This is the most important question here. I think it's fair to assume this must've been a deliberate choice by the Chinese authorities to conduct such a visible attack. The alternative, that they didn't realize what they were getting into, that they thought Github would cave quickly, seems much too simplistic and naive. And whatever else you can say about the Chinese government, you can't accuse them of being naive.
If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities. The message being sent seems to be, "don't mess with us, we can do everything you can do and possibly more."
Probably deliberate with a lot of incompetence mixed in.
Most politicians have zero understanding of the Internet. They decided to do this as a demonstration of force and may not have consulted the people who built the Great Cannon. Or, the people who built it don't have the clout to say not to use it except for important reasons.
They also probably didn't realize that Github could eat the attack.
The problem with having done this is that, I suspect, a lot of ISPs now have null routes of China on standby along with bandwidth monitors that will choke traffic spikes from China almost immediately.
So, it didn't actually succeed. And people have now analyzed the attack and deployed countermeasures.
Not a great result for China.
What the paper calls targeted exploitation is the real weapon here. The main thing I took away from this paper is that the Chinese government now has the infrastructure to pwn anyone who visits websites hosted in China. This is pretty scary and simultaneously an amazing engineering feat.
- Disable Java; disable or whitelist Flash; use a different PDF reader than Adobe.
- Don't use XP! It no longer receives security updates...
- For the same reason, on mobile, prefer devices that have up to date operating systems.
Not perfect, but that's the state of computer security these days.
Are there any Chinese CAs in any browsers' default installs? If so, they should probably be removed immediately.
If any website you visit legitimately uses a Chinese SSL certificate, you can whitelist it specifically. I actually do this for SSL certificates signed by my own country's CA (not China), and it works wonderfully.
But more scarily, the deployment showed that the method used worked (to some degree) and others will learn to implement similar tech. Thus the long term side effect is that more MITM tools will be developed and deployed.
This is the premise of cyberweapons: fairly ineffective, especially in the long term against the intended target. But the long-term side effects are big, since once deployed you hand over the knowledge about the weapon tech to others. Just like Stuxnet.
I'm not completely disagreeing with you that Chinese politicians may not understand the internet, but I don't think you can apply the same view of politicians you have in the U.S. to China.
Even DDoS itself is not really a serious cyber warfare measure -- you can't really take down any major government agency (except their public-facing website) or core infrastructure with it. What's the biggest damage caused by DDoS in all of Internet's history?
Here is how I believe it goes down:
1. The new chairman issued a mandate that he wants to crack down on accessing illegal content on the Internet.
2. Different department heads make this top of their priority.
3. Somewhere down the management chain, a manager found those tools that help people access illegal content on the Internet.
4. The said manager himself, or one of his analysts, figures that if they bully GitHub with some DDoS, they'd cave and take down those tools. Points for promotion!
I doubt if even the US government takes this seriously.
Dr. Strangelove: "Of course, the whole point of a Doomsday Machine is lost, if you *keep* it a *secret*!"
We knew this was coming for 20 years! But instead of taking the high road and defending the internet from militarization, the governments of the world raced to become the first to make computer weapons and hasten the downward spiral to destruction. Sixty years ago we said "no weapons in space" and it was the right thing to do. It allowed the commercial use of satellites to grow without threat of being caught in the petty conflict of nations. The internet was supposed to be the next extra-national frontier, and for a time it was. But now that there are weapons being fired, why would I want to invest money in an internet business that may become the victim of a DDOS? My insurance doesn't cover acts of war; if I lose money because of it there's nothing I can do.
We've got treaties limiting the use of nuclear arms so innocent civilians aren't at risk of being irradiated. We've got treaties limiting chemical weapons so innocent civilians don't get their lungs burnt away. We've got treaties limiting land mines so innocent civilians don't get blown up when taking a hike through the woods. (Oh, and thanks for not ratifying that, Obama.) We need a treaty limiting computer weapons so innocent civilians don't have their computers hijacked and personal data put at risk.
