Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Why isn't the GitHub attack being covered by the news?
158 points by blamarvt on Mar 29, 2015 | hide | past | web | favorite | 95 comments
Why is this not in the mainstream news? Even if it's not the Chinese government directly it's a group with significant power inside China -- so why isn't this being considered a foreign attack on a US company?

Here's how to make this news interesting to the mainstream:

"Chinese hackers cost US economy $100,000 / h"

Well, replace random accusations and numbers by facts of course, but that's a valid question: How many employees can currently not to any meaningful work because they don't have access to what they're supposed to work on? This times salaries spent on them anyway is a good lower bound for the damage done to the economy (actual damage should be higher since employees should of course add more value to the economy than their salary).

Come Monday, here's what you'll get: "GitHub attack shows the dangers of relying on cloud." Or "Government software to protect children from Phil Robertson held hostage to attacks on a popular cloud service. This demonstrates the dangers of cloud. How can we be protected from the cyber criminals and pedophiles in their clouds? Here is are usual panel of people who didn't quite rate their own panel show. None of them know anything about computers, really and at least one uses their iPhone to prop up the short leg of their kitchen table. Panel, what do you think?"

"It's Obama's fault."

"It's the republicans."

"I make pee pee."

> Well, replace random accusations and numbers by facts of course

What mainstream news do you read?

New York Times, Washington Post, The Guardian, San Francisco Chronicle, and many others.

I'm sick of this mentality that old-media news is all evil. Fox News and MSNBC are not the industry.

Disclaimer: I do not work in journalism.

They're not evil, well some of them are, but more like lazy when it comes to fact gathering/checking.

I can almost guarantee that most of those outlets have more stringent policies regarding fact-checking and quotation than the "average" internet source.

"Lazy" might not be the right word...all of the tech journalists I have personally interacted with seemed to be pretty good at their craft overall and actually cared about what they wrote. However, this doesn't change the fact that almost all media companies and their journalists are woefully inept at fact-checking or writing stories concerning information security, including DDoS attacks.

That's one specific (and extremely counter-intuitive and complicated) area where reporters probably have weak domain knowledge. It's somewhat unfair to extend that criticism to every other part of human existence that journalists report on.

What are your thoughts on Al Jazeera America? I've been liking them as my replacement lately, but there seems to be some hate floating around for their main(?) brand Al Jazeera

I don't follow Al Jazeera America personally (I think they are mostly focused on TV?) but I know there are a lot of parallels to RT.

It's not blind "hate" for Al Jeezera as much as concerns that the parent organization is owned by the rulers of Qatar.

I've heard that their reporting is fairly good, so long as you don't look to them as a source of truth about matters regarding Qatar.

Due to git's distributed nature, there should be very few people who are not able to work on their code.

Also, it's Sunday, so very few employees are expected to be working today.

> Due to git's distributed nature, there should be very few people who are not able to work on their code.

Oh the irony! Actually I bet many developers are sitting on their hands when they can't access github.

I don't want to dump on github. It has been a great driver of open-source software. But by making itself a single-point-of-... so much, it kind of defeats the purpose of git sometimes.

Ideally we'd be able to download not just the repo but all the meta-info; issues, comments, pull requests, etc.

That would be true if enterprises had their own local git repositories, and if employees pushed against those local git repositories. But this is not what happens, when enterprises use github, employees directly push to github.

Continuous integration tools directly pull from github.

When github is down, all exchange of patches between employes essentially halts, as does continuous integration and testing.

Of course, this is not the fault of git.

This is the fault of people keeping using centralized servers, instead of setting up and using their own local servers.

The same goes for email (gmail anybody? Really???)

The Internet is meant to be a decentralized, peer-to-peer, meshed network. Not a centralized, star network!!!

You can just pull from someone's local copy, a git checkout is just like a remote (bare) repository that happens to have a tree.

If you're an enterprise you're using github's on-premise appliance and aren't affected at all.

In a pinch, you can always pull from a coworker's local repository.

I do all my work via Github and honestly haven't noticed a single burp in the service. Is anyone other than Github employees who have to deal with this even affected?

I had issues pushing with an application key that was not being recognized.

Now I don't know if this was directly related, but the timing raises an eyebrow.

Github pages is pretty sluggish right now. Github's actual Web interface is much slower than, say, pushing and pulling.

I've had troubles with the web interface and with pushing/pulling on and off since Friday

I pushed around 5-6 times and it failed only once.

I could not work for a few hours yesterday. push/pull/rebase was not working for me.


