China's Great Cannon (citizenlab.org)
264 points by acdha on Apr 10, 2015 | 169 comments

> We remain puzzled as to why the GC’s operator chose to first employ its capabilities in such a publicly visible fashion.

This is the most important question here. I think it's fair to assume this must've been a deliberate choice by the Chinese authorities to conduct such a visible attack. The alternative, that they didn't realize what they were getting into, that they thought GitHub would cave quickly, seems much too simplistic and naive. And whatever else you can say about the Chinese government, you can't accuse them of being naive.

If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities. The message being sent seems to be, "don't mess with us, we can do everything you can do and possibly more."

> If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities.

Probably deliberate with a lot of incompetence mixed in.

Most politicians have zero understanding of the Internet. They decided to do this as a demonstration of force and may not have consulted the people who built the Great Cannon. Or, the people who built it don't have the clout to say not to use it except for important reasons.

They also probably didn't realize that GitHub could eat the attack.

The problem with having done this is that, I suspect, a lot of ISPs now have null routes of China on standby along with bandwidth monitors that will choke traffic spikes from China almost immediately.

So, it didn't actually succeed. And people have now analyzed the attack and deployed countermeasures.

Not a great result for China.

Wouldn't the attack on GitHub have resulted in no traffic spikes from China? If the DDOS scripts are injected into browsers viewing Chinese content outside the firewall/cannon, the traffic spikes would be distributed from all over the globe, wherever there are Chinese expats.

That's correct. I work at a company in the US, and visitors to our website were getting the "Malicious Script" alert because we had Baidu analytics installed. Defending against this is much more nuanced than just blocking all traffic from China.

I'm curious what prompted installing Baidu analytics in the first place.

So block the Baidu analytics CDN and call it a day?

That would work, assuming there isn't a workaround. If they were really serious about the attack, though, it's easy to imagine ways around that, especially if you add the possibility of browser caching and exploits in the injected script.

I don't think DDoS is a real offensive weapon in cyber-warfare. It's just a noise-making attention-drawing machine.

What the paper calls targeted exploitation is the real weapon here. The main thing I took away from this paper is that the Chinese government now has the infrastructure to pwn anyone who visits websites hosted in China. This is pretty scary and simultaneously an amazing engineering feat.

Any advice for visitors of those websites hosted in China? As a Chinese person, I am always wondering if there is a way to avoid this. Many of us are aware of the backdoors in the Chinese apps (across all the platforms). No matter how big their names are, they have to comply with the orders from the ruling ones (I guess most of them cooperate with little guilty feeling). The best I can think of is to have different devices for visiting/using Chinese apps/websites. On a larger scale, I think average users have very limited resources to hide from big organizations. What the average Joe could do is a more general question I have not figured out. Thanks in advance.

Some general advice, to decrease the chance any given browser exploit will work against you:

- Disable Java; disable or whitelist Flash; use a different PDF reader than Adobe.

- Use either Firefox with NoScript or Chrome. (Disabling JavaScript is highly effective at reducing attack surface, but on any sites you've whitelisted, Firefox is significantly less secure than Chrome due to the lack of sandbox, though they're working on it... I think that NoScript equivalents for Chrome don't work correctly, but could be wrong.)

- Don't use XP! It no longer receives security updates...

- For the same reason, on mobile, prefer devices that have up to date operating systems.

Not perfect, but that's the state of computer security these days.

Very detailed. Thanks for your input.

The ideal answer is to convince the sites you visit to use https.

If the Chinese government controls a single CA that's installed by default, couldn't they MitM any TLS connection that isn't pinning certs?

Are there any Chinese CAs in any browsers' default installs? If so, they should probably be removed immediately.

CNNIC is no longer trusted by Chrome due to recent incidents, and you can manually remove it from Firefox and IE. While you're at it, take a few minutes to browse the list and also remove anything that sounds Chinese.

If any website you visit legitimately uses a Chinese SSL certificate, you can whitelist it specifically. I actually do this for SSL certificates signed by my own country's CA (not China), and it works wonderfully.

I don't think, practically, we could expect anything positive from the other side. But still thanks.

Given that the Chinese government could inject malware into any insecure connection you make across the firewall, you may also want to do most of your browsing through a virtual-machine.

Thanks, note taken.

Most of China is running on outdated, no-longer-supported software with lots of vulnerabilities. Pwning those computers is easy as there is an abundance of well documented exploit vectors available.

I disagree. If the history of EW/SIGINT has taught us anything it's that denial of service through saturation is effective, e.g. "jamming".

The question is if that truth transcends well from broadcast media (i.e. radio) to packet based, routed networks such as the Internet. Especially the long term effects.

Great points. The short term effect was costly, but was handled. But now the world knows that the capability exists and will start taking long term countermeasures. Thus the cost of developing the GC has now to some degree been wasted.

But more scarily, the deployment showed that the method used worked (to some degree) and others will learn to implement similar tech. Thus the long term side effect is that more MITM tools will be developed and deployed.

This is the premise of cyberweapons: fairly ineffective, especially in the long term against the intended target. But the long term side effects are big, since once deployed you hand over the knowledge about the weapon tech to others. Just like Stuxnet.

One big difference between the U.S. and China is that Chinese politicians tend to have engineering backgrounds while American politicians tend to have law backgrounds.

I'm not completely disagreeing with you that Chinese politicians may not understand the internet, but I don't think you can apply the same view of politicians you have in the U.S. to China.

"Username checks out"

It's too weak as a show of force from a state government. GitHub is, after all, a small civilian service, despite its prominence within the tech community.

Even DDoS itself is not really a serious cyber warfare measure -- you can't really take down any major government agency (except their public-facing website) or core infrastructure with it. What's the biggest damage caused by DDoS in all of Internet's history?

Here is how I believe it goes down:

1. The new chairman issued a mandate that he wants to crack down on accessing illegal content on the Internet.

2. Different department heads make this top of their priorities.

3. Somewhere down the management chain, a manager found those tools that help people access illegal content on the Internet.

4. Said manager himself, or one of his analysts, figures that if they bully GitHub with some DDoS, they'd cave and take down those tools. Points for promotion!

I doubt if even the US government takes this seriously.

Maybe part of the explanation for this specific attack is incompetence - miscommunication, comparatively junior people exceeding their authority, subordinates afraid to object, and everyone doubling down rather than admitting defeat. I could definitely imagine the people who devised and built out the capability being furious at it being deployed like this.

If it had lasted a couple of hours I could see that. But as long as that attack continued, no way.

Well, once it started, terminating it requires someone to lose face. So, yeah, I can see it continuing.

    Dr. Strangelove: Of course, the whole point
    of a Doomsday Machine is lost, if you *keep*
    it a *secret*! 
It aggravates me that other governments aren't making a bigger deal about this. This is a WMD where non-combatants are being unwittingly used to fight a computer war between countries they have nothing to do with.

We knew this was coming for 20 years![1] But instead of taking the high road and defending the internet from militarization, the governments of the world raced to become the first to make computer weapons and hasten the downward spiral to destruction. Sixty years ago we said "no weapons in space" and it was the right thing to do. It allowed the commercial use of satellites to grow without threat of being caught in the petty conflict of nations. The internet was supposed to be the next extra-national frontier and for a time it was. But now that there are weapons being fired why would I want to invest money in an internet business that may become the victim of a DDOS? My insurance doesn't cover acts of war, if I lose money because of it there's nothing I can do.

We've got treaties limiting the use of nuclear arms so innocent civilians aren't at risk of being irradiated. We've got treaties limiting chemical weapons so innocent civilians don't get their lungs burnt away. We've got treaties limiting land mines so innocent civilians don't get blown up when taking a hike through the woods. (Oh, and thanks for not ratifying that, Obama.) We need a treaty limiting computer weapons so innocent civilians don't have their computers hijacked and personal data put at risk.

[1] http://fmso.leavenworth.army.mil/documents/chinarma.htm

The problem with cyberweapons non-proliferation treaties is that, unlike nuclear weapons NPTs, they are incredibly hard to verify and enforce.

Estimating the offensive capabilities in cyberspace of any government is incredibly difficult, as is attributing attacks. Governments can attack you in the internet without you realizing you have been attacked or without you being able to distinguish between a government attack and that of a small criminal cell (the GFW attack is noteworthy because it is very easy to attribute, and even then we can't know for sure it wasn't a third party trying to falsely implicate the Chinese govt... not that I think it was, the point is that even in this case we can't be sure). In fact, many of the capabilities that governments have in cyberspace are quickly matched by non-state actors, making the attacks even harder to tell apart.

And that is only about enforcing norms on the use of cyberweapons. Verifying that states are not hoarding vulnerabilities or attack technologies is basically impossible.

The only real alternative is to build safer systems, mandate higher security standards and basically assume that companies and individuals are going to be the target of government attacks (their own and others) on the internet. The role of a good government, should one exist, would be to provide support to their citizens to increase their security (via research, mandating stronger standards, monitoring the supply chain for sabotage, economic insurance, etc).

Does China respect the no-space-weapons treaty? Would China respect a treaty regarding cyber weaponry?

American politicians have little stomach for confronting China. If a treaty were put into place, they'd be in the position of having to confront someone they really don't want to.

A treaty might be useful in some ways, but the best defense is ... well, a good defense (i.e. educating the masses, improving browser security, etc).

> Does China respect the no-space-weapons treaty?

A quick search showed China followed the US's lead in not respecting the no-space-weapons treaty.

From http://en.wikipedia.org/wiki/2007_Chinese_anti-satellite_mis... ...

In January 2001, a (US) congressionally mandated space commission headed by Donald Rumsfeld recommended that “the U.S. government should vigorously pursue the capabilities called for in the National Space Policy to ensure that the president will have the option to deploy weapons in space to deter threats to, and, if necessary, defend against attacks on U.S. interests."

Moreover, the U.S. withdrawal from the Anti-Ballistic Missile Treaty in 2002 has allowed the United States to pursue missile defenses, including space-based.

In response to US weaponisation of space, the Chinese started a space defense program, including anti-satellite defense.

I'm no policy expert, but it seems likely to me to be a demonstration of capability. The Chinese government has been arguing for a while now for their right to "Internet Sovereignty", the ability to impose Chinese policy on Chinese users of the Internet. This attack seems to demonstrate they also feel the right to extend that sovereignty into other countries, to block services like GreatFire they think are harmful to their sovereignty. This attack is them showing the world they have the capability.

More detail on China's Internet Sovereignty theory: http://blogs.wsj.com/chinarealtime/2014/06/23/chinas-lays-ou... http://www.huffingtonpost.com/lu-wei/china-cyber-sovereignty...?

Let's not forget the context that the Snowden disclosures brought to light. Borders and diplomatic relationships have been systematically ignored when it comes to developing and deploying offensive capabilities on the Internet. Sovereignty does not seem to exist in nations' minds when developing malware, breaking into critical infrastructure, stealing information, or causing sabotage online.

>I think it's fair to assume this must've been a deliberate choice by the Chinese authorities to conduct such a visible attack.

I think it is a fair explanation but I wouldn't assume it outright. The incompetence and ignorance of decision makers should never be underestimated when it comes to complex technology.

It seems to be a common mistake of our age to assume that decision makers are "incompetent" or "ignorant" when it comes to tech. Individually it is unrealistic to expect these people to be universally competent in any field of expertise. It has always been thus, and that is why decision makers surround themselves with expert advisors.

I would suggest we should never underestimate the deliberate and meaningful consideration taken by decision makers when it comes to complex technology. Regardless of if you agree with the outcome or not.

We should never underestimate either competence or incompetence. Instead let's put very wide error margins on statements about the intentions and plans of leaders. It is too easy to fall into the trap of assuming total incompetence, or on the other hand Dumbledore-like foresight. The truth is, most leaders have moments of both and luck plays a big role (see Steve Jobs or Winston Churchill).

>we can do everything you can do

Well, they couldn't take down Github.

> you can't accuse them of being naive

I will. I am of the opinion that any country that thinks they can be a big player in the global economy and introduce open markets to their country whilst simultaneously limiting freedoms of speech and choice has a certain amount of innate naivety. This may be a silly notion, but is there any chance this was a mistake like the way Stuxnet broadcast itself to the world?

I remain convinced that there was some other reason other than cyberforce posturing for the DDOS. Past examples of highly visible international attacks (I'm thinking of Sony here) have been to punish and embarrass companies for being complicit with US foreign propaganda efforts (re leaked Bennett/State Dept./Lynton/RAND emails). I'm not saying the exact same motivation is in play, but as GitHub hosts files - notably code - and many governments have been cracking down on file hosting and shares (like pastebin, etc).

This is speculation, but I prefer the explanation to cyberposturing, since this isn't something China needs to do, and as far as I can tell wouldn't benefit very much from.

The theory is in line with greatfire, as this organization is a "Civil Society Organization" funded ultimately by the US government to spread messages it wants within China. Github is more confusing.

I am mystified by the puzzlement people have shown over what the CPC's motivation could possibly be. The Xi Jinping administration has been engaged in a ham-handed crackdown on civil society and anyone who engages in political activism or discussion outside the context of the CPC for several years now, and that crackdown has recently intensified. VPNs have been disabled, universities have been warned not to use Western textbooks or discuss Western ideas, activists and intellectuals have been detained en masse or prevented from returning to the country, etc.

DDoSing foreign websites that are actively attempting to undermine the CPC's censorship and repression campaign is completely in line with the priorities of the CPC's high officials, as well as their general level of subtlety.

Yes. So greatfire, VOA, etc make a lot of sense - but what of Github? I don't believe they are a CSO on their face. I can imagine CSOs using github to host code or information that challenges the country (let's say software to organize demonstrations or circumvent surveillance) - I'm not aware of specifics.

With regard to CSOs and weaponized NGOs - I personally have a sour taste for them (I recognize that they are 'legal', however 'loophole-like').

This is because I am not willing to affirm foreign covert influence on United States/Western and my own opinion. So I usually hardly know whether to cheer or mope in cases where CSOs are challenged.

Huh? The reason for attacking github seems completely obvious, given that the attacked projects were (1) a mirror of the nytimes Chinese edition (explicitly intended to counter Chinese government censorship), and (2) anti-great-firewall-of-China tools...

[Not that they hoped to actually keep github down in the long run, but rather were probably trying to send a message that "hosting info the Chinese government doesn't like will make your life annoying so better not do it"...]

Thank you - this is what I was asking for. :)

(Can you provide the links?)

"If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities. The message being sent seems to be, "don't mess with us, we can do everything you can do and possibly more.""

I think this is silly.

The bar is still set at Stuxnet, in terms of computerized attacks on infrastructure. This is nowhere near Stuxnet in terms of capability, destructive effect or ingenuity.

It also shows how the Chinese government has little regard for its tech industry and is prepared to trash Baidu's reputation just to disturb some sites it finds annoying.

Agreed. At only 1.75% of traffic, my guess is that they could pack a much bigger punch if they wanted to.

It's not something they could do very often.

Every time they do such they risk having one of their most important commercial sites (Baidu, QQ, TaoBao) null-routed by the rest of the world. That's not exactly a long-term strategy.

Honest question: why would China care if Baidu is null-routed by the rest of the world?

1. They lose the ability to use it as part of a similar attack in the future. They can't use the same trick too many times or it stops working, forcing them to work their way down a list of pawns.

2. It damages their relationship with Baidu and indirectly with other Chinese tech companies, in much the same way that NSA overreach affects US ones. There will be some internal political effects, depending on what stakeholders have political clout.

3. When external Chinese-speakers use Baidu, the government has some influence on what they do (or don't) see. If they are forced to other alternatives, the government loses a certain degree of information-control.

Because once it's null-routed, it can no longer be used as a weapon. They only have so many cannons.

The GitHub attack apparently targeted sites using Baidu analytics visited from outside China, so outside visitors are weaponisable too.

They are, as long as their ISPs don't block Baidu.

Perhaps targeting ads to the large Chinese diaspora provides an effective way of redirecting some of the wealth accumulated abroad back into China.

It may not be as big and publicly visible as we think. Big would be targeting a stock exchange. Thinking at the nation-state level, Github is small potatoes. Who is going to know or care outside of the tech sector?

I mentioned this as a reply in the other thread on this topic, but just to make sure it is clear to those who may not have read or reasoned about the full report:

The reason it is powerful is not this particular attack. It's a demonstration that they are willing and able to inject malicious responses to any request going to a Chinese resource (web site, analytics service, ads, etc.). Imagine if instead of returning some DoS javascript they deliver a payload to silently exploit a vulnerability in your browser/OS (and they are surely capable of finding or purchasing those) to do whatever they want with it:

- Add it to a botnet

- Steal your personal data

- Infiltrate your corporate network

- Wipe your system (punishment for those accessing or producing GFW circumvention software)

Are you confident your browser never makes HTTP requests to Chinese servers? Are there tools we can install to prevent it?

[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here at different places.]

> Imagine if instead of returning some DoS javascript they deliver a payload to silently exploit a vulnerability

It would be foolish to imagine that this is still theoretical. Tools this powerful are tempting to use. Unfortunately, the first publicly known use of a tool or method is often assumed to be the use in general.

Not only are you correct in that the GFW will be used for much smaller attacks that will probably go unnoticed, it almost certainly already has.

I hope that this drives home the need to be using HTTPS everywhere we can be. It would make this kind of wide scale man-in-the-middle attack much harder to pull off and easier for users to detect. If only getting a certificate was an easier (less costly) process.

When considering the effectiveness of HTTPS everywhere, we should assume the Chinese government will have the ability to create valid certificates.

This would allow them to perform MITM attacks against anyone who visits Chinese websites, even with HTTPS.

They need to sign those certs with a CA. If they do this, they create a cryptographic proof that they're abusing their trust and are removed from the trust store quickly.

In fact that happened about a week ago:


But if China chose to, they could simply require all Chinese websites to use government-issue certificates, forcing the world to choose between allowing Chinese MITM monitoring and losing access to China.

> But if China chose to, they could simply require all Chinese websites to use government-issue certificates, forcing the world to choose between allowing Chinese MITM monitoring and losing access to China.

The more likely outcome of that gambit would just be that the CA would be restricted to .cn domains, possibly with some sort of install-on-demand warning.

> The more likely outcome of that gambit would just be that the CA would be restricted to .cn domains, possibly with some sort of install-on-demand warning.

A reasonable compromise, but one which wouldn't prevent MITM snooping or alteration of communications with Chinese websites, like this attack.

And to allow snooping of outgoing communications, the Chinese could also require that all browsers used in China trust the Chinese government CA without that restriction.

Agreed, although it technically would have helped against attacks like the ones we just saw where most of the parties involved – including Baidu – are using .com domains. No question, of course, that this would only result in heavy pressure on everyone doing business in China to use .cn domains.

That would not necessarily prevent attacks like the GitHub attack, which used embedded analytics JS from Baidu, IIRC.

Actually, it would have stopped this particular variant because Baidu serves the script from baidu.com:


That said, it would only matter if Baidu was doing something like serving the script only over HTTPS using HSTS which I imagine would incur a non-trivial backlash for them.

I'd also be surprised if they couldn't relatively easily move on to another similarly insecure script requested by many people outside of China.
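A small audit tool for the point made in this sub-thread (the injected script was pulled over plain HTTP from a third-party host, and HTTPS with HSTS on that host would have closed this variant) and for the earlier question of whether one's own pages make any plain-HTTP requests at all. This is an added example, not code from the Citizen Lab report or from any commenter; the HTML, headers and hostnames below are constructed samples.

```python
"""Find <script src> includes that an on-path injector could replace (any
script fetched over plain HTTP), and check whether an origin sends HSTS.
Sample page and headers are constructed for this example; hostnames are
placeholders, not real analytics providers."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_script_includes(page_url, html):
    """Return (absolute_url, reason) for each script fetched over plain HTTP.

    Relative and protocol-relative ("//host/x.js") sources inherit the page's
    scheme, so the same markup is safe on an https:// page and exposed on an
    http:// page; that is why the page URL is an input here.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        parsed = urlparse(absolute)
        if parsed.scheme != "http":
            continue  # https (or data:, etc.) is not injectable by a network MITM
        if parsed.hostname == page_host:
            reason = "first-party script over plain HTTP"
        else:
            reason = "third-party script over plain HTTP"
        findings.append((absolute, reason))
    return findings


def hsts_max_age(headers):
    """Return the HSTS max-age (seconds) from a response header dict, or None
    if the origin sends no usable Strict-Transport-Security header."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.strip().lower() == "max-age":
                try:
                    return int(val.strip().strip('"'))
                except ValueError:
                    return None
    return None


# Constructed sample: a page that embeds a third-party analytics script over
# plain HTTP (the pattern discussed above), plus relative and https includes.
SAMPLE_HTML = """<html><head>
<script src="http://third-party-analytics.example/a.js"></script>
<script src="/js/app.js"></script>
<script src="//static.example/widget.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body>hello</body></html>"""

# Constructed sample headers from the script host, as they would look with HSTS on.
SAMPLE_HEADERS = {
    "Content-Type": "application/javascript",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for url in ("https://shop.example/", "http://shop.example/"):
        print(f"page {url}:")
        for include, reason in audit_script_includes(url, SAMPLE_HTML):
            print(f"  {reason}: {include}")
    print("HSTS max-age on script host:", hsts_max_age(SAMPLE_HEADERS))
```

On the https:// version of the sample page only the analytics include is flagged; on the http:// version the relative and protocol-relative scripts become injectable as well.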

Remember to remove Chinese CAs from the Trust Stores in the OS and browser. Unfortunately this is not very easy in some cases. And next update might add them back again. We really need better Trust Store management as a user. We should be allowed to define what CAs _we_ trust.

Coincidentally, Google Chrome and Firefox recently blocked a Chinese root authority from issuing SSL certificates. (AFAIK, the only default Chinese authority). The stated reason has nothing to do with censorship attacks, but it is an interesting coincidence. http://arstechnica.com/security/2015/04/google-chrome-will-b...

Which underscores the need to use additional authentication measures like DANE [1] and key pinning. Making it harder for malicious entities to wriggle their way into connections seems vital here.

[1] http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Nam...

Just installed Little Snitch.

Almost every app on my Mac is trying to access some resource on the web, most of them over port 80 or a mix-and-match of both 80 and 443. And then the OS itself has a variety of services that do the same. My computer is like a beacon of light that shines its position and personal information to everybody.

Also a user of Little Snitch. (A great OSX tool btw). I've started to block all accesses that are not to 443, just to see what breaks. One of the worst offenders is iTunes.

Non-browser software is notorious for failing to fail when certs don't validate.

More than that, it drives home the need to disable JavaScript by default. To do otherwise is inviting every web site you visit (and every third-party site they load content from, and everyone who can compromise either) to run arbitrary code on your system.

And it drives home the stupidity of sites which demand JavaScript to view even simple content which could just as well be static.

I totally agree. I started using Cloudflare's free service to add HTTPS support to my most important sites. I have some concerns about routing my traffic through another company, but free is free and I really think people need to transition to HTTPS everywhere.

Well, they sometimes block HTTPS traffic; e.g. for Wikipedia (even just wikimedia right now).

Would they be able to block HTTPS traffic if it effectively meant that they were blocking the internet though? I think people would have a bigger problem with that.

If all websites went https, they would try to block everything, definitely.

If China is responsible for this, it shows extreme recklessness on their part, a deep disrespect for the rule of law and the customs of the internet. The people in the chain of command responsible for this should be held criminally liable.

The lack of sophistication, ineffectiveness, and bluntness of the attack speaks toward a fundamental capability gap between China and the other "cyberpowers".

There is no rule of law or customs of the internet, however. That's been the big push for the last decade within the US: to develop an international norms framework for the internet. The problem is that many of the activities being performed by China, Russia, France, Germany, the UK, Israel, Canada, the US, etc. are being performed by others - it's difficult for us to condemn China without equally condemning the others. (Those wanting to argue a straw man will suggest that the technical details of this attack are somehow above and beyond the pale of what other nations are known to do and make their argument about JS injection.)

It's true that China is much more crass and less developed in their cyber capability. It isn't that much less effective however.

And that is one of the reasons it would be a good idea for the US and other Western countries to dial down some of their more aggressive actions: those actions set precedents that encourage other countries like China to match the escalation.

There does seem to be a difference, though. The US monitors communications, adds backdoors to infrastructure to monitor communications, and injects malware into Iranian nuclear reactors that could be used to make weapons.

China, on the other hand, deliberately attacks anyone who criticises their government. In the US you are perfectly free to say the government are a bunch of fuckwits who should be kicked out of office, if that is your opinion.

I'm not necessarily saying that what the US does is legal or morally acceptable, just that it is more morally acceptable than what China does. It's like the difference between a private investigator illegally breaking into someone's house to gather information, and a gangster going in and shooting everyone.

I'm not even taking a position on whether action A is more morally acceptable than action B. I'm just saying, maybe so, but at the end of the day, not only are they both ethically dodgy but A creates an environment that encourages B, so that in itself is reason to think A should be dialed back a few notches.

State level injection is not new. Prior to the Tunisian revolution this was happening on HTTP Facebook pages: http://blog.jgc.org/2011/01/code-injected-to-steal-passwords...

HTTPS everything.

I think the big difference here is that it's being used to launch attacks outside of the country. For too many years, the assumption was that these large scale attacks either didn't happen or were only limited to people already subject to a particular government.

> HTTPS everything

… and with HSTS, too

And disable JavaScript. And complain loudly to any site that requires it when it doesn't really need to. That would eliminate 99.99% of the attack vector for injected payloads.

If this was meant as a demonstration of power it failed miserably. A nation state attacking a single corporation, and not even a very large one at that, and all they managed to achieve was being blackholed in various spots and seeing their attack being consumed. Minor nuisance at best, and very much losing face, both in terms of goodwill and in terms of power.

If this was officially sanctioned heads will likely roll.

On the contrary, it sounds like this was just an initial test. It crippled GitHub for days, called into question the reliability of the service, and took a team of people to trace down the attack.

And if this paper's allegations are accurate, China's government did this while only targeting less than 2% of the people who pulled down only a very small subset of scripts that will only exist on a small subset of pages. Imagine what would have happened if the Great Cannon were to inject this script into the <head> of every page?

What will happen is simple: China will find itself in an internet black-hole.

The problem is that from GitHub's perspective, or that of GitHub's ISP, this would do little to avert the attack. That's because the "attackers" in this case appear to be users outside of China's great firewall who have accessed a service inside of China.

Consequently, it is primarily Chinese-speaking users worldwide and web services that provide Chinese language services (and would be likely to use Baidu's or another Chinese service's scripts) that end up looking like the attackers. In this case, it appears most of the requests came from Taiwan, Hong Kong, and the US.

China could of course filter this further. With only 1.75% of requests being turned into DDOS attacks, they could throttle this up to ~100% and filter the IPs they target to, say, only US IP addresses. Now the attackers appear to be regular US citizens.

What will you do then? Black-hole the US? Beg consumer ISPs to black-hole China?

It is and it isn't powerful. I was pretty impressed by how they attacked GitHub (not why) and in doing so they showed the power of the tool.

However, the requests it made could have easily been turned back against Chinese business if Github so wanted. It couldn't be done because there was no reasonable who to turn the traffic back against. If non-Chinese companies simply said "If China uses these tools we will redirect the traffic at a number of large Chinese businesses" then a lot of the power in the tool is immediately withdrawn.

At least that's my interpretation of it.

The reason it is powerful is not this particular attack. It's a demonstration that they are willing and able to inject malicious responses to any request going to a Chinese resource (web site, analytics service, ads, etc.). Imagine if instead of returning some DoS javascript they deliver a payload to silently exploit a vulnerability in your browser/OS (and they are surely capable of finding or purchasing those) to do whatever they want with it:

- Add it to a botnet

- Steal your personal data

- Infiltrate your corporate network

- Wipe your system (punishment for those accessing or producing GFW circumvention software)

Are you confident your browser never makes HTTP requests to Chinese servers? Are there tools we can install to prevent it?

[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here.]

Forgive my ignorance, if anyone knows of an initiative that does what I am about to suggest... It's an idea off the top of my head, without too much thought: Is it about time we start to sign our javascript so that browsers will only execute the JS if it can verify the signature? I know, there are so many drawbacks, especially for those of us who are developers, but I'd value security on the Internet over the additional development overheads.

Or deprecate HTTP and enforce HTTPS only?

It crops up occasionally, the issue has always been the effort of client support, and that it only anchors the validity to that of the document referencing the javascript (or whatever).

These days there's an active spec underway for "Subresource Integrity" at w3: http://www.w3.org/TR/SRI/, which is pretty much exactly that, so hopefully it'll happen eventually.
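Subresource Integrity, as the comment above suggests, lets the page author pin the exact bytes a `<script>` tag may load. The following is an added example, not code from the original post or from the W3C spec: it computes an SRI `integrity` value and mimics the browser-side check against a constructed original script and a constructed tampered copy.

```python
import base64
import hashlib

# Constructed sample content: the script a page intends to load (think of a
# third-party analytics script) and the same script with extra code appended
# somewhere on the path, which is the scenario discussed in this thread.
ORIGINAL_SCRIPT = b"window.track = function (ev) { /* analytics */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* injected on path */ window.injected = true;\n"

# Algorithms the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI metadata token such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag an author publishes for this exact content.
    crossorigin="anonymous" is needed so the browser may check a cross-origin
    response against the hash."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(integrity: str, content: bytes) -> bool:
    """Mimic the browser's decision: parse the integrity attribute, keep only
    tokens with a known algorithm, and accept the fetched bytes only if they
    match one of the tokens using the strongest algorithm present."""
    parsed = []
    for token in integrity.split():
        alg, _, expected = token.partition("-")
        if alg in SRI_ALGORITHMS and expected:
            # The spec allows an option suffix after '?'; it does not take part
            # in the comparison.
            parsed.append((alg, expected.split("?")[0]))
    if not parsed:
        # No usable metadata: the browser loads the resource unchecked, which
        # is why the attribute has to be present and well formed to help.
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    return any(sri_digest(content, alg) == f"{alg}-{exp}"
               for alg, exp in parsed if alg == strongest)


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/track.js", ORIGINAL_SCRIPT)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("original accepted:", sri_matches(integrity, ORIGINAL_SCRIPT))
    print("tampered accepted:", sri_matches(integrity, TAMPERED_SCRIPT))
```

The check only protects the subresource: if the HTML that carries the `integrity` attribute is itself served over plain HTTP, an on-path party can rewrite the attribute too, which is the limitation the comment above describes.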

Thanks for the link :)

Yeah, if GitHub had used a 301 Moved Permanently to some Chinese website I think it would have been interesting [rather than responding with the alert message]....however that probably would be deemed "attacking" someone.

It would've been interesting if they had made the 301 point back to Baidu.

While fun, it almost certainly would have resulted in China moving to the Syn flood stage faster. That being said, I'm always a fan of the classics, and would have probably gone for a redirect to goatse or the like. Given that the script was giving github full control of the page, a bit of shock and awe would have been rather fun.

Not really, it's technically deflecting the attack back at your opponent, just like martial arts. I would more likely call it active defense. :)

Note: Journalists will always go for the sensational; that's no reason not to do it.

Do you honestly believe that is how the average journalist would report it and the general population would perceive it?

'cause I immediately see headlines like:

"Github hacks China over censorship!"

A bit far-fetched perhaps, but could it be that this attack on Github's front-end was a mere feint for a separate attack on their back-end?

If there's a repo hosted there that someone in China wanted to modify, perhaps they would use DOS as cover for a surreptitious maneuver which might otherwise get noticed.

This is likely just showing my ignorance of Git, but could an attacker having sufficient compute resources to arrange a Git hash collision and having back-end access to Github, modify sources without it being noticed by the repo owner?

This is actually a very good and interesting question. It would be good if Github started to at least show signed commits and on a per repo level block non-signed commits.

And Git should migrate to something better than SHA1.

Pretty much any country could perform this attack. The interesting thing about this, is that China thinks it can get away with openly attacking foreign companies. And it might even be right about that.

Anyone remember what happened when North Korea attacked Sony? Where are the sanctions this time?

AFAICR there is still no evidence that North Korea attacked Sony, but everybody seems to think they did.

There's tons of evidence that NK attacked SONY and the reason they did it was revealed when the Guardians of Peace leaked the Lynton emails.

Another weird thing about the whole situation, besides the reasons for the attack and reasons for it failing, there's a question - why github?

Seems like a weird choice for a target. Github is neutral, and github is unambiguously good. Aren't there better targets attacking which would have at least a semi-plausible excuse?

I mean attacking github is like screaming "I'm evil".

Besides, if you want to "demonstrate your power", github is the worst choice for that purpose. They are likely to successfully fend off the attack, yet at the same time even if China would succeed it wouldn't have much to be proud of either (country vs a small company). It's a lose-lose....

The reason they attacked github is because github was hosting greatfire and cn-nytimes.

People talk of boycotting china's products, but has there ever been a real discussion about refusing to sell products in China? With the growing desire for western/external goods, cutting off the Chinese people's access to our[sic] trinkets and stuff might put real pressure on the State to back off on censorship and HRVs to forestall any popular movement...

Every single time such action is taken, it's counterproductive. It makes the target country more bitter and paranoid, cements the feeling that they have to stick together against the external enemy, encourages their government to escalate in response. How many times does history have to teach that lesson before we learn it?

Exactly, if we can root for people to become vegan, organic and not buy fur etc., why not have campaigns to not support products made by countries with oppressive governments?

>Why not have campaigns to not support products made by countries with oppressive governments.

Nobody cares. It's over there, it's not something we need to worry about.

It's not like the working conditions of those making our clothes, those making our smartphones, those pulling the materials for our electronics from the earth, etc. are unknown. They're very well known. We know damn well that there's children sewing together our shoes. We know that the people making our smart technology products are so miserable that their offices have anti-suicide nets in place around the building and throughout the stairwells.

We know this stuff and we don't care. We want our products and we want them as cheap as possible. The shareholders in these companies want the company to perform as best as they can to maximize returns, that means acting nefariously in many cases and we all know that.

People do not care and they will not care. If you gave people the choice, to be made anonymously and so that nobody would ever know their choice, between paying multiple times what they pay for their technology or abolishing child labour and horrible working conditions, they would choose the cheaper option. Or maybe not, maybe they would choose abolishing these things in an effort to delude themselves and make themselves feel better, but when it comes time to purchase a product they will still go for the cheaper one manufactured in horrible conditions.

People simply do not care so long as it is not them feeling the effects. That's the same damned reason nothing is being done about the NSA revelations, or the corporate corruption of the US government, or the torture allegations about the CIA, and the list goes on.

people do not care and they will not care you may be right, but you are painting with an immensely broad brush. you care. i care. i bet many care. does that mean anything? time will tell. ...nothing is being done about NSA, Gubniment corruption, torture allegations, etc Jeez. What did you expect, a revolution? This country of mine [ours?] was built to do things slowly. The original idea was to make it hard for the central government to do things quickly, thereby weakening its power. It may have worked for a while, but it also severely handicapped anyone in the government to stand up to banking and commercial interests [there are some in the government, past and present, who legitimately care about people and earnestly try to do the right thing]. things take time. understand, i have said, verbatim, everything you stated more than once in many different situations. i agree, but i guess seeing it in writing from another person rustled some optimistic feathers i had not known i had. a personal story, so take it with a grain of salt: someone i know, very personally, works for no such agency. at the time of the Snowden Revelations, they were obviously mum. to date, they have said nothing about it, but i have watched the bags under the eyes deepen, the gray hairs multiply, the demeanor sag. Does this mean anything to anyone, does it mean there is hope? who knows such things. i encourage you to consider two things: 1) wedding bands serve the very important function of reminding a person what they already know; the effort is the point. the building is the amalgam of the bricks put into it. 2) no one changes their mind during an argument; it is only after silent and solitary consideration that a person's mind changes.

I don't like the underlying assumption in all these articles that the Chinese government was behind the attacks, as if we had proof for anything.

Apart from the rather blurry technical analysis this particular article claims:

In recent public statements, China has deflected questions regarding whether they are behind the attack

But when you follow the actual citation[1] it refers to this rather underwhelming exchange, which took place at a Chinese press conference:

  QUESTION: [..] a report says that a US website was under
            hacker attack, and the source of the attack was from China.
            How do you respond?

  ANSWER: [..] it is quite odd that every time a website in
          the US or any other country is under attack, there
          will be speculation that Chinese hackers are behind it.
          I'd like to remind you that China is one of the
          major victims of cyber attacks. [..]

So the Chinese press lady gave her standard boilerplate response, to a less than specific inquiry (which she probably hears at every press conference), in between handling questions about illegal fishing in Somali waters and the Arab League Summit's commitment to a joint Arab military force.

And this is now "compelling evidence" for China being officially behind the Github attack?

[1] http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/251...

The technical analysis pinpointing the attack to the Chinese government was definitely not blurry. TTL based tracing is very deterministic and easy to understand, and finding the injection point to be at the same spot as the Great Firewall is pretty much the closest thing to a smoking gun with regards to Internet attacks.

Of course, while the smoking gun was found from Chinese Internet censorship offices and was covered with fingerprints of Chinese Internet censorship officials, it still might be not perpetrated by the Chinese Internet censorship officials. It is only very likely that they were behind the attack.

> The technical analysis pinpointing the attack to the Chinese government was definitely not blurry.

If anything the attack was pinpointed to Chinese infrastructure, not the Chinese government.

> TTL based tracing is very deterministic and easy to understand

It's only deterministic if you trust all hops between yourself and the target, as any of them could fake the remaining route.

I don't know about you, but my 'traceroute baidu.com' passes through AT&T, an American company that is mentioned first in about every article and lawsuit about the NSA mass surveillance.

So if you're willing to buy into the theory of China performing this attack just for a demonstration of ability (because there's no other visible benefit), how can we know it isn't exactly the other way round?

[1] http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_(2...

[2] https://www.eff.org/nsa-spying

> Chinese infrastructure, not the Chinese government

There's no meaningful difference.

Governments can lose control of their infrastructure in the face of a well-equipped hacker.

Demonstration of ability is one way to put it. Limited weapons testing is another. You don't enter a fight with untested weapons.

> Limited weapons testing

That's not a very convincing theory.

For a proof of concept they'd only have to mangle a handful of requests without anyone noticing. There's no need to attract everyone's attention and inform your potential opponents about your capabilities.

Your comment is thoughtful so I'll reply in kind. Is there any other plausible actor who could be carrying on this attack for so long? And is motivated to attack GreatFire? The Chinese government controls their Internet connection to the world with a firm hand. Who else could it be?

I agree that more technical evidence of the attack's source would be welcome. But the analysis published here is pretty convincing. Specifically "the GC acted on traffic between hop 17 and hop 18, the same link we observed as responsible for the GFW". There are pcap files if you want to verify for yourself.
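The TTL-based localisation the two comments above argue over works like this: send the same request with the IP TTL raised one hop at a time; routers where the TTL expires answer with ICMP Time Exceeded, and the first TTL at which an injected response comes back instead places the injector on the link just past the last router that still answered. This is an added simulation written for this thread, not the Citizen Lab code or data; the 25-hop path and the injector on the link between hop 17 and hop 18 are constructed to mirror the numbers quoted above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Path:
    """Constructed model of the route from the probing client to the server."""
    hops: int                           # routers between client and server
    injector_after_hop: Optional[int]   # injector watches link hop -> hop+1, or None


@dataclass(frozen=True)
class Reply:
    kind: str    # "icmp_ttl_exceeded", "injected" or "genuine"
    source: str  # which device answered


def send_probe(path: Path, ttl: int, request_is_targeted: bool = True) -> Reply:
    """Simulate one TTL-limited HTTP request.

    Each router decrements the TTL; the router that takes it to zero drops the
    packet and replies with ICMP Time Exceeded. An on-path injector does not
    decrement anything: it merely observes the link it sits on and answers a
    request it is configured to act on as soon as the packet crosses that link,
    so the packet never needs to reach the real server for injection to occur.
    The model assumes every router decrements TTL honestly; a hop that forged
    the remaining route would break the inference, as one comment points out.
    """
    remaining = ttl
    for hop in range(1, path.hops + 1):
        remaining -= 1
        if remaining == 0:
            return Reply("icmp_ttl_exceeded", f"hop{hop}")
        if path.injector_after_hop == hop and request_is_targeted:
            return Reply("injected", f"link{hop}-{hop + 1}")
    return Reply("genuine", "server")


def locate_injector(path: Path) -> Optional[int]:
    """Walk the TTL upward and return N such that the injector sits between
    hop N and hop N+1, or None if a genuine server reply is reached first."""
    last_icmp_hop = 0
    for ttl in range(1, path.hops + 2):
        reply = send_probe(path, ttl)
        if reply.kind == "icmp_ttl_exceeded":
            last_icmp_hop = int(reply.source[len("hop"):])
        elif reply.kind == "injected":
            return last_icmp_hop
        else:
            return None
    return None


if __name__ == "__main__":
    route = Path(hops=25, injector_after_hop=17)
    for ttl in (16, 17, 18):
        r = send_probe(route, ttl)
        print(f"TTL {ttl}: {r.kind} from {r.source}")
    print("injector between hop", locate_injector(route),
          "and hop", locate_injector(route) + 1)
```

Repeating the walk with `request_is_targeted=False` (a request the injector ignores) yields only ICMP replies and then the genuine server response, which is the control measurement that distinguishes an on-path injector from an ordinary router.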

> Is there any other plausible actor who could be carrying on this attack for so long?

For me the more interesting question remains: Why would China be carrying out this attack? I have yet to hear a plausible motive.

Other plausible actors would be the people who have an interest in creating the perception of a "cyber threat", in order to implement more "protections".

Protections like an Executive Order[1] "to target those attempting cyber attacks on US assets and infrastructure".

After all, with both China and Russia[2] attacking us, who would argue against the urgent need for such measures?

And yet, technically either China or the NSA (via their control over Tier1 carriers) could be responsible for this attack. Perhaps it really was China. But considering we're talking about state-level secret agencies in any case it's a bit sad how reluctant many HNers seem to be to even consider any scenario other than the mainstream narrative.

[1] http://www.nationaljournal.com/tech/obama-declares-cyber-att...

[2] http://www.dailymail.co.uk/news/article-3029768/Russian-hack...

> Why would China be carrying out this attack? I have yet to hear a plausible motive.

Exactly this. Not to mention the hundreds (if not thousands) of sites the government is more likely to target, that are far less known than GitHub and that they could take off-line indefinitely, with little or no outrage from anyone in the West.

>Is there any other plausible actor who could be carrying on this attack for so long?

Well, if we're talking about government-level conspiracy, how about the NSA?

We know they have the capability to infiltrate telecom systems, we also know that following the Snowden leaks, there has been a large amount of negative feelings towards the NSA amongst programmers many of whom have been deciding to actively work against the NSA's attempts to collect and eavesdrop on everything.

So what better way to get a bunch of programmers and hackers back on your side and interested in hacking for you at a state level, than feigning an attack from a foreign power and stirring up "we need to fight back" sentiment, that gets mentioned (often near the top) of every single HN thread on this matter.

To me, that's a far more plausible motive than any of the motives being attributed to the Chinese government.

I also see that many of the assumptions made by people about the Chinese government's capabilities and motivations are obviously being made by people with little/no understanding and experience of the Chinese - both from a cultural and technological perspective.

That being said, I don't believe this attack had any real nation state involvement. It's far more likely to have been "patriotic" Chinese hackers (who often perform hacks on perceived slights against the Chinese nation) rather than any sort of explicit nation-state action.

It's far more plausible and fits in with exactly the sort and style of hacks that they've been known to do in the past.

The leap to blame the Chinese government for this attack reminds me of the leap to attribute the Sony attack to North Korea.

It's possible that North Korea was responsible, but the primary evidence the FBI held up was that the malware used was similar to malware used by DPRK in previous attacks. As many researchers pointed out[1], that malware has been widely available outside DPRK for years.

Certain 3-letter agencies have claimed to have additional intelligence pointing towards North Korea[2], but don't go into significant detail. "We're the NSA, so just trust us"

In both cases, it's possible the attack was carried out by a state actor, but I'm personally unwilling to point a finger without better evidence than what I've seen.

[1] http://www.cnn.com/2014/12/27/tech/north-korea-expert-doubts... [2] http://recode.net/2015/01/18/how-the-u-s-knew-north-korea-wa...

Considering that the USA has similar cyberweapon capacities that are publicly known, I believe it's naive to assume that China isn't developing similar weapons.

How can we link this weapon with China? I don't know, but it requires deep access to the colocation of major servers in China for sophisticated man-in-the-middle hijacking, so it seems like the number of organizations that can, in an intentional fashion, compromise a Chinese baidu colocated server is very small.

When one considers the sophistication and access required for this attack, and the reality that China is developing cyberweapons, and the reality that China openly uses cyberweapons against the west in various capacities, it seems improbable to suggest that a third party is more likely the culprit than the state. It isn't as if accusing China is outlandish- we're merely saying that they're striving for cyberweapon parity with the USA...

> it seems like the number of organizations that can, in an intentional fashion, compromise a Chinese baidu colocated server is very small.

As it happens, the organizations who could do either that, or who could make it look as if the attack originated from a Chinese baidu colocated server, are just the same and the only ones who have any stake in this game.

I agree with your notion that China is developing "cyber weapons" just as every other large nation. I just remain skeptical about the idea of them using their guns so incompetently and aimlessly as in this case.

They did this because they have nothing to lose and can show off their technical prowess.

What exactly is the world going to do - sanction them and stop buying nearly everything from their factories?

I fear the US is going to seriously regret building up China with all our economic business instead of building up all of Central and South America.

Why would China only swap scripts for users OUTSIDE China? And why only 1.75% of the time? If they're willing to do this level of `cyber warfare`, why stop at its own citizenry, or cap it at a number like that?

In this case, the goal was to attack GitHub. If you only use clients in one country, the target would have the option of simply having their edge routers drop traffic from the entire country. Using international clients removes that option and likely makes the attack more successful because it generates more traffic closer to the target.

Perhaps just an experiment. I doubt this greatfire thing really matters to them, but it'd be a great way to test offensive capability and mitigation strategies without provoking a serious response.

1) This is the first time they publicly use it, part of the objective was probably to gauge world reaction. Dropping an atomic bomb on a fishing village is different from sending a few gunmen to that same village.

2) the limitation to external users might be a technical requirement (i.e. where traffic can actually be intercepted) or it might be a political choice to allow for deniability in front of internal public opinion.

I wonder how hard it would be to take down the Great Firewall? I'd imagine that may cause some consternation within the ruling party.

Is there an addon/extension for firefox/chrome that can block all the website from China?

Crazy, my friend Bill worked on this; he's the one mentioned in the article.

Is it too late for http2 to require encryption by default?

According to http://en.wikipedia.org/wiki/HTTP/2#Encryption and the browser support section this is already the case, at least for server<->browser communication. If unencrypted HTTP/2 gets any use at all it will only be for server<->server communication (RPC and such).

Is citizenlab down for anyone else?

China has an authoritarian government that produces pollution that threatens the entire world, ignores human rights and free speech, and supports dictators in Russia and Africa. If China gets any more powerful, the world is doomed. We need to curb commerce with China.

Replace China with USA and see how it looks.

Much further from the reality. The US has huge flaws and gaping failures with these matters, but still, compared to China it is objectively way less authoritarian, and has a much better track record with respecting free speech and human rights.

> The US...has a much better track record with respecting free speech and human rights.

The rights of US citizens, yes, but our track record on human rights and free speech worldwide is not so good.

But when China is at par with what US has been, China's record of human rights and free speech worldwide will be much worse than that of US.

...and watch China flood the US with dollars (it has a few of those, y'know?), halt all Apple smartphone production and lobby hard and successfully to finally replace the petrodollar?

Maybe all-out war is not the fitting answer to what was, realistically, a tempest in a teapot.

The Great Cannon is basically a proprietary WebLOIC, which of course means Web-based Low Orbit Ion Cannon. You may have heard of LOIC; a DDoS tool being used by script kiddies and activists for the past 4 or so years.

"Powerful New Weapon"? Pure clickbait.

Playing catch-up with Anonymous is neither new nor powerful.

The new part is MitM-ing a popular site to use unsuspecting people's computers in the attack.

Watering hole attacks and MitM aren't really new either. I know people who used hacked sites to drop slowloris.js payloads to coordinate "Anonymous-related" attacks. (Not really Anonymous related; quotes are sarcasm.)

Yeah, the only new part is the scale it operates on since it can MitM any site in an entire country and use legal means to guarantee its access.

Yep. Using legal means to maintain a privileged position to do malicious things to the rest of the Internet is an innovation that few can enact.

To play devil's advocate: If you had the choice between identifying all domestic users of GFW circumvention tools, rounding them up, and shooting them, or attacking some of the foreign devil peddlers of such tools, which is the more humanitarian and mild measure?

Edit: I'll try to make this a little clearer. Consider that many of the most free and civilized countries you know will identify, round up and harshly punish consumers of child pornography. Imagine a China (or another state of your choice) that sets its mind to providing the deprived and oppressed western masses with as much child pornography as they can download. Is the West's only admissible choice to dutifully round up and punish its own citizens? Is it clearer now?

So you're comparing access to child pornography with access to news?

You were supposed to compare --- not the forbidden things AS SUCH, but (a) the abstract fact that they're illegal, composed with (b) SANE ways your OWN country can react to the fact of a NON-FRIENDLY FOREIGN power engages in ENABLING, ENCOURAGING and ENTICING your own citizens to breach same law.

To give yet another example: At some point in time, exporting a 128-bit symmetrical block cypher from the US may have been grounds for punishing you, the perp.

Let's counterfactually assume that China was successfully propagandizing tens of thousands of US citizens about both the ridiculousness and the anti-freedomness of this law. Assume that thusly propagandized US citizens resisted and breached the law.

Again: Would you prefer that the US, assumed to be quite aware of the Chinese efforts, would have identified, rounded up and harshly punished US citizens having exported "munitions" in the form of 128-bit symmetrical block cyphers after having been successfully turned against perfectly patriotic (even if misguided) US policy by non-friendly Chinese propaganda, while completely not doing ANYTHING to stop that propaganda, even though PROVEN to put US CITIZENS IN JAIL??

An irrelevant rant, but the map of China looks really, really ugly without the two southern islands, Hainan and Taiwan. It looks like a rooster without legs.

At the very least, include Hainan, over which China's sovereign rights are in no way disputed. And for aesthetics and political honesty, show Taiwan in grey.

Taiwan is a separate country and has been for many years. Both the assertions of the PRC over Taiwan and ROC over the mainland are ridiculous.

For a long time I wondered why China was using censorship against outside information. I thought it was inefficient and probably useless; what did they have to fear?

Then I discovered that "color revolutions" were not happening by chance and that it was a CIA "technology" to remove an unwanted leader from a target country.

Now I understand why they use censorship. I still think they'd better educate their people (like the Russians seem to do) though. Whatever wall you build there will always be cracks.

>Then I discovered that "color revolutions" were not happening by chance and that it was a CIA "technology" to remove an unwanted leader from a target country.

>Now I understand why they use censorship.

You're being downvoted for this but I understand where you're coming from. The west has shown that it regularly targets other countries in terms of information warfare. We know, for example, that the CIA tried to instigate a coup last year through a Twitter like application[1]. We know JTRIG exists and what it exists for, etc. etc.

The West exerting influence through information/misinformation distribution, the corruption of online narratives, etc. is most certainly a threat to foreign entities.

I can understand why they would work to curb western influence in their countries and I don't blame them, and they use a very heavy-handed approach to deal with it.

There's an information/misinformation/psyops war going on every day on the internet and some entities have chosen to deal with it by filtering out anything that could be part of it.

Do I agree with them for doing so? Not really, I understand where they're coming from though. Do I think that they are actively fighting a threat? Yes, they quite likely are.

Things aren't as black and white as they would like us to believe.

It's no secret that the CIA (like many governments) engages in covert, propaganda, and information warfare against other nations.

But Chinese censorship is far from limited to preventing foreign espionage. How is the CIA more than a distraction or an excuse?

Russian TV is a great example of propaganda. Truths viewed from a special angle plus subtle lies... The problem is that a lot of people still believe everything that they see on TV :(

Now just make the lies obvious and you have Fox News! Fascinating how a privately owned channel can be indistinguishable from propaganda in all respects except supporting its government. If the US annexed Crimea under a republican president, you can bet Fox would try to whitewash it.

> subtle lies

Not that subtle, e.g., http://www.bbc.com/news/world-europe-32137302

I never said they don't lie but that they educate their population about this "color revolution thing".

Certainly the CIA supports some revolutions, but it's absurd to suggest that every revolution is a CIA plot.

Grandparent wasn't suggesting that.

It depends, I stand by the statement that every COLOR revolution is a CIA thing.

Are you sure the Russian education is not propaganda lies?

Propaganda is by definition a lie.

I meant they were educating them about "color revolutions" and that it was certainly better than just censoring the ideas that bring color revolutions.

> "Propaganda is by definition a lie."

Not even close to true. Propaganda can be lies. It can also be half-truths, carefully selected truths, or even full truths (should those truths put the organization issuing the propaganda in a good light). It can also be completely void of assertions (be they lies or truth) and contain nothing but emotional content. Humour is frequently used in modern propaganda. Funny internet videos that make fun of nations or their leaders, without actually making any sort of claim about them. Humour used as propaganda is particularly effective because anybody who argues against it will be told "Relax, it's just a joke. Stop taking it so seriously."

I do not know if the CIA was involved in the color revolutions but why would you trust what the Kremlin says? Do you believe the Kremlin has no interest in propaganda?

>educate their people (like the Russians seem to do)

Russian here and having hysterical fit now.

Parent probably thinks RT is free media

RT is certainly more free than any US news channel ... and for someone who remembers the first cold war, this is really worrying.

Interestingly, from traveling and having limited TV options in certain places, I've had broad exposure to RT.

Is it more free than any US news channel? No, I don't think so. The US mainstream media - Fox, CNN, MSNBC, etc. - are most certainly not free by any means and spend the majority of their time peddling a toxic, divisive narrative.

But RT? RT does the same, but for the Russian government. In fact, they go another step further and recruit westerners to present many anti-western shows to give their views more credibility here.

They do report the news on the west that otherwise gets brushed over or doesn't adhere to the narrative being peddled by mainstream US TV, but to say they're more free is something I would doubt.

While the US media spends its time dividing people and, for whatever reason, stoking the anti-Russian, anti-China and anti-NK flames the US government seem to want stoked at the moment, RT simply spends its time peddling an anti-Western narrative.

Both are ultimately propaganda machines. RT is somewhat interesting because it does give a different view on situations that we in the west are dominated by the western narrative with.

But when there's big, big money involved and close ties to government - as is the case with both the US mainstream media and RT - there is not much "freedom" involved.