Estimating the offensive capabilities in cyberspace of any government is incredibly difficult, as is attributing attacks. Governments can attack you on the internet without you realizing you have been attacked or without you being able to distinguish between a government attack and that of a small criminal cell (the GFW attack is noteworthy because it is very easy to attribute, and even then we can't know for sure it wasn't a third party trying to falsely implicate the Chinese govt... not that I think it was, the point is that even in this case we can't be sure). In fact, many of the capabilities that governments have in cyberspace are quickly matched by non-state actors, making the attacks even harder to tell apart.
And that is only about enforcing norms on the use of cyberweapons. Verifying that states are not hoarding vulnerabilities or attack technologies is basically impossible.
The only real alternative is to build safer systems, mandate higher security standards and basically assume that companies and individuals are going to be the target of government attacks (their own and others) on the internet. The role of a good government, should one exist, would be to provide support to their citizens to increase their security (via research, mandating stronger standards, monitoring the supply chain for sabotage, economic insurance, etc).
American politicians have little stomach for confronting China. If a treaty were put into place, they'd be in the position of having to confront someone they really don't want to.
A treaty might be useful in some ways, but the best defense is ... well, a good defense (i.e. educating the masses, improving browser security, etc).
A quick search showed China followed the US's lead in not respecting the no-space-weapons treaty.
From http://en.wikipedia.org/wiki/2007_Chinese_anti-satellite_mis... ...
In January 2001, a (US) congressionally mandated space commission headed by Donald Rumsfeld recommended that "the U.S. government should vigorously pursue the capabilities called for in the National Space Policy to ensure that the president will have the option to deploy weapons in space to deter threats to, and, if necessary, defend against attacks on U.S. interests."
Moreover, the U.S. withdrawal from the Anti-Ballistic Missile Treaty in 2002 has allowed the United States to pursue missile defenses, including space-based.
In response to US weaponisation of space, the Chinese started a space defense program, including anti-satellite defense.
More detail on China's Internet Sovereignty theory:
I think it is a fair explanation but I wouldn't assume it outright. The incompetence and ignorance of decision makers should never be underestimated when it comes to complex technology.
I would suggest we should never underestimate the deliberate and meaningful consideration taken by decision makers when it comes to complex technology. Regardless of if you agree with the outcome or not.
Well, they couldn't take down Github.
This is speculation, but I prefer the explanation to cyberposturing, since this isn't something China needs to do, and as far as I can tell wouldn't benefit very much from.
The theory is in line with greatfire, as this organization is a "Civil Society Organization" funded ultimately by the US government to spread messages it wants within China. Github is more confusing.
DDoSing foreign websites that are actively attempting to undermine the CPC's censorship and repression campaign is completely in line with the priorities of the CPC's high officials, as well as their general level of subtlety.
With regard to CSOs and weaponized NGOs - I personally have a sour taste for them (I recognize that they are 'legal', however 'loophole-like').
This is because I am not willing to affirm foreign covert influence on United States/Western and my own opinion. So I usually hardly know whether to cheer or mope in cases where CSOs are challenged.
[Not that they hoped to actually keep github down in the long run, but rather were probably trying to send a message that "hosting info the Chinese government doesn't like will make your life annoying so better not do it"...]
(Can you provide the links?)
I think this is silly.
The bar is still set at Stuxnet, in terms of computerized attacks on infrastructure. This is nowhere near Stuxnet in terms of capability, destructive effect or ingenuity.
Every time they do such they risk having one of their most important commercial sites (Baidu, QQ, TaoBao) null-routed by the rest of the world. That's not exactly a long-term strategy.
2. It damages their relationship with Baidu and indirectly with other Chinese tech companies, in much the same way that NSA overreach affects US ones. There will be some internal political effects, depending on what stakeholders have political clout.