I agree that monetary loss is a big motivator, however I am still curious (US citizen) as to the political implications of doing nothing as a nation when companies are quite obviously being attack by foreign governments. Normally these kind of attacks are much less obviously perpetrated by nation-states.

quite obviously being attack by foreign governments

Nothing is "obvious".

For all we know this could be a bored teenager sitting in his basement in New York, Paris, Tokyo or Moscow.

It could also be a false flag operation by the NSA, to massage the western adolescent nerd's mindset into quietly accepting their next round of mass surveillance ("Must protect from the evil chinese!").

The Chinese openly attacking GitHub is the least plausible scenario, unless you think they are stupid.


Sorry but how would a bored teenager somewhere have control over injecting attacks in traffic passing through the "Great Firewall of China". This really doesn't seem like a typical attack to me but you are right in that I should not be claiming this an obvious attack by a nation-state without the facts.

how would a bored teenager somewhere have control over injecting attacks in traffic passing through the "Great Firewall of China

The same way a 15yr old once took out Yahoo, CNN, eBay, Dell and Amazon: Dedication.

Perhaps it's even a Chinese activist, looking to draw attention to the firewall or to spark a little diplomatic quarrel with the US?

At least they are keeping the attack going...

At least as guilty, imho.

How do you know what "they" do or not do?

And who is "they"? Baidu? The Chinese Government? The great firewall administrator himself?

I've had a fair number of press people contact me about this. I think the issue is: github isn't a consumer service, and the attack is novel enough, that explaining it requires explaining several things at the same time. Adding In the gfw/China aspect makes it even more confusing.

This is the kind of story where a tech individual should probably do a compressive blog post which gets syndicated, rather than relying on journalists. I can understand why no one at Baidu, GitHub, or Fastly is doing this, though.

The mainstream press also has an interest in operating on the ground in China. Promoting the attack on Github as newsworthy has some potential for making that work on the ground more difficult or impossible. It's as simple as a business decision that reflects the greater profit tweets about presidential contenders as the subject of journalism.

How many of us run websites that we can publidh this story ourselves on? http://www.blog.joelx.com/ddos-attack-on-github-could-be-act...

DDoS attacks and similar things are of very little significance to people who don't understand what they are. In their minds, all the damage is on virtual space and nothing is real. And they're somehow sure that all the damage done will be fixed soon.

Additionally a lot of non-tech people don't understand the cost implications of a DDoS.

If companies really want the media to get on board then create a figure for how many $/hour you're losing. Heck make a widget which counts upwards (e.g. we've lost $25,000 due to this DDoS since the start).

The downside is it might just encourage the DDoS-ers, the upside is the media might take it seriously.

I'm not sure anyone understands the cost implications of a DDoS, particularly one on a third-party service. Even if you absolutely need to make a change to something that has to be done by more than one collaborator and has to be deployed via github and it has to be patched right now and there's really no other way, how do you go about estimating the losses anyway? You can't just assume that whatever average income you would have collected over the last 72 hours has been lost forever.

Is anyone out there even attempting to estimate how much revenue they've lost as a result of this DDoS?

I'm sure a lot of companies have backup plans in place, for instance, Bitbucket repo clones or an internal copy

DDoS attacks are very common. Every large web based company will deal with an attack on this vector sooner or later and more than once. I think itwould be an issue if we started considering every single instance as a foreign attack.

It seems to me like you trying to make a parallel to the Sony hacking. These two instances are very different. The Sony hackers used a much more diverse toolset to inflict damage on a number of different vectors.

All I'm trying to say is that this DDoS is pretty obviously being perpetrated by the PRC. Regardless of the attack vector, isn't this an important global political issue? Most attacks are carried out by fringe groups, and while I'm sure governments carry out attacks like this all the time... normally they aren't so obvious.

I think it would be relatively easy to obfuscate the origin of a DDoS attack. Consider how easy it is to even spoof IP and MAC addresses. Now consider that a typical attack of this scale is most likely utilizing a botnet. It's pretty clear that much of the 'evidence' used in placing blame for attacks is just unreliable.

Perhaps because non-programmers (aka civilians) don't know what GitHub is, and it's difficult to explain.

Perhaps it's interesting to reframe in a language that affect most people:

"Linux development halted by ciberattack!!!"

That's not completely true and too linkbaity, especially with the three bang sings. Is there another huge mainstream project hosted there?

Another linkbait:

"Hackers break hackers site!!!"

Not so appealing to most people, but you can exploit curiosity. Also, you'll get a lot of complains about the incorrect use of the word "hackers" in both positions.

How about: "China Attacks US Rails System!!!"

