptime of lihkg.com ?


> The recent popularity of clipboard permissions, geolocation permissions, notification permissions, etc. would suggest otherwise.

What popularity? Do you have data that users tend to click "yes" on such permission prompts?

> What makes you so sure that web users care so much about the uptime of lihkg.com ?

I'm not sure I understand what you're asking or what you're responding to.


> I'm not sure I understand what you're asking or what you're responding to.

lihkg.com being down is the negative consequence of this code running, right?


That's one of the negative consequences. If you phrase it as "In order for you to use the web as you're used to it, lihkg.com will go down, do you care" then sure, users may say "no." But if you phrase it as "When you visit this website, a portion of your bandwidth and battery life will be used to suppress dissident communications in Hong Kong, would you like to use your bandwidth and battery life on it," do you expect users to say yes?


No, that is not what web users want. No one asked them and they probably don't even have an opinion on that. It's what web developers and browser makers want.


It's certainly not what browser makers want, since the browser makers dropped native extensions and Flash and Java, and it's not what many web developers want, given the popularity of Content-Security-Policy.


You don't need to inject scripts to make this sort of thing work. Just add img or style tags with the source set to the target you want to attack. The browser will happily go try to fetch the files from the server, adding to the request load.

You can see unintentional examples of this happening. Small sites get taken down occasionally when larger sites directly link to images or videos hosted there.


Each individual user isn't doing that much, just loading an asset from another site, which is fairly inconspicuous. It's when billions of users start doing it that it becomes a problem (the first D in DDoS), but any individual person isn't doing anything out of the ordinary.


Unfortunately there's a giant category of devices that can't serve TLS. Like pretty much every consumer router in existence that you connect to through a webpage. Someone needs to come up with a solution for that. Ideally one that works with free and open source projects and not just well funded companies.


Found out there's a w3 working group trying to come up with solutions

https://www.w3.org/community/httpslocal/


> Unfortunately there's a giant category of devices that can't serve TLS. Like pretty much every consumer router in existence that you connect to through a webpage.

Come on now. Of course those devices can use TLS - they just can't do so in the capricious constraints imposed by the system of "certificate authorities". It's not a fundamental limitation of the technology.

If we were using something like noise protocol, nobody would be saying that tiny devices are incapable of proper security at the transport layer. There's just no clear way to assess the validity of a self-signed cert in the browser given today's political constraints.


Why do they have to use self-signed certs? Ship the device with a valid cert for $last_three_octets_of_mac_address.$vendor.com to the device, and print it clearly on the setup instructions. Typing in something like d63d15.ui.com isn't onerous.

The CA/Browser Forum allows certs up to 27 months - do routers sit on store shelves for 27 months before being configured? Do they even sit for 12 months? (Once they're online, they can renew their cert, possibly with the help of the vendor who can track the private key or something.)


That would require significant effort for the vendor to set up, and most internet devices such as routers are absolutely minimal-cost devices. Literally every cent counts in production, and vendors would rather remove some features than shell out the 2 cents extra to add another 64 MB of storage.

Furthermore, this would require either not being able to change the IP for your device (bad) or sending information about the layout of your network to the vendor (I wouldn't trust them with that info).

Very few people care about this and the effort of maintaining a custom DNS and a CA certificate system (which, by the way, would need to be subjected to rigorous security testing) just isn't worth it.

Lastly, what's the point? Adding a little padlock isn't worth it if anyone can get a certificate for the router ip anyway. How do you ensure that the router connecting to your IP really has the mac address it claims? It only takes one person to get root on their router to invalidate the entire security system and given how somehow router vendors are still shipping command injection vulnerabilities, I wouldn't assume that they can prevent that as much as they'd like.

What I want is the option to give a router my own security certificate instead of the self signed one. Let me use my own CA or let me mess around with letsencrypt, split-horizon DNS and Selenium scripts if that's what I need. Consumers don't care about TLS on their router and this would be the cheapest option to solve it for prosumers.


We sell industrial equipment which will live its entire life (20+ years) off the internet.

Browsers and the people who sit on these committees are understandably more focused on their own use cases, but there really does need to be a viable certificate solution for small embedded devices, preferably works with mDNS too. I'm not going to hold my breath, but until this happens any/all IOT devices will remain largely insecure. Big co's (like my employer) can develop and deploy a custom solution, most companies cannot.


That's a little bit of a different problem, since the client end of the connection isn't the general public. (At least for industrial equipment.) The router problem is that you need a normal, unconfigured web browser to be able to access the router's config page.

The immediate solution that occurs to me is installing a private CA, possibly one with name constraints for the vendor, because private CAs aren't held to the same rules about validity. I'm curious why this doesn't work - is it just that the tooling needed to make it happen isn't polished enough for small vendors?

I'm guessing that internet of things devices are, by their name, on the internet and can talk to a CA. Yes, this will require some way to give them a real domain name, but you could either give them names on the vendor's site or encourage people to get a domain name for themselves.


No need for even that. TLS should have an extension which says "I don't know how to verify my identity, but send this data to vendor.com and then they'll verify my identity".

Vendor.com can then look at the opaque blob forwarded from their hardware and decide if they want to delegate trust to it.


That doesn't quite work, because the premise of accessing a router setup page is that your internet connection doesn't work yet. So your router has to be able to prove its identity to the client entirely offline.

(You cannot special-case "This server is untraceable", else a repressive government could blackhole that server and trigger the relaxed validation rules.)


I'm not familiar with this problem, could someone explain? Thanks!


There is no problem. Routers can use a self signed cert.


Could you expand on that a little? What do you mean? Won't my browser complain if the cert is self-signed?


Yes, it will complain, and for good reason: it has no way of knowing whether the kid next door is spoofing your router's IP or MAC address and presenting their own self-signed certificate.

I wouldn't go as far as calling it «capricious constraints imposed by the system of "certificate authorities"» but at the same time, I agree that it's not a fundamental limitation of the technology.

Better protocols could be developed to allow a browser to trust a server without (all) the limitations of the current system.


My harebrained idea for this:

- let companies register a wild card domain in the .local (or a newlocal) namespace: .acme.local

- designate the acme company with the ability to issue certs that never expire for any name in ".acme.local" but the browser will refuse to use certs signed with that key for anything outside "*.acme.local"

pros:

- the acme company can now make equipment that the users browser can connect to over an encrypted channel with zero config on the user's part

- the equipment can live off the internet indefinitely

- if the acme company is breached, and their signing key is stolen, the attackers can only use that key to impersonate acme company, it doesn't allow them to impersonate any other domains

cons:

- the browser manufacturers don't care about this use case so it's never gonna happen

- the cert on the device never expires... and can never be replaced automatically somehow. I think the only workaround is acme could enable users to load their own certs if they are so inclined, but that shouldn't be required.


You should only have to store the self-signed cert exception once, at least on a given device. Now, if you're being targeted by a state-sponsored actor they might somehow be able to get you onto a honeypot network within the 2-minute window between plugging in your router and making your first connection to its web interface, but for everybody else a self-signed cert that you accept once during initial setup should be plenty good enough.


> Running code should not be able to randomly attack any IP address on the internet.

How would you prevent this? What constitutes an "attack", and how would you make sure you're not interfering with non-malicious use cases?


JavaScript was a mistake


This is just another kneejerk. They could have just injected an <img> tag with randomized src="" directly.


That would not constitute such a problem. The script is what provides the amplification factor here.


This is a network protocol flaw not a language flaw


Can there be a list that comes up so users who want control can see what pages the link they have selected links to implicitly? Just on the side, perhaps. They can explicitly block, or an AI can learn, etc. It may have to be a feature, as deny-all or enable-all is too rough to be useful.

For China, we need some way to handle that whole commercial-military-party all-in-one entity.


> Browsers really have to be a lot more skeptical about the code they run.

I absolutely believe you, and wrote a document on how to make improvements.

> Code from non-TLS pages should not be able to run at all.

Whether or not it is TLS is irrelevant. Either way the user may wish to put in their own code, and either way the server operator can change things whether or not it is what the user intends. (TLS does prevent spies from adding code, but not all unwanted code is from spies.)

> Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with.

I agree. Furthermore, allow the user to override any behaviour they want to do, too.

Allow the user to examine and copy the script (possibly with modifications); if the script changes (whether due to MITM or due to the author altering it or due to some other company purchasing them), it no longer runs unless the user approves the new one, too. Extensions that only allow free software to run don't help either; just because it is free software does not necessarily mean it is a program the user wants their computer to execute. Or, maybe the user wants to execute a modified version instead!


It's called a hyperlink and doesn't require any code or javascript to run. Maybe excessive requests to the same IP could be throttled by a user agent.

An outbound browser firewall could help also.


> It's called a hyperlink and doesn't require any code or javascript to run.

Hyperlinks generally don't open themselves. There is an obvious exception -- img tags[1] -- and I think it's worth considering whether they should be allowed to have the behavior they do. As far as I see, img tags load themselves so that, if you're editing HTML by hand, you don't have to deal with binary image data in the middle of what was supposed to be a clean text file. That may not be the right tradeoff.

[1] The img model got extended to other external resource loads, like script and css. But both of those frequently do appear as part of the same HTML that uses them. Image data can, but usually doesn't.

Also, external script loads are such an obvious problem that we got the Content-Security-Policy just to deal with it.


HTML was initially intended as, and still largely is, a markup language. An HTML file provides a container and presentation for other types of content. If you saved all those types of content into the same file you'd have many of the problems HTML was specifically designed to avoid, like bloat, vendor lock-in, format incompatibility, and editing difficulty.


Iframes are popular for these things - also, they don't require javascript to run.


Sites embedding said JS "analytics" files could have implemented HSTS and CSP with SRI, and this attack wouldn't exist.
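As an added illustration of the HSTS/CSP/SRI point in the comment above (example code written for this page, not from the AT&T write-up or any commenter), here is a small Python audit that flags script includes an on-path injector could rewrite and computes the SRI integrity value needed to pin a vetted copy. The sample HTML is constructed; the example.test hosts are placeholders, and the two plain-HTTP URLs are the ones quoted from the write-up elsewhere in the thread.

```python
"""Audit an HTML page for script includes that an on-path injector could
rewrite, and compute Subresource Integrity (SRI) values so a vetted copy
of each third-party script can be pinned. Standard library only."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example. The two plain-HTTP script URLs
# are the ones named in the thread's quoted write-up; the example.test
# hosts are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="http://push.zhanzhang.baidu.com/push.js"></script>
<script src="http://js.passport.qihucdn.com/11.0.1.js"></script>
<script src="https://cdn.example.test/app.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/nosri.js"></script>
<script src="/static/local.js"></script>
<script>var inlineScript = 1;</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, page_origin="https://site.example.test"):
    """Return (src, problem) pairs for script includes an attacker could
    substitute in transit: anything fetched over plain HTTP, and any
    cross-origin script that carries no integrity attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_origin).netloc
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: nothing is fetched, so nothing to swap
        url = urlparse(src)
        if url.scheme == "http":
            findings.append((src, "fetched over plain HTTP; injectable on-path"))
        if url.netloc and url.netloc != page_host and not attrs.get("integrity"):
            findings.append((src, "cross-origin script without integrity"))
    return findings


def sri_for(body, algo="sha384"):
    """Build the integrity attribute value for a known-good script body,
    in the '<algo>-<base64 digest>' form browsers expect."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body, integrity):
    """Mirror the browser's load-time check: hash the fetched bytes and
    compare with the pinned value. Any change to the script fails."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unsupported algorithm: refuse rather than skip the check
    return sri_for(body, algo) == integrity


def pin_script(src, body):
    """Emit the hardened tag: https scheme (assumes the host serves TLS),
    integrity pinned to the vetted body, and crossorigin so the browser
    is allowed to verify cross-origin bytes."""
    url = urlparse(src)
    if url.scheme == "http":
        src = url._replace(scheme="https").geturl()
    return (f'<script src="{src}" integrity="{sri_for(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    for src, problem in audit_scripts(SAMPLE_HTML):
        print(f"{src}: {problem}")
    print(pin_script("http://push.zhanzhang.baidu.com/push.js", b"// vetted copy"))
```

Pinning only helps once the script body has been reviewed; a pinned tag breaks the page whenever the third party ships a new version, which is the intended trade-off.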


You do know you’re suggesting that sites not be able to load assets from other sites right?


They are specifically suggesting that HTTP-only sites not be able to load from third party sites, which is quite a bit different than your interpretation of generally preventing any site from loading any external content. HTTPS ought to be the default and browsers can, and should, move towards that.

But to answer your question more directly, yes they clearly know what they are suggesting.


I note this language in the writeup:

> These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

> http://push.zhanzhang.baidu.com/push.js; or

> http://js.passport.qihucdn.com/11.0.1.js

This seems overly generous. I personally would not assume that the government of China couldn't persuade Baidu or qihucdn.com to serve government-provided JavaScript.

It also assumes that the end users ("victims") here don't trust any Chinese certificate authority.


I'll speculate that there are sufficient locations failing to use https that they haven't felt a need to use https. I further speculate that China is sufficiently entangled with the international internet that they would prefer not to have their certificate authorities de-listed by the major browser vendors.


> But to answer your question more directly, yes they clearly know what they are suggesting.

Highly unlikely, or else the suggestion would be to just ban HTTP altogether. HTTP without the ability to load resources from other domains would break the majority of sites.


TLS sadly won't make a difference.


“a web site Lihkg.com” is really an understatement, as its title indicated. Given the “be water” and no-leader approach, lihkg is really the only way to try to have some sort of info among possible noise (into which the popo are likely also posting their confusing messages). There were discussions of cutting off access by hksarg, and a rush to install VPNs was promoted. Guess they cannot firewall HK given its financial centre status.

The evil empire and culture will try and try to harm liberty and human rights. If it were not so important, you would not see many HKers like me posting here and in other places, but instead in concentration camps, like the northern Turks up north.


So, maybe firewall off China for a couple of days? Sure, it would hurt on both sides but at least it would be clear that abuse at this scale leads to being blackholed.


This doesn’t work. The DDoS requests actually come from outside China when overseas visitors are hit by the malicious js while browsing Chinese websites.


So it does work. It doesn't really matter where you break the chain as long as it gets broken.


It only works if you somehow remove all of China from the Internet.


That would be the kind of signal that would be hard for the Chinese to spin in such a way that it would make them look good, and the economic effect would be pretty much instantaneous.

There is plenty of historical precedent for this: spammers' IP ranges would be blackholed to send a message to their ISPs that such behavior wasn't tolerated. That the Chinese authorities decide to play this game at the nation state level should not give them a free pass, but should result in a nation state level response.

https://en.wikipedia.org/wiki/Black_hole_(networking)


I'm not sure 'We have the technology to censor the internet, and it's okay to deploy it' is the message you want to give the CCP.


That's not censorship.

https://en.wikipedia.org/wiki/Censorship

The criminal co-opting of networks and nodes on those networks is not speech by any definition.


There are innocent users outside China who like to view innocent websites inside China. If you block the connection, you make the innocent users, and the innocent websites, mad. They might very well interpret it as censorship.


That's not the issue. The issue is that there is speech accompanying the malware, which should not be systematically censored. (Though any individual is free to do so for themselves.)


> The issue is that there is speech accompanying the malware

I'm either misunderstanding what you're saying, or it doesn't make sense. If a bunch of people take signs (with legitimate messages, free speech) and hang them off a bridge over the highway (causing accidents), then those people go jail. The fact that their message is free speech is irrelevant. The source of the message is being punished/jailed, not the message.

Am I mis-representing your statement?


Another iteration of this and we'll have bullets with text on them and killing someone with those bullets will be an expression of free speech. The degree to which the 'free speech' analogy is contorted is amazing, more so because the original scope was quite narrow, both legal and geographical.


The problem is closer to a ne'er-do-well taking someone else's signs and hanging them off a bridge over a highway. The person producing the speech is having their speech hijacked for malicious purposes by an MITM; that doesn't mean that it's not censorship when the sign's/webpage's creator gets caught in the censorship crossfire during the attempt to take down the malicious actor.

To put it another way: if someone steals my car and uses it to rob a bank, even if that car is now evidence in a criminal investigation, it's still my car. The police have every right to confiscate it from the thief—it's not their car—but that doesn't mean that it suddenly belongs to them; it belongs to me. In both this case and the above case, I have a right to not be unduly punished for the actions of an unrelated third party (by having my website taken down; or by having my car permanently confiscated, respectively.)

The context here is very similar to a story that was on HN just yesterday (https://news.ycombinator.com/item?id=21671579). Banning a site from the internet for happening to be MITMed by China is very similar in its ethical implications to banning a site from the Internet for happening to have a domain-name that fits a pattern used by a botnet.


The point is that technology could _also_ be used for censorship.


I'm sure spammers feel very much censored when they are blackholed. Tools are usually dual use.


We're kinda already past this?

At this point we really need to start doing the "You wanted a Great Firewall? Enjoy. You now have no connection."

Removing China from the internet would also likely cause things that phone home to China to break. That would actually create some consumer awareness to boot.


Not really, it is more like "if you behave like a malicious actor similar to a spammer, we will treat you like one".


The spin would be "US cuts off global internet in a petty attempt to interfere with China's management of its own network". Justified by a technical backstory that approximately nobody understands, I don't think it would play well even outside of China.


Who cares? China is a net negative on the Internet, they can stay over in their intranet as far as I am concerned, nothing of value would be lost.


Ohh no! Human to human connections are far too important to maintain in today's glocalized world.


It is possible: De-peer AS4134 (China Telecom) and reject all of their routes. They are the only international ISP that lands into mainland China. They are extensively peered around the world.


It's not just them. AS4837 (China Unicom) and a few others who have intl permission to route in and out of China. That said, you're going to hurt a lot of non-china multinationals who operate there.


> That said, you're going to hurt a lot of non-china multinationals who operate there.

Not my problem. Figure out a better way than getting in bed with fascist countries and then complaining when the inevitable door swings shut due to rightful backlash.


No big loss.


Maybe for you, but there are millions of people that work with people in China everyday.


China can easily operate any number of servers outside China.


Seems like it could work, there would be no way to pull down the JS.


I agree that such bad behavior should be punished, but why just couple of days? This would be similar to UN trade sanctions that are imposed on bad state actors.

I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.

Personally I have already pi-holed entire .cn and other domains.


> This would be similar to UN trade sanctions that are imposed on bad state actors.

UN sanctions are not imposed on bad state actors. They are imposed on weak state actors. UN sanctions have never been imposed on the US, China, Russia, Britain and France, easily the worst state actors globally: the biggest weapons sellers and the cause of instability all over the world. They also are the 5 permanent security council members with veto power.

> I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.

China doesn't enjoy a trade imbalance with the "rest of the world". They enjoy it with the US primarily. They are net importers from Japan, South Korea, Saudi Arabia, Brazil, etc.

Germany, Japan, South Korea, etc. also enjoy a trade imbalance with the "rest of the world". Do you support sanctioning them?

> Personally I have already pi-holed entire .cn and other domains.

That doesn't do much if you really think about it. It's not like Chinese individuals, companies or the government are barred from owning everything from .coms to .orgs.


> UN sanctions are not imposed on bad state actors. They are imposed on weak state actors.

That is a great point and I agree with it.

However, the way I look at it, a state-sponsored attack like this is no different from a country firing missiles or shells on another country from over the border. And as such, such attacks should not go unpunished and there need to be consequences. In addition, the countries being attacked have a right and a moral duty to protect themselves.

The mechanisms of such I leave to those with the power to make it happen.

And yes, blocking .cn doesn't do much, but it does some.


Google has had a lot of success blacklisting domains that spam. Getting blacklisted and losing 30-90 days worth of traffic because you wanted to bump your pagerank a bit is a bit silly.

We could potentially have sanctions that require Google to block commercial sites in China. That would definitely get their attention without massive financial implications on the economy.

This type of behavior CAN NOT be allowed to continue.


I would rather see more rigorous trade policy. Frankly, fewer low-quality or fraudulent Chinese imports will probably be a net positive and even if it is more expensive, I would rather our trade dollars support countries with less corrupt governments and better ethics with respect to intellectual property, fraud, environmental protection, etc.

I’m sure this will garner plenty of whataboutism regarding how the west is imperfect (never minding that I didn’t say “the west”)...


The west is constantly pushing for stuff like this in every trade policy with China and others...

There’s a limit to how much leverage any one side has on a sovereign country's policies (and how much they actually enforce them when they agree).

There’s also the question of the benefits of having China at all in these deals, some concessions and a growing dependence on western markets from initial deals is better than no deals.

Plus a wealthier China is good for the world and the billion people coming out of poverty, getting educated, and slowly becoming an advanced economy.


> There’s a limit to how much leverage any one side has on a sovereign country's policies (and how much they actually enforce them when they agree).

I’m not advocating for anyone controlling sovereign Chinese policies. They can continue their awful anti-humanitarian policies, fraud, IP theft, etc. I just don’t want my country aiding and abetting it. At very least I want my fellow citizens to be able to make informed purchasing decisions.

And I’m all for lifting people out of poverty, but I’d rather do it in a country with some minimum base line respect for human rights and integrity, and where my purchasing dollars don’t end up propping up some dictatorial system that bullies other countries.


The UK kept trade with the US when slavery there was rampant. Any country will have hiccups throughout its development. It's convenient but counterproductive to categorize every argument against yours as "whataboutism".


> The UK kept trade with the US when slavery there was rampant.

And were I a citizen of the UK in this tortured analogy (with my contemporary morals and all that), I wouldn’t want my money supporting that.

> Any country will have hiccups throughout its development.

Right, but we don’t have to support those “hiccups”. Anyway, China had 60 million hiccups in the last century. They’re all out of hiccup passes.

> It's convenient but counterproductive to categorize every argument against yours as "whataboutism".

Not every argument, only the ones that start by suggesting I can’t criticize China until <other countries that I presumably support> are completely without blame. Such as yours.


LIHKG requires a Hong Kong ISP to register anyway, so it's not like that site blocking mainland China would hurt it at all.


that's what they want. a bifurcation of the internet.


No they don't. They want to use it as a weapon against targets of their choosing and co-opt the rest of the net in doing so. The economic importance of the internet to China cannot be overstated.


They want a semipermeable membrane that money can cross, but uncontrolled information can't.


I think what parent is saying is that (unrelated to TFA) China wants a separate information sphere, where only party-approved sites and services are available to their citizens. They have largely accomplished this.


I doubt it. China gets a lot of business from overseas via the Internet. Think about all those fabs where you upload a PCB design and for $2, they manufacture it and mail them to you. If Americans could not visit the Chinese Internet, those companies would be out of business overnight. When nobody has a job or money, people start questioning the government, which the government would probably like to avoid.

The reality of China is that they need the global economy as much as the global economy needs them. No one entity can really pick up their ball and go home, as much as China would probably love to.


I doubt that's what they want at least in the short term. The economic effects would be disastrous.


The web needs to start moving towards a strong same-origin policy for all embedded content-- require sites to proxy requests if they want third party content.

The first step could be sending CORS preflight, then requiring it, then just not allowing cross origin to different domains (but allow sub-/sibling- domains).


How would this be different than the CNAME cloaking[1] currently being used by data collectors to circumvent ad blocking software?

1. https://news.ycombinator.com/item?id=21604825


I agree that this is the next step in the ad-tech / spy-tech war.

uBlock recently found an approach for blocking cnamed origins: https://github.com/gorhill/uBlock/commit/3a564c199260a857f3d...


Can't the CORS preflight, by itself, be a DoS?


If you read the OP they say they were specifically crafting links that led to an image resizing webservice, so each load wasn't just requesting static content, it was consuming non-trivial compute cycles. Of course you can have a DDoS comprised of tons of requests for HTML or JPGs but the added overhead of performing a "resize" was at least a part of the plan. Failing a pre-flight would have eliminated that hit.


About a month ago we were discussing this and a few of us came to the conclusion that an eventually-required CORS header for cross-origin GETs would be a good thing. CDNs and SSO services could start sending this header so they can stay in business when the browsers turn off all cross-origin requests by default.

Unfortunately (from my perspective) that'll do nothing to stop third party ad tracking but you can't have everything, I suppose.
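Added example, not code from the thread or from any browser: a toy model of the policy sketched in this comment and in the earlier proposal (strict same-origin for embedded content, relaxed to sub-/sibling-domains, plus a required CORS preflight for anything cross-site). The public-suffix list is a tiny hard-coded stand-in for the real one, and the preflight answers are constructed objects rather than real responses.

```javascript
// Added example modelling the proposed browser policy (not real browser code).
// Assumptions: a tiny hard-coded public-suffix list stands in for the real one,
// and the preflight answer is passed in as a constructed {status, headers} object.

const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1): "static.example.co.uk" -> "example.co.uk".
// Hosts whose suffix is not in the list are treated as their own site.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.join('.');
}

// Sub- and sibling-domains share a registrable domain; "a.github.io" and
// "b.github.io" do not, because github.io is itself a public suffix.
function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Header lookup that ignores the case of header names.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Under the proposal, a cross-site GET only goes out if the third party
// answered the preflight and opted in with Access-Control-Allow-Origin.
function preflightOptsIn(pageOrigin, preflight) {
  if (!preflight || preflight.status < 200 || preflight.status >= 300) return false;
  const acao = header(preflight.headers, 'Access-Control-Allow-Origin');
  return acao === '*' || acao === pageOrigin;
}

// Decide whether the page at pageUrl may embed resourceUrl.
function decideEmbed(pageUrl, resourceUrl, preflight) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  if (isSameSite(page.hostname, resource.hostname)) {
    return { allowed: true, reason: 'same-site' };
  }
  if (preflightOptsIn(page.origin, preflight)) {
    return { allowed: true, reason: 'cors-opt-in' };
  }
  return {
    allowed: false,
    reason: preflight ? 'cors-not-granted' : 'no-preflight-response',
  };
}

// Constructed scenarios mirroring the thread: a first-party CDN, a third-party
// library host that opts in, one that grants a different origin, and an
// unrelated image-resizing endpoint that never answers the preflight, so the
// costly GET is never issued.
function runScenarios() {
  const page = 'https://news.example.com/story';
  return {
    firstPartyCdn: decideEmbed(page, 'https://static.example.com/app.js', null),
    optedInVendor: decideEmbed(page, 'https://cdn.vendor.net/lib.js',
      { status: 204, headers: { 'Access-Control-Allow-Origin': '*' } }),
    vendorWrongOrigin: decideEmbed(page, 'https://cdn.vendor.net/lib.js',
      { status: 204, headers: { 'access-control-allow-origin': 'https://other.example.org' } }),
    resizerTarget: decideEmbed(page,
      'https://image-resizer.example/resize?src=big.jpg', null),
  };
}

for (const [name, verdict] of Object.entries(runScenarios())) {
  console.log(name, verdict.allowed ? 'ALLOW' : 'BLOCK', verdict.reason);
}
```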


Not sure how much that would help... they could just have their own domain be a cname to the target.

Your defense idea might stop layer 7 attacks, but not lower level ones.


The problem right now is that the originating server sets an HTTP response header. Given that the MITM can modify that header, it indicates things need to be done automagically in the browser. But that will break A LOT.


I'm curious: is it technically and politically possible for the operators of all internet cables receiving traffic from China to filter out malicious scripts?

AT&T's writeup says the injection is only possible because it's HTTP (not HTTPS), and that there are two specific JavaScript files which sometimes serve up the malicious code.

So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?

The article also doesn't make clear -- is this DDoS coming exclusively from outside of China? Or is it injecting the same malicious code inside of China as well, and they're just not bothering to distinguish between requests coming from inside or outside the country? (In which case, the DDoS will continue regardless, just not with the rest of the world's help.)


I'm not a huge fan of anybody (China or otherwise) performing content inspection or filtering on my behalf transparently. That's just another instance of the Great Firewall with other people at the reins. If you choose to do that at your edge network, kudos to you. Just don't force it upon me.


>I'm curious: is it technically and politically possible for the operators of all internet cables receiving traffic from China to filter out malicious scripts?

Considering that the halting problem is undecidable, it's impossible to filter out the malicious scripts with complete certainty. The best you can do is use blacklists/heuristics which lead to an arms race.

>So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?

Foreign ISPs can block port 80 or HTTP requests from coming into China. Sure, it's going to break a lot of sites, but it's relatively simple for any site to get unblocked - all they need to do is set up letsencrypt.


> Considering that the halting problem is undecidable,

This doesn't mean that you can't prove a big subset of scripts safe.

> The best you can do is use blacklists/heuristics which lead to an arms race.

You can also allow the scripts that automatically prove safe, plus other popular scripts you decide to explicitly allow, plus other scripts that are low-rate enough that you don't believe them to be a concern.


Technically possible maybe, politically possible no.

Any ISP could force unencrypted traffic through a deep packet inspection system that looked for this kind of malicious behavior. That would be widely seen as a betrayal of the "big dumb pipe" expectation.

The computation itself is not infeasible at scale. But any ISP attempting this would see swift and brutal political pushback and almost certainly lose customers over it.


So if the cannon is created using the great firewall, how does the Chinese government establish any sort of plausible argument that this isn't state-sponsored activity?

Do they just not care?

Some day soon a war will not be started with an assassin's bullet but with a tool like this. I wonder when we start looking at them the same way?


They don't need to hide anything. This type of activity is playing off of the success of the North Koreans and Russians in neutralizing US power in the face of a completely inept and corrupt government.

The audience is other Asian and African states. The message is "we can act with impunity". The US will probably do some tit-for-tat exchange, but the US scope to do anything is limited due to the potential for impact on US businesses.


Pretty sure they don't care.

They're also directing lasers at helicopter pilots, which is much closer to an actual war than mere bits.

https://www.abc.net.au/news/2019-12-06/chinese-fishing-vesse...


The protesters in Hong Kong were also directing lasers at police and police helicopters. I don’t think that should be considered an “act of war.”


[flagged]


Says a brand new account....


According to the article, the attacks are currently ineffective for a number of reasons, one being their js code is bugged. Imagine Gavrilo Princip's gun was prone to jamming consistently.


This... actually inspires very little confidence. The assassination of the archduke involved several assassins who each failed iteratively for ridiculous reasons on the motorcade route. Princip himself had decided to give up on the assassination, only to find out the cafe he had gone to ended up being directly on the motorcade path. The serendipity of his proximity was probably the only reason Ferdinand ended up dead that day.

The cannon doesn't have to work all the time, just once effectively, and possibly even accidentally.


The Merck attack seemed to be an accidental offshoot, and nothing on an international political scale happened from that. Until we have some more tech literate politicians, or an agency to explain what's happening in simpler terms, I don't see these kind of attacks being taken seriously, or even understood on a basic level.


In reality it was the setup of the triple entente by Edward VII that was most responsible for the WWs. The archduke may have been the match, but the triple entente was the detcord strung around Europe.


Well, Gavrilo and his co-conspirators planned to kill Archduke Ferdinand with a thrown bomb, which the Archduke deflected with his arm. The bomb exploded without doing much harm, and only later by pure chance the Archduke drove by Gavrilo and was shot. It's a miracle that the assassination worked at all; the story is full of incompetence from the assassins. As such the parallel to the Great Cannon fits perfectly.


Given Gavrilo Princip's gun was only involved because the grenade missed and then everyone concerned made a series of unfortunate decisions that allowed a second attempt, that example isn’t bringing me any hope.


I’m wondering if there are actual bugs in their code or if AT&T is just saying that to make them spend time looking for something that isn’t there.


That's almost too clever for AT&T


Wait, didn’t that happen though? I thought the arch duke was originally supposed to be killed in a failed bombing, and the handgun was a second and happenstance scenario.


There was a royal procession to City Hall in Sarajevo, during which a grenade was thrown at the Archduke. It (barely) missed, they drove off, and had a meeting with some local magistrate.

After the meeting, Franz wanted to travel to the hospital to visit the civilians who'd been wounded by the errant grenade. En route, his driver, confused, took the same route from the morning procession. When they realized what was happening, they told him to turn around and get out of there. When the driver stopped to turn around, they were ~1 block from the site of the first assassination attempt. One of the co-conspirators (who had lost his nerve the first time, and had been milling around and hoping that Franz would come back by) was standing where the car came to a stop. Two shots killed Franz Ferdinand and his wife.

Fun fact about this--Franz Ferdinand's death was not the cause of the Great War in the way that people tend to think it was. The assassination caused the war in the sense that it was a convenient excuse for a war that the Austro-Hungarians already wanted, but not because (Austro-Hungarian Emperor) Franz Joseph wanted revenge or anything like that. In fact, Franz Joseph's secretary later said that he "almost seemed grateful" that Ferdinand (whose marriage was so problematic that he had been forced to proactively abdicate on behalf of his children) was out of the way.


My middle school history teacher always stressed the point about reasons vs. triggers for events, and it has stuck with me since then, as it makes looking at things like this much easier. Basically, there is a giant list of political reasons for the Great War, I am not gonna list all of them here, but I fully agree with you that the assassination was not one of them. Franz Ferdinand's assassination was the trigger.


Thought so, that (in much less detail) was my recollection. Thanks for that.


War seems to progress as follows:

0 - Peace
1 - Trade War
2 - Financial War
3 - Electronic War
4 - Shooting War

Note that 1 & 2 are different types of Economic war, and could be grouped together. The steps occur in order, but steps can be skipped.

From a US-centric point of view, North Korea and Iran seem to be at #3. China & Russia are at a limited version of #2.

Chinese/HK seem to be at #3 with each other. Given how invisible Electronic War can be, it's possible that they are deep in #3. It's also possible that #4 might be initially fought with HK Police forces as a proxy. Think of that as "4a".


I don't know who to attribute this to but I've heard a saying:

"Countries that trade with each other don't make war with each other."

As we isolate countries and disrupt trade we definitely are increasing the risk of conflict.


> "Countries that trade with each other don't make war with each other."

I'm pretty sure this was the prevailing thinking prior to World War 1. A large scale conflict would be so damaging on a human and economic level that most assumed the people in power would find a way to stop a massive war from breaking out. Well, they were right about the first assumption, but very wrong about the second.


It's also why the EU was founded, and in that instance it worked great. European powers used to be constantly at war with each other, but in the last 70 years there was no large-scale war within Europe (except for Ukraine/Russia, both not in the EU), and war between EU states has become unthinkable.


This is surely a contributing factor, but being first-class citizens of Pax Americana US hegemony has been a larger one IMO (doubly so during the Cold War, when a common enemy on Western Europe's borders united them).

There's plenty of good things from a moral perspective about power being diffused away from a hyperpower hegemon, but stability and peace have never been among the side effects.


Yes, most famously put forward in Norman Angell's 1909 book The Great Illusion (https://en.wikipedia.org/wiki/The_Great_Illusion).


Yes, who cares about the forced labor camps and suicide nets around factories. I want my cheap plastic consumer devices!!


> Yes, who cares about the forced labor camps and suicide nets around factories.

Nobody really cares, except for those directly involved. Sad but true, nobody will ever go to war for that, for foreign citizens.

> I want my cheap plastic consumer devices!!

People do actually want that. And their cheap shoes and clothes and...


> suicide nets around factories

Foxconn's suicide rate is lower than China's, along with all 50 US states. They just employ a gargantuan amount of people (400k). I don't know much about the working conditions there, so I don't have a position, but it doesn't look like there's evidence to suggest that the working conditions have anything to do with the fact that some of their employees committed suicide.

To put it another way, there's roughly as much evidence of this as there is that working in a factory in Nigeria causes sickle cell anemia.


A car park in the UK closed off the top storey and it's common to see older MSCPs adding tall fences to the top floor, and for new buildings to have these designed in from the start.

Page 25 (but see also page 23) https://assets.publishing.service.gov.uk/government/uploads/...

Fencing off tall buildings is a useful short-term suicide prevention measure.


If people cared, there wouldn’t be a prison labor system in the US. Especially one that pays inmates in cents.


You are interpreting a correlation as a causality. More likely (IMO) is a common cause: countries that consider themselves enemies for whatever reason are both unlikely to trade with each other, and likely to go to war with each other.


The EU was founded with the explicit goal that increasing trade between European countries would prevent war.

It's impossible to prove causality, but Europe has never seen longer and more widespread peace than the last 70 years.


Europeans tend to credit the EU/EEC for the peace, but as an American, I find that totally implausible. The peace was because Europe was divided into two vassal regions and the actual superpowers decided not to go to war because of MAD. Now that the Cold War is over, we've already had a series of wars in the Balkans and various wars in the Russian periphery. True, France and Germany have taken a break from fighting each other for a long-ish stretch, but I think that trend would continue even with a Frexit because it's mostly built on memories of how bad the last two wars were.


MAD and the cold war prevented war between countries on either side of the iron curtain, sure.

But then you go on to claim that war among countries on the Western side was prevented by memories of war and not the EEC, without any reasoning as to why. I don't buy it. The first World War was already terrible, yet these countries were at each others' throats only a few decades later.


Russia and Ukraine are not EU/EEC members, and neither were the Balkan states back when they balkanized. Wars outside the EU don't disprove that the EU plays a major role in bringing peace among its members. I would agree that it didn't necessarily bring peace to all of Europe, but that's a stronger statement than most people intend to make.


Only if you think that Europe is the EU, which it is not.


China not wanting to mess with the amazing economic success is one of the strongest things pushing back against any military aggression by them.

Tons of CCP members are getting rich off the economy, which includes a lot of trade and foreign debt.

There’s plenty of correlation here.


"When goods don’t cross borders, Soldiers will." -unknown (often credited to Frederic Bastiat)

Here's what Otto Mallery said though:

"If soldiers are not to cross international boundaries, goods must do so. Unless the Shackles can be dropped from trade, bombs will be dropped from the sky."

https://fee.org/resources/if-goods-dont-cross-borders/


https://www.telegraph.co.uk/news/worldnews/asia/china/955570...

This was a common argument as to why WWI couldn't happen, countries were far too economically dependent, everyone would be ruined.

Except it did happen, and everyone was ruined.


There were more guns and power mongers than economic ties. Plain and simple. Those arguments should have been qualified a lot more.


At best, that has held in limited places and times since WWII.

At worst, it was an affirmation repeated, as with most affirmations, in the hopes that the repetition would make it true, which it doesn't, and for the usual reason, that it generally wasn't.


So presumably you have evidence of most countries trading with each other while going to war with each other?


The United States and Germany during WWII, as evidenced by Ford, General Motors, IBM, Coca-Cola, Kodak, Chase Bank, Random House, Associated Press, Dow Chemical, Brown Brothers Harriman, Woolworths, Alcoa, AT&T, and others.

https://www.theatlantic.com/magazine/archive/2001/04/hitlers...

https://www.phactual.com/8-american-companies-that-worked-wi...

https://www.toptenz.net/top-10-american-companies-that-aided...


Doesn't seem to work between Russia and Georgia, Moldova or Ukraine.


I think, the principal argument is by Immanuel Kant in "Zum ewigen Frieden" (Perpetual Peace), 1795.


Sometimes known as the “Golden Arches Theory of Diplomacy”


> 0 - Peace 1 - Trade War 2 - Financial War 3 - Electronic War 4 - Shooting War

How many major wars in the last 100 years were preceded by trade wars or electronic wars (I don't know what a financial war is, trade embargoes? - embargoes are not trade wars)? Perhaps my view is a bit US-centric (there have been many small wars in Africa that I don't know the history of), but I don't think that US conflict participation in Iraq, Yemen, Libya, Grenada, Vietnam, Korea, WWII, or WWI was preceded by those sorts of policies. To find a trade war that preceded a war I think you might have to go to the US fighting in Central America (banana wars), or maybe the civil war.

Meanwhile the US has engaged in trade wars with plenty of countries it hasn't fought with, dominantly Europe (via the banana trade wars, not to be confused with banana wars, e.g.), and Japan.


John Perkins has written extensively on this topic, as he has had a career conducting 2 and 3 for the US. His book Confessions of an Economic Hit Man is instructive.

https://www.amazon.com/New-Confessions-Economic-Hit-Man/dp/1...


Hobbes would say this is backwards, since the state of nature is a state of war.

"Peace" is built from war's stalemates. As the most violent (and therefore effective) means become ineffective, combatants shift towards less effective means, to the point that the war (which is still ongoing) continues through diplomacy and trade.

Hence, "war is diplomacy by other means."

Diplomacy and trade are means of gaining an advantage in the underlying (now "cold") warfare. They're maneuvers to defeat the existing stalemate. If either side is able to obtain an economic (or other advantage) sufficient to defeat their opponent in a more violent form of warfare, then they will return to violence because that is the basal state of nature.

The worst thing you could ever have in trade / diplomacy is a good working relationship that isn't balanced and equal. A trade failure is itself a stalemate which can strengthen peace, so long as it occurs before too great of an advantage is gained by any group.


Can you cite examples of when it went from 3 to 4?


(not grandposter)

As the grandparent said - steps can be skipped. Since 3 is a relatively new medium for offensive actions, I suspect there are not a lot of well-known examples around. Would be interesting to see if any currently active conflicts were preceded by DoS (not necessarily Distributed, could be just a "cable cut" from outside), and how long before it escalated to active conflict.


Perhaps 3 could be rephrased as "industrial sabotage"


Pretty sure that this is only recent at most


Except for the great electronic war of 1315


What's wild is how at times the GFW will be abused to profit the operators of the GFW itself. Redirecting people to sites owned by friends to drive traffic/sales, etc. Due to the nature of the GFW, there isn't a lot of auditing or transparency there. Only the Chinese carriers can generally engage them and it usually involves a visit to a specific building in Beijing (no foreigners allowed).


The question is, you know I'm using it. Besides some words, what the heck are you going to do?


Why should they care, what's anyone going to do about it?


For one, we should all be making sure our websites use https all the time. If all you have is a personal website serving up mostly static content then it might not seem like you need to bother with a certificate but things like the Great Cannon are a great argument that you do. It's not unlike a public health argument for why everybody should be vaccinated.


HTTPS will help your users not get infected by code that a 3rd party injected on your site. But it will probably not help against the cannon, because the Chinese probably have some China-controlled certificate installed.


>But it will probably not help against the cannon, because the Chinese probably have some china controlled certificate installed.

The whole point of the cannon is that you can leverage the bandwidth of other countries. The CCP already controls the telecoms in China. They don't need to hijack Chinese computers for DDoS attacks when they can directly DDoS from their ISP's backbone.


They've done it before, with GitHub:

https://news.ycombinator.com/item?id=5124784


[flagged]


People care, however policy changes don’t happen overnight.

https://forward.com/opinion/424071/jews-are-speaking-out-aga...


It's not that nobody cares, it's that nobody can do anything about it.


Of course they could do something about it, they just don't want to because it would be economically painful. Unified trade sanctions against China would likely have effects pretty quickly, but would impact economies significantly more than the Trump-imposed tariffs that everyone is already freaking out over.


[flagged]


I don't think that last line is helpful. If you believe that the Chinese government is akin to the Nazi party, better to make the argument explicitly than to use a term like "Chinazis", which could be interpreted as overly broad and highly insulting in the best case.


The real question is if anyone would've even cared about the atrocities of Nazi Germany if it wasn't in their national interest to go to war.

The reason England and France got into the war is because of Germany's expansionist policies and not because of moral reasons at the time.


This. The Final Solution and the extermination camps only happened in 1942, after every major player had already entered the war. Eugenics was reasonably popular at the time, so that wasn't a reason to go to war either, and while the concentration camps were immoral, at the start of the war they were comparatively humane and not much out of line with what was deemed acceptable at the time (US internment of Japanese, Russian labor camps and the current ICE camps come to mind). The conditions drastically worsened as the camps filled up, but by that time Europe was already at war.

What Hitler did was terrible, but that's not the reason we had a war. "Germany (or Japan) might invade us next" is what was really in everyone's mind.


[flagged]


Hitler didn't start exterminating Jews until after Pearl Harbor: https://en.wikipedia.org/wiki/The_Holocaust#Final_Solution

That's 2+ years after the start of WW2.


Kristallnacht was in 1938


The "Final Solution" wasn't started at first.

As WW2 progressed the Nazis attempted to ship the Jews elsewhere. Sadly countries refused to accept these refugees.

Nazis then started to pile up Jews into Ghettos. Note that these Ghettos are almost identical to the Uyghur's current situation.

As the Ghettos started to fill up, the Nazis needed a plan on what to do as the ghettos started to reach capacity. Their decision is known as the "Final Solution" or death camps.

https://en.wikipedia.org/wiki/Évian_Conference

https://en.wikipedia.org/wiki/Kristallnacht

https://en.wikipedia.org/wiki/Nazi_ghettos

https://en.wikipedia.org/wiki/Final_Solution


Hitler didn't start murdering Jews in mass until after he invaded countries.


Although the Soviets certainly were mass murderers before WW2 and British and USA still sided with them.

Hitler was elected under the pretense that he represented socialism that was friendlier to the middle class and workers. This way people could get their socialist improvements to the economy (which was shit due to bad world-wide economy and war reparations) while still having defense against the sort of upheaval and murderous destruction that the Reds represented.

The take-home lesson of WW2 shouldn't be that 'The other side was evil and we won'. Because the entire Eastern half of Europe and most of Asia was submitted to governments that were incredibly evil due to the Soviet victory.

WW2's lessons are meaningless without WW1. They really are effectively the same war. The treaty of Versailles and the humiliation of the German civilian government are directly responsible for the rise to power of Fascism in Germany.

The take-home lesson of the 20th century wars is that massive murder and atrocities are only possible because people obey their governments. That 'The people' cannot discern true evil running the state until it's far too late.

Because evil doesn't show up saying "Elect me because I want to gas the Jews". They gain power by promising what you want. By telling you what you want to hear. And once they gain power, it is the average person's willingness to obey authority and carry out orders that turns shoe makers, engineers, and doctors into mass murderers.

Which is the sort of thing that is happening in many parts of China.

Always remember that in Vichy France when they rounded up the Jews for the holocaust it wasn't the German troops that went around arresting them. It was the French police that rounded up people to be put on those trains. It was under the orders of the French politicians. This problem of obeying governments is not something that is limited by national borders.



en masse

adverb

_in a mass_; all together; as a group:


But wait, we'd get millions sending their hopes and prayers and everyone in power coming on broadcast news TV to talk about how awful the Chinese genocide is.

I can tell because that's how it already went down with the Tibetans and Uyghurs. Because the CCP has already committed multiple genocides including their planned mass famines in 1960 that killed tens of millions of their own citizens.


[flagged]


The downvotes might be from the fact that the Nazi concentration camps only turned into extermination camps in the very last years of their rule, so the danger of extermination camps might be at least partially inherent in the concentration camps?


So what if China isn't running death camps per se? The problem is that it's running something of the magnitude of Nazi Germany and getting away with it. No sane government would go 100% Nazi overnight, but if they see that being 50% Nazi is OK, then they might raise it to 75% etc. It's a game like all authoritarian politics. They're probing ground, and many other authoritarians around the world are looking at the result. This is why it's important that China gets called out for its atrocities, and called out hard.


That is quite a big "per se" there. My point is there is a huge distinction between concentration camps and death camps. The Nazis progressed from one to the other, but that is not a guarantee (this is where that US reference might come into play). There is a large difference between "let's segregate these people" and "let's kill all of them", and we shouldn't blur the lines between either the Nazis' decision to make that leap or China's decision to as of yet not.

I wouldn't have felt the need to make my comment if the original comment was modified with "early Holocaust" rather equating it to the entire thing which inherently includes and is often more synonymous with the death camps.

Also what China is doing is not in the magnitude of the Nazis.

I am not saying any of this to defend China. I just want these things clear because this is the type of rhetoric that is often used by Holocaust deniers.


Correct me if I'm wrong, but these aren't segregation centers. There's a big difference between "let's segregate these people" and "let's re-educate these people." China seems to be well into the re-education process and while they may not have trains headed to death camps, I think it's more accurate to say that they are closer to those death camps than they are to Jim Crow laws, having already surpassed cases like re-education boarding schools [1], which AFAIK are considered genocide by international law.

[1] https://en.wikipedia.org/wiki/American_Indian_boarding_schoo...


[flagged]


Some food for thought: In Tibet, people regularly self-immolate to show the world how desperate the situation of Tibetans is. Imagine in what circumstances you would need to live to see people around you self-immolate. It's not just one person, and not just a dozen.


I'm not defending China at all; they have tons of shitty policies. I'm just saying it is nothing like the Holocaust and it is pretty absurd when people make those kinds of comparisons. It reminds me of just before the Iraq invasion when the propaganda was at its highest (Freedom fries and Dixie Chicks).

If I again compare with the US as an example, even if people don't like that: you have had many hundreds if not thousands of suicide bombers who have stated that they sacrifice their lives to strike against targets because of US imperialistic ways. Imagine the circumstances that led to that.


The problem is you have two types of people, you have the guy that sees his kid get blown up and is like F'it I am going to detonate myself. I get it, I could be that guy under the right circumstances. The problem is the world is just as full of people ready and willing to exploit that guy and that is what happens. The situation is a lot more complicated than the American imperialist kills babies meme. The problem is though when you go after the other guys, who need going after, some good people get killed and it creates a newly exploitable class based on that anger and resentment.

The guy who just wants to be left alone is constantly pushed into a corner by the guy that wants to control and manipulate people and those are the two types of people in the world. The American revolution was filled with guys that just wanted to be left alone. Congress is now filled with guys that want to control and manipulate. They are naturally attracted to power. It will take them pushing the US citizen who wants to be left alone (AKA the silent majority) into the corner before anything changes.


The thing is when you write:

>The problem is you have two types of people, you have the guy that sees his kid get blown up and is like F'it I am going to detonate myself. I get it, I could be that guy under the right circumstances. The problem is the world is just as full of people ready and willing to exploit that guy and that is what happens. The situation is a lot more complicated than the American imperialist kills babies meme. The problem is though when you go after the other guys, who need going after, some good people get killed and it creates a newly exploitable class based on that anger and resentment.

That is also the exact motivation that China uses for its re-education camps. It is because of terrorism that they need to go after.


> I'm just saying it is nothing like the holocaust and it is pretty absurd when people do those kind of comparisons.

It's clearly not exactly the same as the Holocaust. But it's disingenuous to say it's nothing like the Holocaust either, because there are a lot of similarities.


Do you think they are more similar to the Holocaust than the US internment camps?


I think they're closer to Nazi internment camps (which rather quickly transitioned to death camps) than the various US internment camps, yes.

Are they death camps yet? Well, perhaps not. But there is nonetheless a hell of a lot of dehumanization. There are reports of forced abortions, rapes, medical experiments, and other tortures.

To be clear, the US internment of the Japanese is a horrendous stain, but it clearly is far less evil than these camps.


[flagged]


If you can’t distinguish between the Vietnamese War and the Axis Concentration Camps on a scale of atrocity, I’m doubtful there’s any intellectual exercise that’s going to clarify that for you.


Absolutely, there's no intellectual process to get there. [0] Rather it requires a lifelong immersion in "news" media committed to minimizing USA war crimes, coupled with an aggressively jingoistic ignorance of history.

[0] that is, one brutally murdered innocent child of innocent parents is not really different than some other brutally murdered innocent child of innocent parents.


I'm not comparing the Vietnam war to the Holocaust.

I'm comparing our oil grab under various guises, vs China's attempts at unification.

When both are causing murder, why is oil better than submission?


Calling the interning of over 1 million people an attempt at unification is blatant astroturfing and is wildly and viciously wrong.


I believe OPs reference to the Uighurs was to their placement in concentration camps. Calling that an “attempt at unification” is generous at best.


I didn't see this as a problem solved by war, honestly.

We need to wean ourselves off a dependency on China for cheap goods. We need to decide that we value human life over a cheap phone.

China gets away with what it does because it feeds our need for shiny new trinkets. Frankly, it's disgusting. The world could stand up to China and say it doesn't want it as a trading partner. Maybe that wouldn't even help, but do we really want to be doing trade with a country that operates like China does?

Where are our values?


With all due respect - from a systems perspective, that's not a solution; it's a wish for a pony, no less so than complaining "where are China's values?" Solutions are required because people are selfish and shortsighted - merely pointing this out accomplishes little.

It's like saying that police aren't a solution to murder - what we really need is to stop killing each other.


The current president isn't wishing for a pony. He has aggressively, unilaterally changed USA trade policy with respect to China. One might suspect his goals in this exercise. Still, if he can do this in pursuit of his idea of "fairness", then some other president, perhaps with the cooperation of Congress, could have done similar with the idea of penalizing some of the more odious behavior of the Chinese state.

That hypothetical president who cared about e.g. Tibet or the Uighurs couldn't have expected any popular intellectual support for that effort, however, since our popular intellectuals act largely to feather their own nests with Panglossian tributes to how wonderful TPP could have been.


All kinds of bad things are happening in the world. This thread is discussing a bad thing being done by the Chinese government. That doesn't suggest that other bad things are any better or worse.

https://en.wikipedia.org/wiki/Whataboutism


It might not be. Does that mean we can't decry both?


[flagged]


Don't forget that the power behind the CCP's lies and violence is economic clout, both abroad and domestically.


Yes, absolutely. The economic clout gives them the confidence and means. That needs to be dealt with. Declaw!


Like how the world dealt with the US after Snowden's reveals?


I’m a U.S. citizen and I’m “dealing with the US” in my own way. But such a thing takes time. You don’t upset an entire economic regime in a year or even a decade. It takes the utmost patience, to the point of organizing for outcomes you may not even see in your lifetime.

One shouldn’t mistake a seeming return to the status quo as proof that the status quo is just as strong.


How do you "deal" with another country developing economically?


Bullets have been obsolete for decades. Wars are currently fought by selling shitty financial instruments en masse to your opponents while you sit and watch them implode from afar.


[flagged]


WW1 turned out to be far more deadly because the participants were stuck thinking of war in terms of old conflicts while technology advanced. I don’t see ground invasions working the same way against adversaries with nukes.


This should be mitigated by browser vendors by integrating HTTPSEverywhere as a core functionality of the browser that needs to be explicitly turned off (instead of the current state of affairs where we have a tiny minority on the web who are familiar with installing security add-ons). Visiting an HTTP site should come with a scary warning. I understand this throws old sites under the bus, but there could be other solutions here, such as restricting 3rd-party resources as a second layer of defense once the user clicks through the first warning to access the HTTP content.

And in case I'm totally wrong, what mitigations are feasible? More trade war, such as by compelling ISPs to null-route Chinese businesses like Baidu.com as a form of sanction?


I recently (4 or 5 months ago) joined an online community of aircraft owners and pilots that is primarily focused around a single brand of aircraft (although it's not an official site of, property of, that brand nor is it endorsed by that brand).

When I signed up, they emailed me to welcome me to the site (they actually require manual authorization of users by an admin, which is... refreshing, but uncommon). The email ended by stating that if I lost my password, they could "recover it" and send it back to me.

I raised a thread about it in one of their off-topic sections, and got harassed - "How secure do you need your browsing to be?" (And hey, I mean, I was asking them to do more work)

But it stands out that most of the public doesn't know, and doesn't care to know. Even a site that's populated by people with net worths and/or incomes that average in the six-to-seven figure range, that they probably signed up for with the same email address and password that they use for their bank and brokerage accounts.

HTTP should come with a warning. Furthermore, it would be fan-fucking-tastic if there was some generalizable way to (automatically) audit a website's security practice. Like, a crawler that just runs standard OWASP-style attack-vector checks, and sends an email to the site's owners when one succeeds. And then put that data into a database and warn users (with a browser plugin) when they are creating credentials for sites with bad security.


I'll top that. I used TABCPermit.com to get licensed to serve alcohol in Texas. Their signup form says "no special characters in password". I used one anyway, putting in "password$1" for example. It accepted it, and I worked on the test.

Next day, I can't login. I use the "forgot password" link. They send me an email, and it has my password in it! Bad, right?

That isn't all. My password, they said, was "password1". They silently stripped out the special character.

I just about flipped a table at how security-shallow people who build websites can be.


Are you sure your password has a $ in it? What makes you think that they don't strip the $ when you set and enter your password?

If it seemed like they were doing a hash then compare, I would wonder if they are using the legacy unix crypt that truncates passwords at 8 characters.


I know when I registered and typed twice that my password had "$" in it. And they mailed me back my password without it. Finally, it wasn't just a truncate because there were characters after the position where "$" should be.

And if they did strip it out, that is bad. That's the point.


There's Plain Text Offenders, which covers part of that: https://plaintextoffenders.com/tools


I'd recommend using an OpenID Connect provider to authenticate if you're concerned about their practices, but it's just as easy to improperly implement auth even with mainstream libraries to help you connect something like Auth0 to your app.

e.g. Don't assume the email address is owned by the person making the claim. You can sign up for an account with an email and if it's not verified or the verification is mis-clicked or phished into being clicked the original account owner would never know the difference.

Still, at least with OpenID Connect you know your password isn't sitting in plain text.
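An added example (not code from the thread or from any OIDC library) of the claim checks the comment above warns about: an account is matched by the provider's stable `(iss, sub)` pair, never by email, and an email is trusted only when the provider asserts `email_verified`. The issuer URL, client id and token claims are constructed for the example; JWS signature verification is assumed to have been done by the OIDC library before these checks run.

```python
import time

# Constructed values for the example: the issuer we configured and our
# client_id at that provider (both hypothetical).
EXPECTED_ISSUER = "https://issuer.example.test"
EXPECTED_AUDIENCE = "example-client-id"


class IdTokenError(Exception):
    """Raised when an ID token's claims must not be trusted."""


def validate_id_token_claims(claims, now=None):
    """Check the standard claims of an already signature-verified ID token.

    Covers the checks that are easy to forget when a library only verifies
    the signature: issuer, audience, expiry and subject. Returns the claims
    on success and raises IdTokenError otherwise.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise IdTokenError("token was not issued for this client")
    # With several audiences, azp must name us (OIDC Core 3.1.3.7).
    if len(audiences) > 1 and claims.get("azp") != EXPECTED_AUDIENCE:
        raise IdTokenError("azp does not name this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


def account_key(claims):
    """Identify a user by (issuer, sub): sub is the identifier the provider
    guarantees to be stable, email is a mutable attribute anyone can type."""
    return (claims["iss"], claims["sub"])


def link_login(claims, accounts, now=None):
    """Map a validated login to a local account.

    `accounts` is a dict {account_key: {"email": ...}} standing in for the
    user table. Existing accounts are matched only by (iss, sub). An
    unverified email that collides with an email already on file is refused,
    which is exactly the "claim someone else's address" case from the
    comment; a verified email is stored, an unverified one is not.
    """
    claims = validate_id_token_claims(claims, now)
    key = account_key(claims)
    if key in accounts:
        return "login", key
    email = claims.get("email")
    verified = claims.get("email_verified") is True
    email_taken = email is not None and any(
        a.get("email") == email for a in accounts.values()
    )
    if email_taken and not verified:
        raise IdTokenError("unverified email collides with an existing account")
    accounts[key] = {"email": email if verified else None}
    return "created", key


if __name__ == "__main__":
    # Constructed claims for a first login and an impersonation attempt.
    table = {}
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000,
            "sub": "user-1", "email": "owner@example.test", "email_verified": True}
    print(link_login(good, table, now=1000))
    try:
        link_login(dict(good, sub="user-2", email_verified=False), table, now=1000)
    except IdTokenError as e:
        print("refused:", e)
```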


Are there any sites that accept OpenID but that you still suspect of poor password/auth practices?


"How secure do you need your browsing to be?"

Perhaps explain to them that many people (unwisely) reuse passwords for many sites... possibly including their banking.


To which they respond, in essence, “their fault”


That response is pretty typical from the GA community.


What is "GA"?


General Aviation; the same people that lobby to keep using leaded fuels.


That's a bit too harsh. The GA people are lobbying to continue to be able to fly their aircraft. The FAA has been sitting on the problem of non-leaded avgas for something like 30 years now. The GA people don't like being exposed to lead any more than anyone else.


Yes, harsh on people literally choosing to spray a neurotoxic heavy metal compound over populated areas for their fun. Their advocacy is the roadblock to the adoption of safer fuels.


It doesn't actually accumulate in any particular area. There was a study done at an airport that showed no particular accumulation at the airport. Leaded gas ends up poisoning the whole world a bit.

This "dilution is the solution to pollution" argument is the excuse the FAA uses for forcing everyone to use leaded avgas. This should be more of a scandal. The FAA is basically helping maintain a harmful oil company monopoly at the expense of the world.

This is not just about recreational aircraft. For example, 45% of the Canadian commercial fleet is piston engine based. Incidentally, Canada was involved in a test program with the FAA for leaded fuel replacements. The FAA recently dropped out of that program.


I think we'd all rather burn cheaper / more prevalent gas than a leaded fuel that is the output of specialty refining. We're not allowed to by regulation, though, and furthermore present solutions would also endanger safety in a big slice of aircraft. The fleet of general aviation aircraft is really old, after all.


General aviation.


> This should be mitigated by browser vendors by integrating HTTPSEverywhere as a core functionality of the browser that needs to be explicitly turned off (instead of the current state of affairs where we have a tiny minority on the web who are familiar with installing security add-ons).

We're talking about China, so that's probably not going to work: Chinese users are using Chinese browsers [1] to access Chinese websites. I don't think Chinese browser-makers and website operators are going to take action against their government like that.

[1] https://www.fastcompany.com/3058432/the-top-3-web-browsers-i...


That's fine. If the Chinese government wants to commandeer their own citizens' resources to DDoS other people, that's on them. They could very well also direct their state controlled ISPs to do the same. Doing either would obviously be attributed to them and would be cause for them to be de-peered - solving the problem.


sure. but that would still limit the attack to only come from within CN (and possibly users outside with a CN browser) and not from every potential user who has Safari/Mozilla/Chrome.

It would mitigate attacks from inside China against outside entities, which for somebody not based in China is all I want.


The concern here is people using Chinese websites abroad. The Great Cannon rewrites javascript for a subset of remote users visiting Chinese sites, causing the users' browsers to participate in a DDoS against a target.


For anyone interested, Brian Krebs did an excellent article[1] on The Great Cannon after the Citizen Lab incident.

> [Nicholas] Weaver said the attacks from the Great Cannon don’t succeed when people are browsing Chinese sites with a Web address that begins with "https://", meaning that regular Internet users can limit their exposure to these attacks by insisting that all Internet communications are routed over "https" versus unencrypted "http://" connections in their browsers. A number of third-party browser plug-ins — such as https-everywhere — can help people accomplish this goal.

> But Bill Marczak, a research fellow with Citizen Lab, said relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.

[1] https://krebsonsecurity.com/2015/04/dont-be-fodder-for-china...


I posted a top-level comment[1], but basically HTTPS-only, aside from throwing old sites under the bus, would not have helped.

[1] https://news.ycombinator.com/item?id=21726617

> and in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISP's to null-route Chinese businesses like Baidu.com as a form of sanction?

Probably something like this, but I'm afraid of where that would lead.


I think China's government requires websites to give them their private keys. HTTPS is useless then.


And what do you think happens to sites caught serving malware? They get put on safebrowsing blacklists. That problem solves itself.


If the Chinese government wants to man in the middle traffic to foreign sites they can just force PC vendors to install a CCP controlled CA root on systems and make it illegal and/or very difficult to remove it. Shit, they can require vendors include a hardware backdoor, especially since so much of that hardware is produced domestically.

Then they can view the traffic even going to and from foreign sites who would not comply with an order to share private keys and no safe browsing blacklist (like that would be accessible from inside the regime anyway) will help you.


>If the Chinese government wants to man in the middle traffic to foreign sites they can just force PC vendors to install a CCP controlled CA root on systems and make it illegal and/or very difficult to remove it.

Addressed here: https://news.ycombinator.com/item?id=21721843

>Shit, they can require vendors include a hardware backdoor, especially since so much of that hardware is produced domestically.

If they're only doing it for local computers, the consequences/response is the same as the previous paragraph.

If they're doing it for foreign computers on a mass scale required for a DDoS attack, if discovered will torpedo their entire electronics sector. All the "ban huawei" politicians will have a field day with that.


The Chinese government can do this for systems sold within China. They don't have the authority to do it for computers globally.

If I'm understanding other comments correctly, browser vendors installing HTTPSEverywhere cuts down the potential for this Great Cannon attack from 7.7 billion users to 1.4 billion. An 80% reduction seems significant.


I was under the impression that the other commenters were referring to HTTPS as a solution for those in China to protect themselves from their own government. Perhaps I was wrong.


No. It's to protect users outside China visiting Chinese sites from being coopted to participate in DDoS.


Not with (perfect) forward security:

> In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if the private key of the server is compromised.[1] Forward secrecy protects past sessions against future compromises of secret keys.[2][3][3]

* https://en.wikipedia.org/wiki/Forward_secrecy

There's still the risk of MITM identity spoofing of course.


Forward secrecy only helps you if the server private key is compromised in the future. If it's compromised already, and an active attacker can modify traffic between you and the server, forward secrecy doesn't help.

Ultimately, if an attacker has all your keys and controls all your traffic, there's nothing left that distinguishes the attacker from you. No security is possible in that scenario.


I fail to see how this attack has anything to do with http? The scripts can be served over https no problem, it’s the host that is compromised. Maybe you’re thinking of sub-resource integrity attributes?


It's injecting the malicious script into the source of http pages. With httpS, this is not possible unless you also change the root certificate of the computer.


From the article :

"Mitigations

These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

http://push.zhanzhang.baidu.com/push.js; or http://js.passport.qihucdn.com/11.0.1.js

You may want to consider blocking these URLs when not sent over HTTPS."
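A site-owner-side check for the mitigation quoted above, added here as an example (not code from the AT&T article or this thread): it walks an HTML page for every sub-resource the browser would fetch, flags those loaded over plain HTTP, and marks the two script URLs the article names as critical, since a plain-HTTP script is the one an on-path injector can rewrite. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts of the two resources the article names as injection points.
KNOWN_INJECTION_HOSTS = {
    "push.zhanzhang.baidu.com",
    "js.passport.qihucdn.com",
}

# Tag/attribute pairs that make the browser fetch (and for scripts, run) a resource.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class SubresourceCollector(HTMLParser):
    """Collect the absolute URL of every sub-resource a page would load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        names = FETCH_ATTRS.get(tag)
        if not names:
            return
        attr_map = dict(attrs)
        for name in names:
            value = attr_map.get(name)
            if value:
                # Resolve relative and protocol-relative ("//host/x.js") references
                # against the page URL, the way the browser does.
                self.resources.append((tag, urljoin(self.page_url, value.strip())))


def audit_subresources(html, page_url):
    """Return one finding per resource fetched over http://.

    severity is 'critical' for the known Great Cannon injection hosts and
    'warning' for any other plain-HTTP load; https and data: loads are skipped.
    """
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        parts = urlparse(url)
        if parts.scheme != "http":
            continue
        host = parts.hostname or ""
        severity = "critical" if host in KNOWN_INJECTION_HOSTS else "warning"
        findings.append({"tag": tag, "url": url, "severity": severity})
    return findings


def https_rewrite(url):
    """The suggested fix from the article: the same URL with the scheme upgraded."""
    return urlparse(url)._replace(scheme="https").geturl()


# Constructed sample: a page served over http that embeds the Baidu push script,
# a protocol-relative Qihu script (which resolves to http here), one plain-HTTP
# image and one correctly served HTTPS stylesheet.
SAMPLE_PAGE_URL = "http://example.test/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<script src="http://push.zhanzhang.baidu.com/push.js"></script>
<script src="//js.passport.qihucdn.com/11.0.1.js"></script>
<img src="http://example.test/logo.png">
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_subresources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{f['severity']:8} {f['tag']:6} {f['url']}  ->  {https_rewrite(f['url'])}")
```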


The cannon is injected into HTTP resources.


In most JavaScript sandboxes, if you request a domain from a site you are restricted by the same content policy. This makes it harder to do things like make requests to sites that don't use https, for example, when you're on one that does use it.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...


I don't quite understand the mechanism after reading the article. Is the attacker (presumably the PRC) MITM'ing these CDN resources at the infrastructure level? If they had exploits in place within these CDNs (presumably within the PRC's capabilities) HTTPS wouldn't help, no?


More than likely they placed a phone call to Baidu and told them exactly what to do. I doubt it's a technological MITM probably just a social one. A totalitarian state can do that.


that's why probably null routing at ISP level is more likely. the time it takes to adapt to new defenses is much less than what it takes to come to an agreement in cabforum. When things escalate nobody will push vendors to agree on new security features when a blunt instrument like legislation is cheaper. If things escalate they'll just sinkhole all traffic going in and out of China.


The article says only HTTP traffic is affected. If they subverted Baidu at the server side, https traffic would likely be affected equally.


I understood it so that if things escalate what would stop them from simply serving malware from Baidu. If CN sees these actors as an attack on their freedom and autonomy to shape internal policy then they could easily justify this (at least to themselves).


just for good measure:

  sudo echo -e "\n\n# Null route the Great Cannon:\n0.0.0.0 baidu.com\n0.0.0.0 qihucdn.com\n" | tee /etc/hosts
... but I know I'm only fooling myself.


(I strongly recommend tee -a :) as well as putting the sudo before the tee).


Notable reason (for those unfamiliar) is that tee will overwrite the file unless given the -a argument which will append the input to the end of the file.


:)

thanks (I admit didn't test it because I use `python3 ./updateHostsFile.py` to take care of /etc/hosts)


>and in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISP's to null-route Chinese businesses like Baidu.com as a form of sanction?

A slightly less broad measure that's just as effective would be to block unencrypted http traffic from entering China. Want to get unblocked? Get letsencrypt.

An even better (but slightly greyhat) route would be to inject HSTS headers with the maximum expiry date. This will cause any visitor's browsers to get "infected" with an unskippable warning, forcing them to upgrade no matter what.


> Visiting a HTTP site should come with a scary warning

Browsers are already moving to explicitly label HTTP sites as "not secure"


Surprised the relevant powerful/time tested and highly technical participants at whichever appropriate layer of networking aren't just forcing https only. #studentquestion