3. When external Chinese-speakers use Baidu, the government has some influence on what they do (or don't) see. If they are forced to other alternatives, the government loses a certain degree of information-control.
- Add it to a botnet
- Steal your personal data
- Infiltrate your corporate network
- Wipe your system (punishment for those accessing or producing GFW circumvention software)
Are you confident your browser never makes HTTP requests to Chinese servers? Are there tools we can install to prevent it?
[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here at different places.]
It would be foolish to imagine that this is still theoretical. Tools this powerful are tempting to use. Unfortunately, the first publicly known use of a tool or method is often assumed to be the use in general.
Not only are you correct in that the GFW will be used for much smaller attacks that will probably go unnoticed, it almost certainly already has.
This would allow them to perform MITM attacks against anyone who visits Chinese websites, even with HTTPS.
But if China chose to, they could simply require all Chinese websites to use government-issue certificates, forcing the world to choose between allowing Chinese MITM monitoring and losing access to China.
The more likely outcome of that gambit would just be that the CA would be restricted to .cn domains, possibly with some sort of install-on-demand warning.
A reasonable compromise, but one which wouldn't prevent MITM snooping or alteration of communications with Chinese websites, like this attack.
And to allow snooping of outgoing communications, the Chinese could also require that all browsers used in China trust the Chinese government CA without that restriction.
That said, it would only matter if Baidu was doing something like serving the script only over HTTPS using HSTS which I imagine would incur a non-trivial backlash for them.
I'd also be surprised if they couldn't relatively easily move on to another similarly insecure script requested by many people outside of China.
Almost every app on my mac is trying to access some resource on the web, most of them over port 80 or a mix-and-match of both 80 and 443. And then the OS itself has a variety of services that do the same. My computer is like a beacon of light that shines its position and personal information to everybody.
The lack of sophistication, ineffectiveness, and bluntness of the attack speaks toward a fundamental capability gap between China and the other "cyberpowers".
It's true that China is much more crass and less developed in their cyber capability. It isn't that much less effective however.
China, on the other hand, deliberately attacks anyone who criticises their government. In the US you are perfectly free to say the government are a bunch of fuckwits who should be kicked out of office, if that is your opinion.
I'm not necessarily saying that what the US does is legal or morally acceptable, just that it is more morally acceptable than what China does. It's like the difference between a private investigator illegally breaking into someone's house to gather information, and a gangster going in and shooting everyone.
> HTTPS everything
… and with HSTS, too
If this was officially sanctioned heads will likely roll.
And if this paper's allegations are accurate, China's government did this while only targeting less than 2% of the people who pulled down only a very small subset of scripts that will only exist on a small subset of pages. Imagine what would have happened if the Great Cannon were to inject this script into the <head> of every page?
Consequently, it is primarily Chinese-speaking users worldwide and web services that provide Chinese language services (and would be likely to use Baidu's or another Chinese service's scripts) that end up looking like the attackers. In this case, it appears most of the requests came from Taiwan, Hong Kong, and the US.
China could of course filter this further. With only 1.75% of requests being turned into DDOS attacks, they could throttle this up to ~100% and filter the IPs they target to, say, only US IP addresses. Now the attackers appear to be regular US citizens.
What will you do then? Black-hole the US? Beg consumer ISPs to black-hole China?
However, the requests it made could have easily been turned back against Chinese business if Github so wanted. It couldn't be done because there was no reasonable party to turn the traffic back against. If non-Chinese companies simply said "If China uses these tools we will redirect the traffic at a number of large Chinese businesses" then a lot of the power in the tool is immediately withdrawn.
At least that's my interpretation of it.
[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here.]
Or deprecate HTTP and enforce HTTPS only?
These days there's an active spec underway for "Subresource Integrity" at w3: http://www.w3.org/TR/SRI/, which is pretty much exactly that, so hopefully it'll happen eventually.
Note: Journalists will always go for the sensational; that's no reason not to do it.