Github still runs on Ruby on Rails, right?

Linux has a mirror on GitHub but they don’t use it for development.

"Who the Chinese hackers targeted this time might surprise you!"

"Massive blow to computer hobbyists as the Chinese government brings down their community website!"

While it may be difficult to explain to civilians what Github is, the issues of any government overreach into the Internet domain are easy to understand. For instance, a state does not like particular content on the Internet. It wants to force a company to get rid of it by attempting to hamper the company's service. Google's clash in China over censorship has been wildly covered by the media.

Billion dollar US company under attack by Chinese!

You could namedrop Facebook, Google and Microsoft without too much exaggeration.

"Critical US Cyber-infrastructure under attack"

Just have Buzzfeed cover it:

Top 10 ways to DDOS a code repository. Number 7 will surprise you.

Millions of people are now accessing github. Who they are will surprise you!

You've been DDOS wrong your whole life. Find out how to do it correctly.

Millions of people now unknowingly going to github. Find out who, and why you might be too.

Also don't forget WhiteHouse has a github account...."WhiteHouse code repository under attack by China"

As a follow up, WSJ is covering it. http://www.wsj.com/articles/u-s-coding-website-github-hit-wi...

They beat BuzzFeed to it!

One plausible reason: the story is a "slow burn" story that hasn't had time to gain traction. Mainstream news acts more like an aggregator of information that percolates out of various niche segments' echo chambers: give it time.

Another thing to consider: what is particularly newsworthy about it to the general public? Software technology focused people would find this very news worthy. I have little sympathy for a business of any size that uses github as its primary repository: the most-current source should be maintained on an internal server, in my opinion, and companies that require github to be fully available to operate are doing it wrong. I mean one of the primary advantages of a distributed repo is that there is a complete history for every node that has synced with the most recent commit. There shouldn't be a strong dependence on a central repo.

> There shouldn't be a strong dependence on a central repo.

Most groups are not setup like the Linux kernel where there is a "gatekeeper" who is a person that directly pulls from other people's repos (or from commits sent to an email list).

A central repository becomes "the truth" and once something is "the truth" it becomes the person that wants to push their code to this repo to do the merging. There is nothing about this that is inherent to Github in particular, but telling everyone to change their "origin" remote to point somewhere else can be an issue depending on how large your group is. And what if someone manages to get a push to (e.g.) master through the Github DDoS before everyone is on the new remote repo? Now Github and BackupRemote have branched, when you really want BackupRemote to be a superset of the copy on Github.

Because no one cares about GitHub. If it was Facebook...

I wonder if you created a page on FB for GreatFire and promoted it what would FB do? I imagine they are too big to be successfully DDOS'd but I would think they could kiss China goodbye forever. So I imagine they would simply ban it.

After a quick google search, it looks like last year they were brought down temporarily from what might have been a ddos.


I've heard that the outage was a screw-up by a junior programmer that was accidentally given too much access to the system by his/her supervisor. Apparently a bad configuration was applied to their servers. This seems to match up with the official Facebook announcement linked in that article.

how hard would it be for someone to do this attack to facebook? I'm guessing Facebook has already faced this kind of attack and designed its systems to be resilient to it.

The tech press should be covering it.

As should the net-based political press.

Never mind what "most people" care about -- this is news.

The "tech" press is pretty much buzzfeed-ish these days.

Some of the tech press is covering it.

Gizmodo, slashdot, the register.

WashPo also had a blog, as did a few other non-tech sites.

The reason they don't show as Github specifically is because it is reported as "Anti-censorship group is under DDOS"

To a first approximation, nobody cares. Inside particular segments of the tech community, lots of people care. But the tech community is very small on an absolute scale and its segments even smaller.

The other group of people who care are those engaged in ongoing cyber warfare. To them Github is probably not worth defending at the risk of escalating to a wider cyber and economic conflict.

Even should US government cyber warefare assets attribute the attack directly to an entity with a direct relationship to 中华人民共和国 diplomatic corps, why would the US deploy assets to protect a company that is knowingly violating 中华人民共和国 policy? Github is neither required nor prohibited from hosting projects that violate 中华人民共和国 foreign or domestic policy. It has made a business decision for business reasons.

Don't get me wrong, I am not defending 中华人民共和国 policies in regard to the dissemination of information and propaganda [or the US policies regarding the same]. Nor am I criticizing or praising Github's business decisions. I am just explaining what I believe is the case, not what I think should or should not be the case.

The U.S. is obligated to protect and defend individuals and corporations that don't violate U.S. policy. Not some foreign policy.

