Why Baidu Has Been Hijacked to Attack GitHub (archive.today)
254 points by RyanMcGreal on Mar 27, 2015 | 194 comments

Hmm, I wonder if this could backfire. If it's an <iframe>, couldn't GitHub insert code that framebusts? If it's some other mechanism, couldn't they block by referrer? If it's CORS, couldn't GitHub deny CORS requests? If it's a <script> tag, couldn't GitHub do some nasty XSS?

Edit: ooh, take a look at the more detailed look from insight-labs: http://insight-labs.org/?p=1682

It's XMLHttpRequest ($.ajax), but with dataType: "script". Looking at the jQuery docs (http://api.jquery.com/jquery.ajax/):

"script": Evaluates the response as JavaScript and returns it as plain text. Disables caching by appending a query string parameter, "_=[TIMESTAMP]", to the URL unless the cache option is set to true. Note: This will turn POSTs into GETs for remote-domain requests.

Oh dear. If GitHub can detect this, GitHub can basically XSS all sites using Baidu's analytics.

Edit 2: Oh, the insight-labs article says the attack has stopped.

That's exactly what they did! At the moment of this writing they are sending back:

    alert("WARNING: malicious javascript detected on this domain")
when you're trying to reach https://github.com/greatfire/ or https://github.com/cn-nytimes/. That's why other people have started to notice it (as the article describes).

Timeline of the attack looks something like this:

1. The Chinese firewall hijacks requests to http://hm.baidu.com/h.js and sends back a script that attacks GH instead.

2. Github notices that a huge amount of people are trying to reach https://github.com/greatfire/ and https://github.com/cn-nytimes/

3. GH figures out what's happening and starts replying with the alert javascript snippet.

4. Users are now being notified by the alert every time their browser runs the hijacked JavaScript.

5. The person that wrote this article writes this article after investigating what the alert message is about.

If I were Github I would redirect the attacker back at one of their own resources.

An attack reflection of sorts.

Edit: You're technically not attacking, you're reflecting; if the attack stops there's nothing to reflect.

Just like in martial arts, you don't just take a beating, you defend and return the opponent's attack back at them. Seems fair to me.

Who should they "reflect" the attack back at? Baidu, who seem to be a victim of HTTP hijacking in this case? Or the Chinese government? If the latter, then where exactly do you focus the counter-attack?


That will show them!


Baidu == Chinese Government

I don't know. If I were a private company, I'd go out of my way to avoid antagonizing nation-state level governments.

That does not seem wise. China vs. GitHub, China will win.

It would be interesting to know how important Github is for China's economy and how important China is for Github's.

China's GDP is 10 trillion dollars. Github is not at all important to China, other than as a source of tools its citizens use to circumvent their authoritarian regime.

> Github is not at all important to China

If that were the case, I don't think they would have backed down and allowed access to Github again.

Or maybe by blocking it during the timeframe they did, they have accomplished their mission and there was no further need for blocking.

I sincerely doubt github is at all important to China.

Again, then why did they unblock it? It is important; we're in a new paradigm for software where developing in the open leads to higher quality software written faster than previous ways.

It's hardly a new paradigm, it's just a place with a lot of software that you'd otherwise have to write from scratch. It's merely software development catching up with everything else.

I'm sure Github and free software is a goldmine to the country that built its economy on copying other people's stuff.

On the other hand, the capitalists running the communist party might scoff at the idea of software that everyone is allowed to copy, because that offers no advantage to the unscrupulous. At least I'd imagine they would scoff at copyleft, just like Github does.

That is true, even Google can't fight against China.

I imagine they have the technical resources to – they just don't because as a public company they are obligated to maximize shareholder value.

I would put it more on the fact that attacking a foreign government is kind of usurping the role of the US government, and they won't take kindly to that.

Google made a choice.

You can always fight, even if you believe you will lose.

...in China. Outside of China, my money would be on Google.

An eye for an eye makes the whole world blind?

Apart from one person with one eye left

As much as I love MLK and Gandhi, this assertion never made sense to me.

An eye for an eye would leave two people blind: the person who blinded the other, and the one that was blinded.

Once people start seeing the severe consequence of blinding someone (getting blinded back), they and everyone else would most likely stop, not continue blinding more people.

The reason it doesn't make sense to you is because you are assuming it is applied in an ideal perfect universe, while the statement is referring to the real world, where any retributive rule is applied by imperfect actors who make errors in the assignment of culpability (both in identification of who is responsible and in identifying whether their act was justified in the first place.)

Such errors result in people who shouldn't be blinded themselves being blinded, and are themselves the subject of retaliation by the same error-prone process.

And there are many, many real-world examples of this in the form of multi-generational inter-family feuds.

Well said. It's your nuance that I like, and it's the lack of nuance in the original assertion that I find wanting.

>An eye for an eye would leave two people blind

Well under your reading wouldn't it just leave them each without one eye. They may be blind but in most cases they will still have one other functioning eye. /pedantry

"Who paid retribution for the second blinding? The second paid for the first, I demand a third eye" ... ergo the aphorism.

That's correct, the only problem is it takes thousands of years for humanity as a whole to agree that the consequence is too severe to stand. On this time scale, the idea of not fighting wars because they cause damage is relatively new.

>redirect the attacker back at one of their own resources

Why only one? :)

Because that’s not a DDoS anymore if you target a lot of traffic to a lot of different resources.

Yes, it is an amplified DDoS. The attack doesn't become weaker, it would only target more machines.

Just to clarify, did the DDOS stop due to GitHub adding that warning text, making the hack reflect poorly on Baidu and hence the perpetrators being subjected to internal pressure? If not, GitHub would still have to serve that JS and hence would still be bombarded by millions of content requests.

Even better, popping up a JS alert stops further JS execution, so this was a clever way for Github to throttle connections (rather than them being made every 2 seconds as per the hijacked Baidu JS)

I see; I missed the part where the resource request was executed every 2 seconds. The alert essentially would make the page unusable. From my understanding that Baidu is Google for China, the amount of productivity lost from people not being able to search would mean the hack backfired spectacularly.

Well, except for the fact that it only impacts people who access Baidu from outside the Chinese firewall. People who access Baidu from inside China would not have their Baidu use interrupted.

they can do something better: they can put in some JavaScript disabling the hijacked JS, like

alert('......'); r_send = function(){}

window.top.location = "http://gov.cn";

It looks like what they did was change the URL to only serve out the alert in plain text. Which is a lot less resources to use. I would also assume that they are willing to use those resources to fight back.

Imo they should have converted the targeted pages to a static cache and just document.body=page it; the users would notice (not able to access anything) and the pages would still be accessible on github.

Oh, I see, gotcha.

They already are, inserting an alert().

What would be much more interesting is replacing <body> with a multi-lingual message explaining what's happening and how to block the Baidu script.

Does anyone have a mirror of the original article? "Error establishing a database connection"

Edit: Google cached it here: http://webcache.googleusercontent.com/search?q=cache:CeVJaTq...

Edit 2: Here's an archive.today of Google's cache: https://archive.today/KtgpS

Thanks. Since your second link works while http://translate.google.ca/translate?hl=en&sl=zh-CN&u=https:... doesn't, and neither is an original source anyhow, we've swapped the URLs.

Heh, we DDoS'ed the article about the DDoS.

Assuming this is the Chinese government, what's their end game here? They must believe that GitHub will bow to their will and remove Greatfire or block it from China. Permanently? That seems incredibly naive. Also, have they not considered the Streisand effect? Also, assuming they see Baidu as effectively a state asset, why poison that brand for such a temporary gain? It doesn't make sense.

  They must believe that GitHub will bow to their will 
  [...] That seems incredibly naive.
Plenty of technology companies would. Of course, they would call it "complying with local laws in all countries in which we operate".

The only way to find out if Github is such a company is a few months of successful attacks.

That's true. I remember being incredibly disappointed in Google when they agreed to censor search results for China. Here's to hoping that GitHub is willing to stand up to this bully.

Censor but supply notice that they were censoring. And when China hacked into gmail, they left the country rather than continue to comply with their laws.

>Of course, they would call it "complying with local laws in all countries in which we operate".

If 'I was following orders.' isn't an excuse when you are in the military, where disobeying orders can get you jailed if not killed, then no one should accept such reasoning when the penalty is merely being unable to do business in an area.

Maybe torturing / killing people under orders is not the same as restricting access to information.

Yeah, the information restriction is much more severe in the big picture.

You think the people who did this should be executed by hanging?


It's not just Github though. There are a bunch of other companies who will take away the message that you don't mess with the Chinese gov't.

Github is powerful and funded enough that they won't succumb. It's all the smaller websites that might make changes because of this.

I wouldn't say they are powerful, but they are a subculture and subcultures can turn on a dime.

they got 100 Million in VC funding and are the epicenter of modern software development. That's kinda powerful.

GitHub was banned in Russia for less than a day and had started to comply with totally braindead removal requests. Why would China need months of attacks to make them do so?

I would be less inclined to oblige in the face of threats and actual attacks. Especially when done so publicly. I imagine companies like Facebook were quicker to oblige through actual negotiation and some sort of "business diplomacy."

did you get "complying with local laws in all countries in which we operate" from Cloudflare ?

> They must believe that GitHub will bow to their will and remove Greatfire or block it from China. Permanently?

Well, yes? Extraterritorial law enforcement works fine for the US, they're quite happy to shut down gambling, copyright infringement, and so on regardless of where you are in the world.

In this case, it's git. It's inherently distributed. It's fairly easy to force Chinese users onto a local equivalent and block all those suspicious outgoing https/ssh connections to github.

Sure, but the power differential is much more balanced in this case it would seem. The U.S. government has a history of giving asylum to Chinese dissidents. I'm not sure that forcing users onto a local equivalent would work, it's not git that's the scarce and valuable resource here, it's GitHub. It's the collaboration, being part of the conversation on PRs and Issues, etc. It's currently the center of the web development universe. Greatfire is a brilliant poison pill. I guess we'll have to wait and watch carefully to understand the end game. My prediction is that GitHub continues to mount a defense long enough for U.S. authorities to get involved and at that point the DDoS will stop. I'm either missing something huge (it's not China), or it's an incredibly naive attempt that will fail: just today's blip.

This particular content was hosted on github not because of git per se, but because github is an easy way to host some content and CN cannot block the whole github domain because the tech sector in CN relies too much on github.com; hence it would damage a growing economic sector.

Github has been known to remove files and repositories simply because employees don't like them, despite them not actually breaking any ToS. They've also been known to block access to files/repos to users in certain countries. I wouldn't be surprised if attacks on those repos would cause it to get removed.

> Github has been known to remove files and repositories simply because employees don't like them, despite them not actually breaking any ToS.

Do you have any source on that?

Sure. The two most popular examples are the C Plus Equality repo and the Operation Disrespectful Nod repo, which were a satirical programming language and a Gamergate resource list for contacting advertisers, respectively.



Wait so Jake Boxer responding on Twitter to Nexxy is considered proof that he removed it? I don't think that holds up.

It's not proof that _he_ necessarily removed it, but considering it wasn't brought down by the actual repo maintainer, and that any repos created to replace it by other users at the time were taken down as well, it's a safe assumption that someone at GH did.

There's several more sources regarding this, but I'm on a terrible mobile connection at the moment. Googling around will get you a bit more info for the story.

All the sources I've seen just show the tweets and then go on to say how he went rogue and removed the repository. Seems like a really weak argument.

Github is a private company, and they have every right to remove misogynist content if they don't want to be associated with it.

Way to completely miss the point and spin it in a different direction.

The US's tech prestige was damaged by the revelations of mass US spying. One could ask "Why did the US poison their brand for such temporary gain?"

Countries are different beasts.

GitHub was blocked completely by GFW. But many developers in China complained, because GitHub is too important. Now it becomes available again. I think they choose Baidu just because its scripts are widely used.

> Streisand effect

An American concept. Foreign to Chinese Legalism. Do note that "Free Speech" doesn't exist over there as a concept.

> Do note that "Free Speech" doesn't exist over there as a concept.

1. Free speech as a right isn't critical to the Streisand effect, and

2. "Free speech" as a concept certainly exists in China. The formal orientation of the government with respect to the concept (and quite possibly the public perception of the value of the concept) is very different than in Western liberal democracies, but the concept certainly exists, just as the concept of, say, "theocracy" exists in most places, even the places that don't practice it.

> Do note that "Free Speech" doesn't exist over there as a concept.

I think you're rather overstating that.

自由言論 - that's free speech in Chinese

no. It's 言论自由, or 言論自由 in traditional Chinese.

The US government should prohibit US companies from complying with censorship demands from China. It already does something like that to prevent US companies from complying with the Arab League boycott of Israel.[1]

[1] https://www.bis.doc.gov/index.php/enforcement/oac#whatsprohi...

Very interesting to look at the original content of https://github.com/greatfire/ and https://github.com/cn-nytimes. One appears to be a collection of resources for proxying around the Great Firewall [1] and the other has a number of clones of the New York Times translated into Mandarin [2][3].

[1]: http://webcache.googleusercontent.com/search?q=cache:X_4LmyL...

[2]: https://github.com/cn-nytimes/mirrors [3]: https://dtl1al4e74u07.cloudfront.net/

I didn't realize until now that part of the NYT's strategy in having a Mandarin version may be due in part to its being blocked in China -- a reply to China's censors, of sorts.

I think GitHub should have added a more descriptive error message (since they control it thanks to how the attack vector works).

      "The site you are visiting contains malicious JavaScript.\n" +
      "Your computer is currently being used to attack Github.com."
or something...

The only thing the average web user would take away from such a popup is that github.com is annoying or spying on them, and then proceed to bombard github with messages to knock it off (reminds me of when a blog temporarily became the #1 search term for "facebook login", oh the hate that blog received for "breaking my Facebooks")

The average web user has no idea GitHub is behind the popup. You need to be a web expert and look at the Network tab to know this.

OP suggested adding "github.com" to the popup's message. That would be a Bad Idea.

Oh, right, silly me for not reading the context.

What about

alert("The site you are visiting contains malicious JavaScript. It uses your machine as part of a cyber attack. You must immediately alert owners of this website to remove Baidu analytics which distributes the malware.")

Or perhaps use it to advertise a Baidu competitor.

Okay, I'm guessing this isn't on Baidu so much as the Chinese governments, but incentivizing Chinese corporations to object to government attacks isn't a terrible idea.

And let's add some taunt in it:

"[...] Github.com, and more specifically the tools allowing to easily bypass the chinese government censorship."

I wonder what would happen with such a message.

Everyone keeps saying "Chinese Government"; this has no accountability. The actual person in charge is Xi Jinping. Start naming names, people.


From what I've read about Chinese leadership, it's incorrect to label Xi as "in charge", at least if you mean in a dictatorial fashion. The CCP seems to run by the consensus of top party leaders. Xi certainly has more authority/sway than the rest, but I doubt he's making all of the decisions alone.

Like in every organization, there is a need to maintain good relationships with others. This means you have to make compromises and make deals. This means people aren't always 100% in charge. You can choose to do things against the will of some powerful enemy, and you will face the consequences. So Xi can make all the decisions here. He can say "I want this to be done" and his officials will carry it out. At this very moment, Xi is absolutely in charge of everything, especially given his popularity.

Witch hunting is a fun pastime, isn't it?

Uhm, I wouldn't call outing the de facto ruler of China witch hunting.

He's the de jure head of state. The de facto rulers of China are the "princeling" descendants of revolution-era party leaders (http://en.wikipedia.org/wiki/Princelings).

He is certainly one of them, and perhaps the most influential, but he is certainly not powerful enough to be "the ruler".

This is a very clever attack. I wonder if the same attack can be used on other sites or if it exploits something about Github.

Github's data is difficult to cache and many pages load piecemeal using turbolinks which itself creates lots of un-cacheable requests (cacheable only until someone pushes a new commit).

So it would appear to be next to impossible to stop a distributed attack.

> I wonder if the same attack can be used on other sites or if it exploits something about Github.

It doesn't exploit anything GitHub-specific! The way it's done is applicable to any site. The reason is that it uses the <script> loophole around the Same Origin Policy (<script> can be loaded cross-domain, thanks Eich...). They basically just inject this every two seconds:

  <script src="http://github.com/greatfire/"></script>
The browser will request that page expecting a script. It'll get HTML, but that's not valid JS, so it will just ignore it; the DDOS is successful regardless.

However, this also makes all sites with the malicious JS vulnerable to an XSS attack by GitHub, like GitHub is currently doing. If you visit that URL, you get this:

    alert("WARNING: malicious javascript detected on this domain")
Though I think the same trick could be done with, say, <img> or <style>, and those wouldn't allow XSS (though <style> could fuck with the page, certainly). Sloppy coding, Chinese Government employee...

I was wondering if you can prevent this by looking at the "Accept" header in the request, but it seems Accept is "*/*" for scripts. I'd rather have expected the browsers to send "application/javascript".

Then the answer from my server will be 400 because I don't have a javascript representation of this url.

Well, you're still spammed with requests.

Yes, but it is not the same if I can reply with 400 directly without further inspection.

I imagine github can do this at the reverse proxy level, instead of doing 20 queries to mysql and overload the ruby application.

Well, GitHub is already returning a special response for those URLs.

> Though I think the same trick could be done with, say, <img> or <style>, and those wouldn't allow XSS

You can XSS with SVG "images" [1]. Though up-to-date browsers should be patched against this.

The other option is having an image which said the same as the alert() message. Again, using SVG, this needn't be much bigger in file size than the JS response [2]

[1] https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Swed...

[2] http://www.w3schools.com/svg/svg_text.asp

The image would definitely be user-visible.

Sadly you can't guarantee that. If it was an advert, then yes, most likely it would be visible (barring ad blockers, but then they should hopefully block the attack anyway so that's a non-issue). But if it was a tracking image, then the dimensions would likely only be 1px^2.

I use those two specific examples (ad and tracking) because that seems to be the two instances in which this JS was MITM'ed.

> They basically just inject this every two seconds:

Isn't that the difficult part, i.e. to intercept a request to a server and inject malicious code? In this case, as all requests go through the great firewall, the hack was trivial.

The retaliation from GitHub is quite clever although not great for the user or Baidu.

> Isn't that the difficult part, ie. to intercept a request to a server and inject malicious code.

Um, sure. But that's not GitHub-specific, which is what they were asking about...

Github's website is very easy to cache: read heavy, non-realtime. Especially if you consider they can go into a cache-friendly mode where they disable push notifications ("you just pushed to this branch", etc).

They look real time now, but that is best effort: they don't have to be. Nobody will lament Github suddenly saying "we're under heavy load, changes will take a minute to propagate and real time notifications are turned off".

Note that this attack is read-only; there's no creating new issues or PRs or any other write operation (that would be different).

It's comparable to Wikipedia, which has close to 100% cache hits on popular pages. (sorry can't find the source for this right now)

The git repositories are another story, but that's not so easily attacked through JS.

Still, with an attack of this magnitude, no matter how cacheable, you're going to feel it.

PS: I forgot about one thing; their HTTP interface to diffs. That's a huge surface of fresh data to request which will have to go to the backend. Like you could do with Wikipedia history diffs. Perhaps they would have to cut that off for users who do not have a cookie set from a project or user home page... Okay, I spoke too soon. Github has a huge amount of fresh data to request and a targeted attack on things like git diffs (let every user request a different diff) can't just be solved by HTTP caches.

> I forgot about one thing; their HTTP interface to diffs.

Right -- pretty much any page that uses pjax / turbolinks to load segments of the page: each is an expensive query going to the backend.

GH recently added a timeout for the diff page if it's too large which probably also caches the "too large" status. The sweet spot for an attack would be the pages that don't time out but still create a 95th percentile request.

This actually only says how GitHub was attacked, which was already clear this morning. It doesn't say why.

The JavaScript code instructs visitors' browsers to request the GitHub pages of anti-censorship group Greatfire and the Chinese-language edition of the New York Times. These groups turned to a developer source code control tool to host their information with the knowledge that China was unable to block GitHub because of the huge cost to its technology industry.

Seems like these groups hosted content that the Chinese government didn't approve of, and tried to put it on github to avoid it being blocked. The Chinese government responded by DDoS-ing the two repositories to bend github itself into removing/blocking the content.

> It appears to be an attempt to pressure Github, a non-news organization, to censor content that China objects to.

At what point will the US stop tolerating Chinese attacks on US companies?

What do you mean by "stop tolerating"? Declare war?

There are other diplomatic avenues besides declaring war.

What, sanctions? The US is totally reliant on China for manufacturing. You'd grind the West, and China, to a halt.

We can start with the US publicly blaming China for the attacks. Public consciousness does a lot by itself.

So we roll over to a bully?

One can still use a hammer even if I break his kneecaps with it beforehand.

China is just as reliant on the West as the West is reliant on China. The use of that as leverage doesn't have to be limited to one side of that equation.

I suspect at the time one or the other puts their foot in the sand, that it will escalate to a conventional war.

Let us hope that day never ever happens. It would be awful for both sides no matter the "winner". As I learned from spending a year as a UAV Pilot in Iraq from 2003-2004, in war, as soon as a single person on either side is injured, both sides permanently lose. There is no real "winner". Just one side that loses less.

That's quite clearly not literally true.

Unless you can make the case that risking commercial relations with the current largest economy in the world over these attacks makes sense... I would say never.

The US has regularly attacked non-US companies and people, mostly by spying on them.

I agree. It would be nice to see the president or some government official at least publicly acknowledge that a US-based company is currently under attack by the Chinese government.

Things will become worse before they become better.

GitHub should cut China off from all services until the attack stops. It is clearly something the Chinese government doesn't want, or they'd just block GitHub in the Great Firewall themselves.

You seem to think China (or the folks running the great firewall) would be unhappy losing GitHub. I don't think they'd care as long as those two repos were effectively invisible to users.

Redirect all visitors subjected to the GFC to one of those two repositories. China loses all of GitHub except the projects it hates the most.

The childish part of me says to alter the redirect code to be a bit more...shocking. I think the attack would stop a lot more quickly if baidu users were subjected to, say, goatse or 2g1c.

I made a good case that they do care, which you didn't address, at all.

Is google translate from Chinese (Mandarin presumably) always this good? I'm pretty shocked by how coherent the resulting article is.

In this case the original article is in English. https://iyouport.com/archives/25775 Not sure why OP put it through Google Translate ...

Google Translate has actually mangled the (English) text a bit by going from English to English.

I think they did it to try and take advantage of Google's cache, and failed.

Well that's just embarrassing.

Side note: the written language that Beijing requires all school children to learn is usually called "Standard Written Chinese" even though it's based on the grammar of Mandarin. Depending on the differences in grammar between the local dialect and Mandarin, it's more or less difficult to learn the standard written grammar. We usually don't say "written Mandarin", but less formal writing using the grammar of one of the other dialects would usually be called "Written Cantonese". etc.

My manager speaks a dialect that's pronounced differently, but has a grammar close to Mandarin. The majority of people here in Hong Kong speak Cantonese, which is grammatically more different and uses a lot more slang and references to popular culture. I'm told that growing up here, leaving at age 15, and coming back at 25 makes it very difficult to follow daily conversations and read certain types of publications for the first few months because of the amount of slang used and how rapidly Cantonese changes.

I thought the same thing, but then I checked the "Original" because I just couldn't believe it (considering that German to English isn't even that good) and it turns out it's in English.

Humans can add custom translation for phrases in Google Translate.

Here is the original article: https://thenanfang.com/why-baidu-was-hijacked-to-attack-gith... (the one on iyouport links to this one)

If I understand correctly, there is almost no way to stop this attack because it uses client-side JavaScript code. If Baidu doesn't remove this malicious JS from its HTTP response, github will continue to suffer.

Baidu is not doing anything wrong. The HTTP requests/responses are hijacked.

Baidu could make a switch to only support HTTPS though. That would require a more elaborate attack.

In hindsight, GitHub moving GitHub Pages away from the github.com domain to github.io makes this whole situation less severe. Imagine all the GitHub-Pages-powered sites that would have been down at the moment.


Obviously the link above might not work at the moment.

I think I spoke too soon ... latest update:

"19:23 UTC The on-going DDoS attack now includes GitHub Pages. We are working to mitigate any service disruption."


It would be exceptionally epic if you didn't "speak too soon" but instead "gave them the idea" ;P.

Why wouldn't they make the pages in question serve window.top.location = "somewhere";?

Their solution stops the reloads for each browser and has the benefit of alerting the user that something's wrong, without hammering "somewhere".

But if users just click OK multiple times it still means more requests (since it was happening every 2secs).

They seem to push the DDoS from multiple fronts; for instance this repo has 100k random-number commits: https://github.com/greatfire/z

I don't think that's DDoS. It's probably the authors of the project frequently changing it to evade Chinese censorship.

Because they can't just seize the servers the way the US does.

Would it be possible to use this and the CSS link color hack as a way to see which users had visited those Github URLs?

Could that be the real aim here?

That's why websites should stop including javascript from third party sources. For my analytics, I use liveinternet.ru because it runs the javascript locally on my website but passes the browser information via an image embed. Liveinternet has no ability to execute malicious code and yet I can still use them as a fully functioning analytics.

How much more difficult is using liveinternet.ru, out of curiosity? Google Analytics got popular because all you had to do was paste a single line to the bottom of your site and Google would handle the rest.

It's just as easy, it's a small snippet of code you paste at the bottom of your site. However, the site doesn't have a pretty design like Google but that's why I prefer it - it's simple and works with NoScript.
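The image-beacon approach described in the two comments above, as an added example (this is not liveinternet.ru's code or any poster's; hostnames, field names and the `hit.gif` endpoint are assumptions). The page only runs a first-party snippet that builds an `<img>` URL, and the collector answers with a 1x1 GIF; because nothing fetched from the collector is ever executed, a hijacked collector response can at worst produce a broken image. The companion CSP header makes the same point from the browser's side: a third-party script injected into the page would not run.

```javascript
// Added example (not liveinternet.ru's or any poster's code): image-beacon
// analytics. The page loads a first-party snippet that builds an <img> URL;
// the collector answers with a 1x1 GIF. No third-party script ever executes
// on the page, so a hijacked collector response cannot run code there.
// Hostnames and field names are assumptions for illustration.

const COLLECTOR = "https://stats.example.net/hit.gif";
const MAX_FIELD = 512; // cap each field so the URL stays short and logs stay sane

// Client side: build the beacon URL from whatever the page chooses to report.
// In a browser this would be fed from location.pathname, document.referrer, etc.
function buildBeaconUrl(fields, collector = COLLECTOR) {
  const u = new URL(collector);
  for (const [k, v] of Object.entries(fields)) {
    if (v === undefined || v === null) continue;
    u.searchParams.set(k, String(v).slice(0, MAX_FIELD));
  }
  u.searchParams.set("t", String(Date.now())); // cache-buster so each hit is counted
  return u.toString();
}

// Collector side: turn the query string back into a record.
// Every value is plain data; nothing here is evaluated.
function parseBeacon(urlString) {
  const u = new URL(urlString);
  const rec = {};
  for (const [k, v] of u.searchParams) {
    if (k !== "t") rec[k] = v.slice(0, MAX_FIELD);
  }
  return rec;
}

// 43-byte transparent 1x1 GIF (GIF89a), served for every hit.
const PIXEL = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00, 0x80, 0x00,
  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x21, 0xf9, 0x04, 0x01, 0x00,
  0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
  0x00, 0x02, 0x02, 0x44, 0x01, 0x00, 0x3b,
]);

// The collector's reply: always an image, never a script.
function beaconResponse() {
  return {
    status: 200,
    headers: {
      "Content-Type": "image/gif",
      "Content-Length": String(PIXEL.length),
      "Cache-Control": "no-store, max-age=0",
    },
    body: PIXEL,
  };
}

// Companion policy for the site: scripts only from our own origin, images
// additionally from the collector. A browser enforcing this refuses to run a
// third-party analytics script even if one were injected. (Assumed hosts.)
function cspHeader(collectorOrigin = new URL(COLLECTOR).origin) {
  return `default-src 'self'; script-src 'self'; img-src 'self' ${collectorOrigin}`;
}

// Constructed sample hit (not real traffic).
const SAMPLE_FIELDS = {
  p: "/products/42",            // page path
  r: "https://search.example/", // referrer
  s: "1440x900",                // screen size
};

if (typeof require !== "undefined" && require.main === module) {
  const url = buildBeaconUrl(SAMPLE_FIELDS);
  console.log(url);
  console.log(parseBeacon(url));
  console.log(beaconResponse().headers, cspHeader());
}
```

The trade-off is the one the comment above names: the collector only sees what the snippet puts in the query string, so anything richer (timing, DOM events) has to be gathered by first-party code, which is the point.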

Is the best way to currently prevent this via full SSL?

Additionally, how can a site like Amazon.com run non-ssl protected pages and prevent mitm-ing? (e.g. http://www.amazon.com/dp/B00TYBBNAW/ doesn't redirect to https, but only when ordering, etc.)

Chinese govt is telling the world with this attack that: (1) GFW can interfere with incoming traffic. (2) GFW can f* with people all around the world. (3) You can't block a Chinese cyber attack simply by cutting off Chinese users. (4) The Chinese govt is a d*head.

You can use swear words on the Internet.

You can also not use them.

And apparently you can partially use them.

LOL. I even used them wrong. I put in single line-breaks and three asterisks. Guess it's a markdown editor? ;)

He clearly used them.

That sums it up. Oh, and they're a danger to the internet itself.

So the logical solution is to block all of China and anyone who also doesn't block all of China. And so on...

Well, no.

The Chinese government is telling the world with this attack that, if you choose to interfere with Chinese sovereignty by means of the Internet, or to enable those who would do that, then there’s a cost.

Note the way the attack is targeted. It’s not just an indiscriminate DDoS of Github, although that’s been the effect — instead, they’re aiming specifically at two repos whose content, being designed and built with the aim of circumventing the technical means by which are implemented a significant goal of China's domestic policy, enables no more or less than a direct attack on the sovereignty of the Chinese government.

To use that content is to say: "You may not run your country in the fashion you choose, because it does not suit me that you should do so."

To host that content is to say: "In this matter, we take the side of those attacking the sovereignty of the Chinese government, by making it easy for them to share and improve the tools with which they do so."

What you're seeing, then, is the quite reasonable response of the Chinese government to these statements. Yes, it's annoying for those of us who use Github, and no doubt it's much worse than merely annoying for those who administer Github. That is the point. Github is being encouraged to consider how much it's worth to them to maintain the stance they've implicitly taken in this matter. I'm looking forward to seeing how they respond.

Wow. That was just a jokey comment about how angry I was about the Chinese govt.

As one of the billion people who live inside the Intranet "protected" by the GFW, I guess I can say I'm quite aware about how and why this happened. Let's start from the beginning.

For those who host things the Chinese govt doesn't like, it usually just blocks the website altogether (Twitter, FB, and recently Google). But it had tried to block Github, twice. Each time there is a huge response from the Chinese webizens (mainly programmers) calling to unblock it.

Another way to block certain content from a website is to filter by keyword (like Wikipedia). But GH is encrypted so that's a no. The govt even tried to use some fake SSL certificates to MITM it. So some "smart" guys exploited this feature and created the repo greatfire/wiki and things like this.

Then some evil guys from GFW thought of this way, directing the attack at these user accounts, to warn GH to remove these accounts.

What I don't agree with you is the word "reasonable" (and the "no"). First, it's never "reasonable" to DDoS attack a website. Second, if you can't block the content, you have a choice to block the website and take the bitter from every single webizen against you. Finally, I believe it's the website owner's choice to choose who / what they want to use their website. Since GH is a U.S. company (I guess), it doesn't have to listen to a sh*t from the Chinese govt.

I totally agree with you - the Chinese government has some right to protect their sovereignty, but if github or the American way of life is so offensive, then block the website and tools outright. I live here too, and it's kind of offensive when (speaking generally now) Chinese people want cherry-picked access to Western technology, science, design, creativity etc. but then aggressively reject the culture that produced them.

Content blocking only does so much, as evidenced by the existence of tools specifically designed for its circumvention, and presumably effective at same.

And of course it's up to the website owner whose content they host. They don't have to take down those repositories. But, unless the DDoS stops, they have to choose between taking down those repos and continuing to stand the gaff.

No, you think every piece of Chinese text written on the Internet is under the control of the Chinese government?

Github is a US company that hosts their service in the US; the Chinese government cannot possibly have sovereignty over that. If you believe there is a righteous reason behind it, then you are supporting internet terrorism.

China has sovereignty over Chinese citizens. If you believe there is righteous reason to circumvent Chinese sovereignty with the collusion of some subjects of the Chinese regime, then you are supporting Internet terrorism.

(The problem with rhetoric is that it can point both ways. Study the definitions of "sovereignty" and "terrorism" in international law, then try again.)

China's sovereignty extends only as far as its borders. It has no legitimate say in the goings-on outside. GitHub is located outside of this domain, under the sovereignty of a nation that allows and condones its activity. It's really US sovereignty that's under attack here, if anything.

This is almost an argument. But when a given nation's citizens attack the sovereignty of another nation, and their own government declines to curtail such behavior, this qualifies as an implicit endorsement. That's why people call it "cyber-warfare"; what we observe here is a border skirmish with less than the usual quantity of gunfire. As I said earlier, I look forward to seeing who wins.

But GitHub has in no way attacked China's sovereignty, so long as GitHub's servers are located within the territory of nations that allow their business to operate. If China has a problem with its citizens accessing content hosted on foreign servers, it certainly has the right to block access. If Chinese citizens then become perturbed due to their reliance on that foreign service, that's a Chinese problem, not GitHub's.

If I were to stand on a sidewalk outside of a church with signs saying "Your God is false, Heaven doesn't exist, you're going to die and disappear forever," and a parishioner decided to punch me in the face to stop me, they would be in the wrong, not me.

You think any country has the right to censor news from reaching the people who live in its borders? That that regime has rights that supersede the people? That free speech must succumb to the wishes of government censors?

How totalitarian.

I think the concept of natural rights, such as that to free speech, is a lovely idea, whose only drawback is that it's not in any sense grounded in reality. I think the Chinese government, being sovereign, has the power to legislate its subjects' rights, just as that of the United States has over that of its citizens. And I think that for the citizens of one nation, to act directly against enforcement of another nation's said legislation, qualifies as an attack against that other nation's sovereignty.

None of these thoughts is tremendously controversial in its own right, save where they conflict with cherished beliefs which I do not happen to share.

Just because might has made right for tens of thousands of years does not mean it should continue to do so tomorrow morning.

Reality is that political power extends from the barrel of a gun. But we also dream bigger and imagine better.

In what way is it “reasonable” to force a policy of censorship on a non-consenting population?

Why did GitHub not just put a Bitcoin miner or a BOINC client instead of the alert? The Chinese are not going to care about the warning anyway; it would be more educational to peg their CPU to 100% usage and make some spare change while you're at it.

This DDoS is mainly punishing people who are using VPN to skirt The Great Firewall (and people who use GitHub). What is the point of 'punishing' people who aren't doing this on purpose?

That's a fairly neat attack, to be fair to them. I don't see why Github, upon receiving these requests, wouldn't just do the same back to China and absolutely hammer some of their resources in return?

Github generates nowhere near the amount of traffic that Baidu does.

While Github is receiving a fair percentage of Baidu's traffic, though...

>While Github is receiving a fair percentage of Baidu's traffic, though...

Yeah that's my thinking on it. They're being handed traffic, or more correctly having it thrown at them maliciously, which they could in turn redirect back at some point in the Chinese infrastructure.

Who do they reflect the attack to though? Baidu? They might not even know this is happening (well they probably do now, but not sure what they can do). The GFW infrastructure itself certainly isn't publicly addressable.

Probably because the Chinese government has more ability to absorb these requests.

They could just mirror all the git repos minus what they find objectionable. github isn't immune to pressure. They would probably like to sell a lot of github enterprise and whatnot in China.

It's not lab grade testing, but there is the old standby https://dancesafe.org/

I'm bored of Chinese hackers attacking Western companies... Let's mix it up a bit and hear about some Western hackers attacking Chinese organizations.

Well, there is plenty to read about Western governments hacking Chinese organizations. Google "Edward Snowden China" for starters :)

Could be we are on the wrong side of the firewall for that, although I agree.

>"Requests to Baidu's content data network are being intercepted and sending back some javascript code instead of the original requested file. The javascript code instructs visitors' browsers to request the Github pages of anti-censorship group Greatfire and the Chinese language edition of the New York Times."

I must be misunderstanding - is there a salient piece of info missing?

It makes no sense for the Chinese government to attempt to foil censor bypassing by sending all users of Baidu a link to a project on GitHub that enables censor bypassing.

As the outcome is to inform all affected Baidu users of bypass tools and a non-government controlled newspaper, this looks more likely to be a rogue element to me.

It doesn't even look like what I'd call DDoS - sending genuine users to your site who might be interested in your product, isn't that an unpaid affiliate scheme?!?

The attack is fairly simple:

The Great Firewall intercepts requests to Baidu's CDN from outside China, specifically HTTP requests for Baidu's analytics scripts.

Users from outside China who visit web properties that use Baidu's analytics get malicious JS that injects <script> tags every two seconds to spam github.com with requests.

Nobody would notice that attack, except GitHub cottoned onto this and replaced the github pages with JS that spawns a little alert() popup.

So it was the firewall itself acting as a MITM?

That puts the blame strictly on the Chinese government. And specifically the military that controls the firewall.

Sounds to me like an act of aggression by a state army against a non-combatant on foreign soil. What if a helicopter with a red star on it flew into California in the middle of the night and set fire to Github's offices? What's the difference?

This was worded misleadingly. This is indeed a DDoS: code has been injected to load the Github pages in the background using XHR without the user's knowledge. The host page itself is not redirected (or visibly affected in any way[1]).

Furthermore, only people outside of China are affected by this -- Chinese citizens don't have this code injected.

[1]: Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed. Hence GitHub has tried to mitigate the attack by replying 'alert("WARNING: malicious javascript detected on this domain")' to notify the user that this is happening.

> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed

That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy.

Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.
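The attack summary a few comments up (intercepted analytics script, `<script>`-style fetches of github.com every two seconds) and the point just made about why the injected code had to evaluate the response as script together suggest what the receiving side can look for. The following is an added example, not GitHub's code and not anything a poster in this thread wrote; the exact heuristics GitHub used are not stated here, so the three signals it combines (a watched path, jQuery's `_=<timestamp>` cache-buster mentioned at the top of the thread, and a Referer from another origin) are an assumption, as are the constructed log lines. For a flagged request it returns the same one-line JS body the thread quotes GitHub as serving, since the caller evaluates whatever comes back, and null otherwise so the page is served normally.

```javascript
// Added example (not GitHub's code): flag cross-origin script-style fetches of
// a watched path, the pattern seen when a hijacked analytics script pulls those
// pages via jQuery $.ajax({dataType: "script"}). Heuristics and logs are assumed.

// Paths the hijacked script was observed requesting (from the thread).
const WATCHED_PATHS = new Set(["/greatfire/", "/cn-nytimes/"]);
const OWN_HOST = "github.com";

// Minimal combined-log parser:
// '<ip> - - [<ts>] "<method> <target> HTTP/1.1" <status> <bytes> "<referer>" "<ua>"'
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const target = new URL(m[4], "https://" + OWN_HOST);
  return {
    ip: m[1], method: m[3], path: target.pathname,
    query: target.searchParams, status: Number(m[5]),
    referer: m[6], ua: m[7],
  };
}

function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).hostname; } catch { return null; }
}

// Heuristic: watched path + jQuery "_=<13-digit ms timestamp>" cache-buster +
// Referer from another origin. Each alone is benign; together they match the
// hijacked-script pattern described in the thread. (Assumed heuristic.)
function isInjectedFetch(req) {
  if (!req || req.method !== "GET" || !WATCHED_PATHS.has(req.path)) return false;
  const buster = req.query.get("_");
  if (!buster || !/^\d{13}$/.test(buster)) return false;
  const host = refererHost(req.referer);
  return host !== null && host !== OWN_HOST && !host.endsWith("." + OWN_HOST);
}

// Reply for a flagged request: a tiny JS body, because the caller evaluates
// the response as script. null means "serve the page normally".
function mitigationResponse(req) {
  if (!isInjectedFetch(req)) return null;
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript", "Cache-Control": "no-store" },
    body: 'alert("WARNING: malicious javascript detected on this domain")',
  };
}

// Summarise flagged traffic by referring host so the spread of the attack
// (many unrelated sites embedding the same hijacked script) is visible.
function summarize(lines) {
  const byReferer = new Map();
  let flagged = 0, total = 0;
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    total++;
    if (!isInjectedFetch(req)) continue;
    flagged++;
    const h = refererHost(req.referer);
    byReferer.set(h, (byReferer.get(h) || 0) + 1);
  }
  return { total, flagged, byReferer };
}

// Constructed sample lines (not real logs). Query values are jQuery-style ms epochs.
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Mar/2015:19:20:01 +0000] "GET /greatfire/?_=1427484001123 HTTP/1.1" 200 512 "http://shop.example.net/item/42" "Mozilla/5.0"',
  '203.0.113.8 - - [27/Mar/2015:19:20:03 +0000] "GET /cn-nytimes/?_=1427484003456 HTTP/1.1" 200 512 "http://news.example.org/" "Mozilla/5.0"',
  '198.51.100.2 - - [27/Mar/2015:19:20:04 +0000] "GET /greatfire/ HTTP/1.1" 200 8192 "https://github.com/explore" "Mozilla/5.0"',
  '198.51.100.3 - - [27/Mar/2015:19:20:05 +0000] "GET /greatfire/z HTTP/1.1" 200 8192 "-" "git/2.3.0"',
  '203.0.113.9 - - [27/Mar/2015:19:20:05 +0000] "GET /greatfire/?_=1427484005789 HTTP/1.1" 200 512 "http://shop.example.net/item/7" "Mozilla/5.0"',
];

if (typeof require !== "undefined" && require.main === module) {
  const s = summarize(SAMPLE_LOG);
  console.log(`${s.flagged} of ${s.total} requests match the injected-fetch pattern`);
  for (const [host, n] of s.byReferer) console.log(`  ${host}: ${n}`);
}
```

Note the two sample lines that are deliberately not flagged: a normal browser visit with a github.com Referer, and a git clone with no Referer at all. Serving the alert body to those would break real users, which is why the check insists on all three signals rather than the watched path alone.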

Ah, that clears things up. Thanks for the info.

Thanks for the clarifier.

So the text I quoted should say something like [with appropriate expansion and fact checking]:

"Requests from other countries to Baidu's CDN in China are intercepted by the government firewall - the returned web pages load content from GitHub or NYT that is hidden from the user. Each affected Baidu user outside China's browser sends content requests to those content suppliers whenever they follow a link in Baidu's search results. With Baidu's immense popularity this is causing a DDoS of the content suppliers' servers, preventing genuine users' browser requests from being handled."

What's the actual injected code? Presumably one can get it by requesting a link on a Baidu SERP?