'cause I immediately see headlines like:
"Github hacks China over censorship!"
If there's a repo hosted there that someone in China wanted to modify, perhaps they would use DOS as cover for a surreptitious maneuver which might otherwise get noticed.
This is likely just showing my ignorance of Git, but could an attacker having sufficient compute resources to arrange a Git hash collision and having back-end access to Github, modify sources without it being noticed by the repo owner?
And Git should migrate to something better than SHA1.
Anyone remember what happened when North Korea attacked Sony? Where are the sanctions this time?
Seems like a weird choice for a target. Github is neutral, and Github is unambiguously good. Aren't there better targets, attacking which would have at least a semi-plausible excuse?
I mean attacking github is like screaming "I'm evil".
Besides, if you want to "demonstrate your power", github is the worst choice for that purpose. They are likely to successfully fend off the attack, yet at the same time even if China would succeed it wouldn't have much to be proud of either (country vs a small company). It's a lose-lose...
Nobody cares. It's over there, it's not something we need to worry about.
It's not like the working conditions of those making our clothes, those making our smartphones, those pulling the materials for our electronics from the earth, etc. aren't unknown. They're very well known. We know damn well that there's children sewing together our shoes. We know that the people making our smart technology products are so miserable that their offices have anti-suicide nets in place around the building and throughout the stairwells.
We know this stuff and we don't care. We want our products and we want them as cheap as possible. The shareholders in these companies want the company to perform as best as they can to maximize returns, that means acting nefariously in many cases and we all know that.
People do not care and they will not care. If you gave people the choice, to be made anonymously and that nobody would ever know their choice, between paying multiple times what they pay for their technology or abolishing child labour and horrible working conditions, they would choose the cheaper option. Or maybe not, maybe they would choose abolishing these things in an effort to delude themselves and make themselves feel better, but when it comes time to purchase a product they will still go for the cheaper one manufactured in horrible conditions.
People simply do not care so long as it is not them feeling the effects. That's the same damned reason nothing is being done about the NSA revelations, or the corporate corruption of the US government, or the torture allegations about the CIA, and the list goes on.
Apart from the rather blurry technical analysis this particular article claims:
In recent public statements, China has deflected questions regarding whether they are behind the attack
But when you follow the actual citation it refers to this rather underwhelming exchange, which took place at a Chinese press conference:
QUESTION: [..] a report says that a US website was under hacker attack, and the source of the attack was from China. How do you respond?
ANSWER: [..] it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. [..]
And this is now "compelling evidence" for China being officially behind the Github attack?
Of course, while the smoking gun was found in Chinese Internet censorship offices and was covered with fingerprints of Chinese Internet censorship officials, it still might not have been perpetrated by the Chinese Internet censorship officials. It is only very likely that they were behind the attack.
If anything the attack was pinpointed to Chinese infrastructure, not the Chinese government.
TTL-based tracing is very deterministic and easy to understand
It's only deterministic if you trust all hops between yourself and the target, as any of them could fake the remaining route.
I don't know about you, but my 'traceroute baidu.com' passes through AT&T, an american company that is mentioned first in about every article and lawsuit about the NSA mass surveillance.
So if you're willing to buy into the theory of China performing this attack just for a demonstration of ability (because there's no other visible benefit), how can we know it isn't exactly the other way round?
There's no meaningful difference.
That's not a very convincing theory.
For a proof of concept they'd only have to mangle a handful of requests without anyone noticing. There's no need to attract everyone's attention and inform your potential opponents about your capabilities.
I agree that more technical evidence of the attack's source would be welcome. But the analysis published here is pretty convincing. Specifically "the GC acted on traffic between hop 17 and hop 18, the same link we observed as responsible for the GFW". There's pcap files if you want to verify for yourself.
For me the more interesting question remains: Why would China be carrying out this attack? I have yet to hear a plausible motive.
Other plausible actors would be the people who have an interest in creating the perception of a "cyber threat", in order to implement more "protections".
Protections like an Executive Order "to target those attempting cyber attacks on US assets and infrastructure".
After all, with both China and Russia attacking us, who would argue against the urgent need for such measures?
And yet, technically either China or the NSA (via their control over Tier1 carriers) could be responsible for this attack. Perhaps it really was China. But considering we're talking about state-level secret agencies in any case it's a bit sad how reluctant many HNers seem to be to even consider any scenario other than the mainstream narrative.
Exactly this. Not to mention the hundreds (if not thousands) of sites the government is more likely to target, that are far less known than GitHub and that they could take off-line indefinitely, with little or no outrage from anyone in the West.
Well, if we're talking about government-level conspiracy, how about the NSA?
We know they have the capability to infiltrate telecom systems, we also know that following the Snowden leaks, there has been a large amount of negative feelings towards the NSA amongst programmers many of whom have been deciding to actively work against the NSA's attempts to collect and eavesdrop on everything.
So what better way to get a bunch of programmers and hackers back on your side and interested in hacking for you at a state level, than feigning an attack from a foreign power and stirring up "we need to fight back" sentiment, that gets mentioned (often near the top) of every single HN thread on this matter.
To me, that's a far more plausible motive than any of the motives being attributed to the Chinese government.
I also see that many of the assumptions made by people about the Chinese government's capabilities and motivations are obviously being made by people with little/no understanding and experience of the Chinese - both from a cultural and technological perspective.
That being said, I don't believe this attack had any real nation state involvement. It's far more likely to have been "patriotic" Chinese hackers (who often perform hacks on perceived slights against the Chinese nation) rather than any sort of explicit nation-state action.
It's far more plausible and fits in with exactly the sort and style of hacks that they've been known to do in the past.
It's possible that North Korea was responsible, but the primary evidence the FBI held up was that the malware used was similar to malware used by DPRK in previous attacks. As many researchers pointed out, that malware has been widely available outside DPRK for years.
Certain 3-letter agencies have claimed to have additional intelligence pointing towards North Korea, but don't go into significant detail. "We're the NSA, so just trust us"
In both cases, it's possible the attack was carried out by a state actor, but I'm personally unwilling to point a finger without better evidence than what I've seen.
How can we link this weapon with China? I don't know, but it requires deep access to the colocation of major servers in China for sophisticated man-in-the-middle hijacking, so it seems like the number of organizations that can, in an intentional fashion, compromise a Chinese baidu colocated server is very small.
When one considers the sophistication and access required for this attack, and the reality that China is developing cyberweapons, and the reality that China openly uses cyberweapons against the west in various capacities, it seems improbable to suggest that a third party is more likely the culprit than the state. It isn't as if accusing China is outlandish- we're merely saying that they're striving for cyberweapon parity with the USA...
As it happens the organizations who could do either that, or who could make it look as if the attack originated from a chinese baidu colocated server, are just the same and the only ones who have any stake in this game.
I agree with your notion that China is developing "cyber weapons" just as every other large nation. I just remain skeptical about the idea of them using their guns so incompetently and aimlessly as in this case.
What exactly is the world going to do - sanction them and stop buying nearly everything from their factories?
I fear the US is going to seriously regret building up China with all our economic business instead of building up all of Central and South America.
2) the limitation to external users might be a technical requirement (i.e. where traffic can actually be intercepted) or it might be a political choice to allow for deniability in front of internal public opinion.
The rights of US citizens, yes, but our track record on human rights and free speech worldwide is not so good.
Maybe all-out war is not the fitting answer to what was, realistically, a tempest in a teapot.
"Powerful New Weapon"? Pure clickbait.
Playing catch-up with Anonymous is neither new nor powerful.
Edit: I'll try to make this a little clearer. Consider that many of the most free and civilized countries you know will identify, round up and harshly punish consumers of child pornography. Imagine a China (or another state of your choice) that sets its mind to providing the deprived and oppressed western masses with as much child pornography as they can download. Is the West's only admissible choice to dutifully round up and punish its own citizens? Is it clearer now?