If the U.S. government is not going to protect us from this shit, then what is the purpose of our military?

What is the attack? Who is effected? How much is the impact? When did it start? Why is it being done? Answer those questions, create a blog post, and send a link to that post to your local news, the national news and any outlet focused on nationalism since it is China - think right wing political sites. Make the job easy and this will get more coverage.

So if I want a news outlet to pay more attention to a particular issue, the solution is to do the reporting myself and serve it up to them on a silver platter? Maybe that's true, but it hardly seems practical in general, nor does it answer the OP's question...

Essentially yes. If it's about your own business it's called PR: http://www.paulgraham.com/submarine.html

>So if I want a news outlet to pay more attention to a particular issue the solution is to do the reporting myself

Yes. Why not? People complain about it not being in the "mainstream" news, but then say, "well, that's someone else's problem to deal with".

The very basics I learned in ... grade school, in flyover county in the early '70s. As Wikipedia renders it, https://en.wikipedia.org/wiki/Five_Ws

Although I'll note that it's just now getting to be a big enough story for this, i.e. how long it's gone on and how clear it's become that it is a state action.

What percentage of the medias audience cares about GitHub?

Mainstream media only ever report a few categories of story regarding the tech industry.

- Hackers stealing information

- Billion dollar acquisitions

- Harassment scandals

- Apple announces anything

Google search for the article - click the first link to get past the paywall.


Well maybe no one at Github is allowed to contact local news sources, and if they can't get a quote or information from a reliable source at the company they won't run the story I guess?

There's a Lack of relevance outside our filterbubble.

Wouldn't such news coverage only worsen the problem? After all, the attackers would receive a kind of confirmation of their goals.

In this case the attack is motivated by desire to suppress knowledge of a project hosted on Github, publicity is what they fear most...

Now to get back to the OPs question:

1. Mainstream media might have too much to lose if they criticize China, just like in many countries where property bubbles burst the mainstream media suppressed any mention of bubble forming since they were making out like bandits from advertising property, could be something similar happening here.

2. The story is a non-story outside nerd circles, now if Facebook or Twitter was being DDOSed your sure would hear about it since journalists do care about these sites.

Only if github actually stopped hosting the attacked repositories. Otherwise it would be more of a Streisand effect, raising awareness of the workings of the great firewall and that there are effective tools that circumvent the filtering. The wider the attack is covered in the news the harder it is for censors to stop the flow of that particular information.

The same can be said for a wide range of criminal activities covered by the news.

this article on paid russian trolls makes me wonder if the chinese are employing the same tactic on this forum


Because it's totally irrelevant to someone who is not directly related, not to just programming but Github.

I'd like to ask back some questions:

1) What makes you think it's a worthy topic?

2) What makes you think China or any powerful group - not sure in what terms this group is supposed to be powerful - has anything to do with it?

"Why is this not in the mainstream news? "

Ironically, you realize of course that if something is mainstream news (or any news at all) then that's a trophy that creates a greater likelihood of future copycat events happening. Notoriety is certainly part of the buzz of doing something like this.

It's a developer oriented site. Why would a non-developer care that it's down? The main outlets want the attention of the majority - so we don't get alerts when HN, Github, etc go down or get attacked but we do when Facebook drops for 15 minutes

If there was an attack on the distribution network of American manufacturer would it matter what they produce? The precedent set by doing nothing politically here is pretty scary to me!

(Of course, political conversations could be going on but not publicized.)

That's a very different scenario than what's actually happening, and it's very interesting that you jump to "American company, defend it!" instead of pointing out that it's a valuable tool worldwide.

I'm sure it will be. Give them a minute. After all, I bet there are plenty of media folks reading this thread. And plenty of media orgs use GitHub themselves.

Because, simply, the ability for the Technorati to push and pull code from a website does not an act-of-war make, no matter how you and I may view it.

It seems almost certain, however, that in the coming week, this story will be told in the "mainstream news" (I don't really know what that is anymore tho, TBH)

I am sure, when things shake out, the attacks will be used in some political-posturing kind of way and by some politician who will judiciously use it to drum up support among an interested group.

Do we have any indication how big the attack is? If the attack volume isn't very big, this isn't news.

Who gives a crap about some dumb website for nerds. /s

How about this title: China suck the Internet since March 27th !!!

WSJ picked it up

What github attack?

>Why is this not in the mainstream news?

HackerNews, Reddit, Twitter, and Facebook aren't mainstream? I beg to differ.

If this event was reported on any other media, I'd have no idea that it was occurring.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact