China's Great Cannon

264 points | acdha | 11 years ago | citizenlab.org | reply

169 comments

[+] wsxcde|11 years ago|reply
> We remain puzzled as to why the GC’s operator chose to first employ its capabilities in such a publicly visible fashion.

This is the most important question here. I think it's fair to assume this must've been a deliberate choice by the Chinese authorities to conduct such a visible attack. The alternative, that they didn't realize what they were getting into, that they thought Github would cave quickly, seems much too simplistic and naive. And whatever else you can say about the Chinese government, you can't accuse them of being naive.

If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities. The message being sent seems to be, "don't mess with us, we can do everything you can do and possibly more."

[+] bsder|11 years ago|reply
> If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities.

Probably deliberate with a lot of incompetence mixed in.

Most politicians have zero understanding of the Internet. They decided to do this as a demonstration of force and may not have consulted the people who built the Great Cannon. Or, the people who built it don't have the clout to say not to use it except for important reasons.

They also probably didn't realize that Github could eat the attack.

The problem with having done this is that, I suspect, a lot of ISPs now have null routes of China on standby along with bandwidth monitors that will choke traffic spikes from China almost immediately.

So, it didn't actually succeed. And people have now analyzed the attack and deployed countermeasures.

Not a great result for China.

[+] analyst74|11 years ago|reply
It's too weak as a show of force from a state government. GitHub is, after all, a small civilian service, despite its prominence within the tech community.

Even DDoS itself is not really a serious cyber warfare measure -- you can't really take down any major government agency (except their public-facing website) or core infrastructure with it. What's the biggest damage caused by DDoS in all of Internet's history?

Here is how I believe it goes down:

1. The new chairman issued a mandate that he wants to crack down on accessing illegal content on the Internet.

2. Different department heads make this top of their priority.

3. Somewhere down the management chain, a manager found those tools that help people access illegal content on the Internet.

4. The said manager himself, or one of his analysts, figures that if they bully GitHub with some DDoS, they'd cave and take down those tools. Points for promotion!

I doubt if even the US government takes this seriously.

[+] alex-g|11 years ago|reply
Maybe part of the explanation for this specific attack is incompetence - miscommunication, comparatively junior people exceeding their authority, subordinates afraid to object, and everyone doubling down rather than admitting defeat. I could definitely imagine the people who devised and built out the capability being furious at it being deployed like this.
[+] whoopdedo|11 years ago|reply

    Dr. Strangelove: Of course, the whole point
    of a Doomsday Machine is lost, if you *keep*
    it a *secret*! 
It aggravates me that other governments aren't making a bigger deal about this. This is a WMD where non-combatants are being unwittingly used to fight a computer war between countries they have nothing to do with.

We knew this was coming for 20 years![1] But instead of taking the high road and defending the internet from militarization, the governments of the world raced to become the first to make computer weapons and hasten the downward spiral to destruction. Sixty years ago we said "no weapons in space" and it was the right thing to do. It allowed the commercial use of satellites to grow without threat of being caught in the petty conflict of nations. The internet was supposed to be the next extra-national frontier and for a time it was. But now that there are weapons being fired why would I want to invest money in an internet business that may become the victim of a DDOS? My insurance doesn't cover acts of war, if I lose money because of it there's nothing I can do.

We've got treaties limiting the use of nuclear arms so innocent civilians aren't at risk of being irradiated. We've got treaties limiting chemical weapons so innocent civilians don't get their lungs burnt away. We've got treaties limiting land mines so innocent civilians don't get blown up when taking a hike through the woods. (Oh, and thanks for not ratifying that, Obama.) We need a treaty limiting computer weapons so innocent civilians don't have their computers hijacked and personal data put at risk.

[1] http://fmso.leavenworth.army.mil/documents/chinarma.htm

[+] NelsonMinar|11 years ago|reply
I'm no policy expert, but it seems likely to me to be a demonstration of capability. The Chinese government has been arguing for a while now for their right to "Internet Sovereignty", the ability to impose Chinese policy on Chinese users of the Internet. This attack seems to demonstrate they also feel the right to extend that sovereignty into other countries, to block services like GreatFire they think are harmful to their sovereignty. This attack is them showing the world they have the capability.

More detail on China's Internet Sovereignty theory: http://blogs.wsj.com/chinarealtime/2014/06/23/chinas-lays-ou... http://www.huffingtonpost.com/lu-wei/china-cyber-sovereignty...?

[+] EthanHeilman|11 years ago|reply
>I think it's fair to assume this must've been a deliberate choice by the Chinese authorities to conduct such a visible attack.

I think it is a fair explanation but I wouldn't assume it outright. The incompetence and ignorance of decision makers should never be underestimated when it comes to complex technology.

[+] yAnonymous|11 years ago|reply
>we can do everything you can do

Well, they couldn't take down Github.

[+] classicsnoot|11 years ago|reply
> you can't accuse them of being naive

I will. I am of the opinion that any country that thinks they can be a big player in the global economy and introduce open markets to their country whilst simultaneously limiting freedoms of speech and choice has a certain amount of innate naivety. This may be a silly notion, but is there any chance this was a mistake like the way Stuxnet broadcast itself to the world?
[+] xnull6guest|11 years ago|reply
I remain convinced that there was some reason other than cyberforce posturing for the DDOS. Past examples of highly visible international attacks (I'm thinking of SONY here) have been to punish and embarrass companies for being complicit with US foreign propaganda efforts (re leaked Bennett/State Dept./Lynton/RAND emails). I'm not saying the exact same motivation is in play, but as github hosts files - notably code - and many governments have been cracking down on file hosting and shares (like pastebin, etc).

This is speculation, but I prefer the explanation to cyberposturing, since this isn't something China needs to do, and as far as I can tell wouldn't benefit very much from.

The theory is in line with greatfire, as this organization is a "Civil Society Organization" funded ultimately by the US government to spread messages it wants within China. Github is more confusing.

[+] rsync|11 years ago|reply
> If you believe this was a deliberate attack, it seems this is a parade demonstrating electronic warfare abilities. The message being sent seems to be, "don't mess with us, we can do everything you can do and possibly more."

I think this is silly.

The bar is still set at stuxnet, in terms of computerized attacks on infrastructure. This is nowhere near stuxnet in terms of capability, destructive effect or ingenuity.

[+] JoachimS|11 years ago|reply
Also how the Chinese government shows little regard for their tech industry and is prepared to trash Baidu's reputation just to disturb some sites they find annoying.
[+] ddoolin|11 years ago|reply
Agreed. At only 1.75% of traffic, my guess is that they could pack a much bigger punch if they wanted to.
[+] vinceguidry|11 years ago|reply
It may not be as big and publicly visible as we think. Big would be targeting a stock exchange. Thinking at the nation-state level, Github is small potatoes. Who is going to know or care outside of the tech sector?
[+] ddlatham|11 years ago|reply
I mentioned this as a reply in the other thread on this topic, but just to make sure it is clear to those who may not have read or reasoned about the full report:

The reason it is powerful is not this particular attack. It's a demonstration that they are willing and able to inject malicious responses to any request going to a Chinese resource (web site, analytics service, ads, etc.). Imagine if instead of returning some DoS javascript they deliver a payload to silently exploit a vulnerability in your browser/OS (and they are surely capable of finding or purchasing those) to do whatever they want with it:

- Add it to a botnet

- Steal your personal data

- Infiltrate your corporate network

- Wipe your system (punishment for those accessing or producing GFW circumvention software)

Are you confident your browser never makes HTTP requests to Chinese servers? Are there tools we can install to prevent it?

[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here at different places.]

[+] jonawesomegreen|11 years ago|reply
I hope that this drives home the need to be using HTTPS everywhere we can be. It would make this kind of wide scale man-in-the-middle attack much harder to pull off and easier for users to detect. If only getting a certificate was an easier (less costly) process.
[+] leereeves|11 years ago|reply
When considering the effectiveness of HTTPS everywhere, we should assume the Chinese government will have the ability to create valid certificates.

This would allow them to perform MITM attacks against anyone who visits Chinese websites, even with HTTPS.

[+] zimbatm|11 years ago|reply
Just installed little snitch.

Almost every app on my mac is trying to access some resource on the web, most of them over port 80 or a mix-and-match of both 80 and 443. And then the OS itself has a variety of services that do the same. My computer is like a beacon of light that shines its position and personal information to everybody.

[+] alphapapa|11 years ago|reply
More than that, it drives home the need to disable JavaScript by default. To do otherwise is inviting every web site you visit (and every third-party site they load content from, and everyone who can compromise either) to run arbitrary code on your system.

And it drives home the stupidity of sites which demand JavaScript to view even simple content which could just as well be static.

[+] mark_l_watson|11 years ago|reply
I totally agree. I started using Cloudflare's free service to add HTTPS support to my most important sites. I have some concerns about routing my traffic through another company, but free is free and I really think people need to transition to HTTPS everywhere.
[+] seanmcdirmid|11 years ago|reply
Well, they sometimes block HTTPS traffic; e.g. for Wikipedia (even just wikimedia right now).
[+] EthanHeilman|11 years ago|reply
If China is responsible for this, it shows extreme recklessness on their part, a deep disrespect for the rule of law and the customs of the internet. The people in the chain of command responsible for this should be held criminally liable.

The lack of sophistication, ineffectiveness, and bluntness of the attack speaks toward a fundamental capability gap between China and the other "cyberpowers".

[+] xnull6guest|11 years ago|reply
There is no rule of law or customs of the internet, however. That's been the big push for the last decade within the US: to develop an international norms framework for the internet. The problem is that many of the activities being performed by China, Russia, France, Germany, the UK, Israel, Canada, the US, etc. are being performed by others - it's difficult for us to condemn China without equally condemning the others. (Those wanting to argue a straw man will suggest that the technical details of this attack are somehow above and beyond the pale of what other nations are known to do and make their argument about js injection.)

It's true that China is much more crass and less developed in their cyber capability. It isn't that much less effective however.

[+] jgrahamc|11 years ago|reply
State level injection is not new. Prior to the Tunisian revolution this was happening on HTTP Facebook pages: http://blog.jgc.org/2011/01/code-injected-to-steal-passwords...

HTTPS everything.

[+] acdha|11 years ago|reply
I think the big difference here is that it's being used to launch attacks outside of the country. For too many years, the assumption was that these large scale attacks either didn't happen or were only limited to people already subject to a particular government.

> HTTPS everything

… and with HSTS, too
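
The HTTPS and HSTS advice in this subthread, as an added example (not code from the thread or from Citizen Lab): a parser for the Strict-Transport-Security header with a weak and a corrected header side by side, so a defender can see which gaps still leave plain-HTTP fetches open to injection. The sample headers and function names are constructed.

```python
"""Parse and grade a Strict-Transport-Security header roughly as a browser
does (RFC 6797).  Added example, not code from the thread or from Citizen
Lab; the two sample headers are constructed."""
import re
from typing import List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600
WEAK_HSTS = "max-age=300"                                     # constructed
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"  # constructed

def parse_hsts(header: Optional[str]) -> Optional[Tuple[int, bool, bool]]:
    """Return (max_age, include_subdomains, preload), or None when the header
    is absent or malformed.  RFC 6797 requires max-age, forbids repeating a
    directive, and makes the browser drop the whole header on violation."""
    if header is None:
        return None
    max_age, include_sub, preload, seen = None, False, False, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # other directives are ignored, as the RFC says
    if max_age is None:
        return None
    return (max_age, include_sub, preload)

def hsts_findings(header: Optional[str], received_over_https: bool = True) -> List[str]:
    """List the gaps that still let a plain-HTTP fetch be injected;
    an empty list means the policy is as strong as HSTS gets."""
    if not received_over_https:
        # Browsers discard HSTS carried over plain HTTP: an injector could
        # have rewritten or stripped it on the way, so it proves nothing.
        return ["header ignored: not received over HTTPS"]
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    max_age, include_sub, preload = policy
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age of {max_age}s is below one year")
    if not include_sub:
        findings.append("includeSubDomains missing: HTTP assets on subdomains stay injectable")
    if not preload:
        findings.append("preload missing: the very first visit still trusts a plain-HTTP reply")
    return findings

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HSTS), ("strong", STRONG_HSTS)):
        print(label, hsts_findings(header) or ["no findings"])
```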

[+] alphapapa|11 years ago|reply
And disable JavaScript. And complain loudly to any site that requires it when it doesn't really need to. That would eliminate 99.99% of the attack vector for injected payloads.
[+] jacquesm|11 years ago|reply
If this was meant as a demonstration of power it failed miserably. A nation state attacking a single corporation, and not even a very large one at that, and all they managed to achieve was being blackholed in various spots and seeing their attack being consumed. Minor nuisance at best, and very much losing face, both in terms of goodwill and in terms of power.

If this was officially sanctioned heads will likely roll.

[+] borgia|11 years ago|reply
It is and it isn't powerful. I was pretty impressed by how they attacked GitHub (not why) and in doing so they showed the power of the tool.

However, the requests it made could have easily been turned back against Chinese business if Github so wanted. It couldn't be done because there was no reasonable "who" to turn the traffic back against. If non-Chinese companies simply said "If China uses these tools we will redirect the traffic at a number of large Chinese businesses" then a lot of the power in the tool is immediately withdrawn.

At least that's my interpretation of it.

[+] lovemenot|11 years ago|reply
A bit far-fetched perhaps, but could it be that this attack on Github's front-end was a mere feint for a separate attack on their back-end?

If there's a repo hosted there that someone in China wanted to modify, perhaps they would use DOS as cover for a surreptitious maneuver which might otherwise get noticed.

This is likely just showing my ignorance of Git, but could an attacker having sufficient compute resources to arrange a Git hash collision and having back-end access to Github, modify sources without it being noticed by the repo owner?

[+] mike-cardwell|11 years ago|reply
Pretty much any country could perform this attack. The interesting thing about this, is that China thinks it can get away with openly attacking foreign companies. And it might even be right about that.

Anyone remember what happened when North Korea attacked Sony? Where are the sanctions this time?

[+] cinskiy|11 years ago|reply
AFAICR there is still no evidence that North Korea attacked Sony, but everybody seems to think they did.
[+] rayalez|11 years ago|reply
Another weird thing about the whole situation, besides the reasons for the attack and reasons for it failing, there's a question - why github?

Seems like a weird choice for a target. Github is neutral, and github is unambiguously good. Aren't there better targets attacking which would have at least a semi-plausible excuse?

I mean attacking github is like screaming "I'm evil".

Besides, if you want to "demonstrate your power", github is the worst choice for that purpose. They are likely to successfully fend off the attack, yet at the same time even if China would succeed it wouldn't have much to be proud of either (country vs a small company). It's a lose-lose....

[+] classicsnoot|11 years ago|reply
People talk of boycotting china's products, but has there ever been a real discussion about refusing to sell products in China? With the growing desire for western/external goods, cutting off the Chinese people's access to our[sic] trinkets and stuff might put real pressure on the State to back off on censorship and HRVs to forestall any popular movement...
[+] moe|11 years ago|reply
I don't like the underlying assumption in all these articles that the Chinese government was behind the attacks, as if we had proof for anything.

Apart from the rather blurry technical analysis this particular article claims:

> In recent public statements, China has deflected questions regarding whether they are behind the attack

But when you follow the actual citation[1] it refers to this rather underwhelming exchange, which took place at a Chinese press conference:

  QUESTION: [..] a report says that a US website was under
            hacker attack, and the source of the attack was from China.
            How do you respond?

  ANSWER: [..] it is quite odd that every time a website in
          the US or any other country is under attack, there
          will be speculation that Chinese hackers are behind it.
          I'd like to remind you that China is one of the
          major victims of cyber attacks. [..]

So the Chinese press lady gave her standard boilerplate response, to a less than specific inquiry (which she probably hears on every press conference), in between handling questions about illegal fishing in Somali waters and the Arab League Summit's commitment to a joint Arab military force.

And this is now "compelling evidence" for China being officially behind the Github attack?

[1] http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/251...

[+] wmt|11 years ago|reply
The technical analysis pinpointing the attack to the Chinese government was definitely not blurry. TTL based tracing is very deterministic and easy to understand, and finding the injection point to be at the same spot as the Great Firewall is pretty much the closest thing to a smoking gun with regards to Internet attacks.

Of course, while the smoking gun was found in Chinese Internet censorship offices and was covered with fingerprints of Chinese Internet censorship officials, it still might not have been perpetrated by the Chinese Internet censorship officials. It is only very likely that they were behind the attack.

[+] NelsonMinar|11 years ago|reply
Your comment is thoughtful so I'll reply in kind. Is there any other plausible actor who could be carrying on this attack for so long? And is motivated to attack GreatFire? The Chinese government controls their Internet connection to the world with a firm hand. Who else could it be?

I agree that more technical evidence of the attack's source would be welcome. But the analysis published here is pretty convincing. Specifically "the GC acted on traffic between hop 17 and hop 18, the same link we observed as responsible for the GFW". There are pcap files if you want to verify for yourself.
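
The TTL-limited tracing that wmt and NelsonMinar refer to, as an added simulation (not Citizen Lab's code or pcaps): a constructed path model stands in for real probes, and the locator narrows the injector down to a single link the way the report's "between hop 17 and hop 18" result did. The probe model, the hit rate and the function names are assumptions.

```python
"""Locate a packet injector with TTL-limited probes.  Added example: a
simulation of the measurement Citizen Lab describes, not their code or data.
Each probe resends the same HTTP request with a fixed IP TTL.  Routers
discard the packet once the TTL is used up, so an injected reply can only
come back if the injector sits within that many hops; the lowest TTL that
still triggers injection pins the injector to one link."""
import random
from typing import Callable, Optional, Tuple

LEGIT_BODY = "/* the script the origin really serves */"   # constructed
INJECTED_BODY = "/* something else entirely */"             # constructed
Probe = Callable[[int], Optional[str]]

def make_constructed_path(injector_after_hop: int, server_hop: int,
                          inject_prob: float, seed: int = 1) -> Probe:
    """Stand-in for the network: the origin server is hop `server_hop` and
    the injector watches the link just past hop `injector_after_hop`.
    probe(ttl) returns the reply body, or None when the packet died first."""
    rng = random.Random(seed)
    def probe(ttl: int) -> Optional[str]:
        # A packet sent with TTL t is dropped by hop t, so it only crosses
        # the link after hop h when t > h.  The injector fires on a fraction
        # of what it sees, as the GC did (the report gives a small fraction).
        if ttl > injector_after_hop and rng.random() < inject_prob:
            return INJECTED_BODY
        if ttl >= server_hop:
            return LEGIT_BODY
        return None
    return probe

def injected_at(probe: Probe, ttl: int, attempts: int) -> bool:
    """Repeat the probe because injection is probabilistic; any reply that
    differs from what the origin serves counts as injected."""
    for _ in range(attempts):
        body = probe(ttl)
        if body is not None and body != LEGIT_BODY:
            return True
    return False

def locate_injector(probe: Probe, max_ttl: int = 64,
                    attempts: int = 50) -> Optional[Tuple[int, int]]:
    """Binary-search the smallest TTL that still yields injection and return
    the link (hop, hop + 1) the injector sits on; None if nothing was injected
    even at max_ttl.  With a low hit rate, raise `attempts` so that a miss
    cannot be mistaken for a clean hop."""
    if not injected_at(probe, max_ttl, attempts):
        return None
    lo, hi = 1, max_ttl          # invariant: injection seen at hi
    while lo < hi:
        mid = (lo + hi) // 2
        if injected_at(probe, mid, attempts):
            hi = mid
        else:
            lo = mid + 1
    return (hi - 1, hi)

if __name__ == "__main__":
    # Constructed path mirroring the report's finding: injector between
    # hop 17 and hop 18, origin 25 hops away, hitting 30% of requests.
    path = make_constructed_path(17, 25, 0.3)
    print(locate_injector(path))   # (17, 18)
```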

[+] rpedroso|11 years ago|reply
The leap to blame the Chinese government for this attack reminds me of the leap to attribute the Sony attack to North Korea.

It's possible that North Korea was responsible, but the primary evidence the FBI held up was that the malware used was similar to malware used by DPRK in previous attacks. As many researchers pointed out[1], that malware has been widely available outside DPRK for years.

Certain 3-letter agencies have claimed to have additional intelligence pointing towards North Korea[2], but don't go into significant detail. "We're the NSA, so just trust us"

In both cases, it's possible the attack was carried out by a state actor, but I'm personally unwilling to point a finger without better evidence than what I've seen.

[1] http://www.cnn.com/2014/12/27/tech/north-korea-expert-doubts...

[2] http://recode.net/2015/01/18/how-the-u-s-knew-north-korea-wa...

[+] ck2|11 years ago|reply
They did this because they have nothing to lose and can show off their technical prowess.

What exactly is the world going to do - sanction them and stop buying nearly everything from their factories?

I fear the US is going to seriously regret building up China with all our economic business instead of building up all of Central and South America.

[+] ddoolin|11 years ago|reply
Why would China only swap scripts for users OUTSIDE China? And why only 1.75% of the time? If they're willing to do this level of `cyber warfare`, why stop at its own citizenry, or cap it at a number like that?
[+] vondur|11 years ago|reply
I wonder how hard it would be to take down the Great Firewall? I'd imagine that may cause some consternation within the ruling party.
[+] cooleng|11 years ago|reply
Is there an addon/extension for firefox/chrome that can block all the website from China?
[+] hacktavist|11 years ago|reply
Crazy, my friend Bill worked on this; he's the one mentioned in the article.
[+] eyeareque|11 years ago|reply
Is it too late for http2 to require encryption by default?
[+] amaranth|11 years ago|reply
According to http://en.wikipedia.org/wiki/HTTP/2#Encryption and the browser support section this is already the case, at least for server<->browser communication. If unencrypted HTTP/2 gets any use at all it will only be for server<->server communication (RPC and such).
[+] bkmrkr|11 years ago|reply
Is citizenlab down for anyone else?
[+] fown9|11 years ago|reply
China has an authoritarian government that produces pollution that threatens the entire world, ignores human rights and free speech, and supports dictators in Russia and Africa. If China gets any more powerful, the world is doomed. We need to curb commerce with China.
[+] Lorento|11 years ago|reply
Replace China with USA and see how it looks.
[+] newuser88273|11 years ago|reply
...and watch China flood the US with dollars (it has a few of those, y'know?), halt all Apple smartphone production and lobby hard and successfully to finally replace the petrodollar?

Maybe all-out war is not the fitting answer to what was, realistically, a tempest in a teapot.