To give yet another example: At some point in time, exporting a 128-bit symmetrical block cypher from the US may have been grounds for punishing you, the perp.
Let's counterfactually assume that China was successfully propagandizing tens of thousands of US citizens about both the ridiculousness and the anti-freedomness of this law. Assume that thusly propagandized US citizens resisted and breached the law.
Again: Would you prefer that the US, assumed to be quite aware of the Chinese efforts, would have identified, rounded up and harshly punished US citizens having exported "munitions" in the form of 128-bit symmetrical block cyphers after having been successfully turned against perfectly patriotic (even if misguided) US policy by non-friendly Chinese propaganda, while completely not doing ANYTHING to stop that propaganda, even though PROVEN to put US CITIZENS IN JAIL??
At the very least, include Hainan, over which China's sovereign rights are in no way disputed. And for aesthetics and political honesty, show Taiwan in grey.
Then I discovered that "color revolutions" were not happening by chance and that it was a CIA "technology" to remove an unwanted leader from a target country.
Now I understand why they use censorship. I still think they'd better educate their people (like the Russians seem to do) though. Whatever wall you build there will always be cracks.
>Now I understand why they use censorship.
You're being downvoted for this but I understand where you're coming from. The west has shown that it regularly targets other countries in terms of information warfare. We know, for example, that the CIA tried to instigate a coup last year through a Twitter-like application. We know JTRIG exists and what it exists for, etc. etc.
The West exerting influence through information/misinformation distribution, the corruption of online narratives, etc. is most certainly a threat to foreign entities.
I can understand why they would work to curb western influence in their countries and I don't blame them, and they use a very heavy-handed approach to deal with it.
There's an information/misinformation/psyops war going on every day on the internet and some entities have chosen to deal with it by filtering out anything that could be part of it.
Do I agree with them for doing so? Not really, I understand where they're coming from though. Do I think that they are actively fighting a threat? Yes, they quite likely are.
Things aren't as black and white as they would like us to believe.
But Chinese censorship is far from limited to preventing foreign espionage. How is the CIA more than a distraction or an excuse?
Not that subtle, e.g., http://www.bbc.com/news/world-europe-32137302
I meant they were educating them about "color revolutions" and that it was certainly better than just censoring the ideas that bring color revolutions.
Not even close to true. Propaganda can be lies. It can also be half-truths, carefully selected truths, or even full truths (should those truths put the organization issuing the propaganda in a good light). It can also be completely void of assertions (be they lies or truth) and contain nothing but emotional content. Humour is frequently used in modern propaganda. Funny internet videos that make fun of nations or their leaders, without actually making any sort of claim about them. Humour used as propaganda is particularly effective because anybody who argues against it will be told "Relax, it's just a joke. Stop taking it so seriously."
Russian here and having hysterical fit now.
Is it more free than any US news channel? No, I don't think so. The US mainstream media - Fox, CNN, MSNBC, etc. - are most certainly not free by any means and spend the majority of their time peddling a toxic, divisive narrative.
But RT? RT does the same, but for the Russian government. In fact, they go another step further and recruit westerners to present many anti-western shows to give their views more credibility here.
They do report the news on the west that otherwise gets brushed over or doesn't adhere to the narrative being peddled by mainstream US TV, but to say they're more free is something I would doubt.
While the US media spends its time dividing people and, for whatever reason, stoking the anti-Russian, anti-China and anti-NK flames the US government seem to want stoked at the moment, RT simply spends its time peddling an anti-Western narrative.
Both are ultimately propaganda machines. RT is somewhat interesting because it does give a different view on situations that we in the west are dominated by the western narrative with.
But when there's big, big money involved and close ties to government - as is the case with both the US mainstream media and RT - there is not much "freedom" involved.