Google Hacked, May Pull Out of China
D H NG writes "Following a sophisticated attack on Google infrastructure originating from China late last year, Google has decided to take 'a new approach' to China. In their investigation, Google found that more than 20 large companies had been infiltrated and dozens of Chinese human rights activists' Gmail accounts had been compromised. Google has decided to 'review the feasibility of [its] business operations in China,' no longer censoring results in Google.cn, and if necessary, to 'shut down Google.cn, and potentially [Google's] offices in China.'"
What? The URL string is not available over an SSL connection. Here's a transcript, including headers, of an HTTPS request.
AW#$GAWE$gae3gtraweRGEGaergaweRGTawerGTAWERGTW#trgse3ryg35g
You get the idea. No URI string available. All they could detect is the destination server.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
You can check to see who's logged into your Gmail account by checking the last account activity link at the bottom of your Gmail screen.
It's not the first foreign company that had massive problems with China, even in the last year. The government arrested employees of the Australian Rio Tinto steel company a few months ago, after negotiations broke down with a government backed company (the government didn't want to pay as much as Rio Tinto wanted to charge). The government arrested the employees for industrial espionage and bribing.
The scary thing is, it is essentially impossible for a foreign company to do business in China without bribes, even a small company. The Rio Tinto case wasn't publicized much in the mainstream media (at least in the US), but it was fairly well covered in the Wall Street Journal, and I guarantee executives of a lot of companies paid attention. Being arrested in China because the government doesn't like you is a risk that can outweigh a huge profit margin.
I would honestly suggest that if you are considering outsourcing to China, that you do it instead to India or Eastern Europe, because the unknowns are much smaller.
Qxe4
http://www.google.cn/search?hl=zh-CN&source=hp&q=tianamen+square+massacre currently gives 1,350,000 results. If it's also doing that on the other side of the great firewall of China, then they have already done something BIG.
A pizza of radius z and thickness a has a volume of pi z z a
When Google goes (and with that YouTube etc etc) it will be noticed far more clearly than some dissident being locked up.
I don't know that Google will be missed as much as you think it will be, and foreign websites disappearing from the Chinese internet is a regular enough occurrence that it hardly rates a mention anymore.
YouTube has been gone (blocked) for a year+ now. Same with Facebook, which was blocked just as it was achieving some popularity in China. The average Chinese person doesn't use Google, YouTube or Facebook. They use the local versions: Baidu, Youku and Kaixinwang.
That said, I would prefer to see Google stay in China, even with a little bit of censorship. The Chinese internet is already so disconnected from the internet that we know, but having a player like Google is at least a small bridge over the divide.
So, what the parent proposed is this... you have a router that pretends to be an HTTPS server between you and https://www.bank.com/. So, when you connect to the website, you're actually negotiating an SSL session with the router while the router negotiates another SSL session with www.bank.com.
This sounds all well and dandy.. except, how can the router in between convince your browser that it isn't really the bank's website?
So the parent's argument is... the organization who owns the router, controls the CA who signed www.bank.com's certificate too. However, even this would give you problems...
Add in the fact that you have plenty of people in China who have found ways to bypass the GFW, and that browsers seeing different fingerprints from the same website's certificates would give out red warning screens, your scheme is already not working well.
Next, it's about the CAs themselves. Every major OS and browser comes with a list of trusted CAs. Do you see many Chinese names there? No? And seeing Green Dam's PR disaster - if the Chinese government bothers to "coerce" foreign CAs to give them private keys, you can guess what the response is.
So, the reality is, even the Chinese government has no way of pulling out the already imperfect man-in-the-middle I described above. Yes, they can still give you a website with a different CA and probably with a self-signed cert, but again any sensible browser would jump up and down about it, which is definitely a strong motivator for anyone interested in privacy to somehow get foreign VPN access or simply just go to a Tor-like network.
Next common question... the textbook version of DH can be man-in-the-middled. While it is theoretically possible to MITM basic non-authenticated Diffie-Hellman without touching all the cert related stuff, it's not really practical since anonymous Diffie-Hellman is disabled by most web servers (e.g. the !ADH SSL cipher suite option in default Apache config) and I think most modern browsers wouldn't allow it anyway. What most real web servers do during SSL key exchange these days is either fixed DH or ephemeral DH, which aren't known to be susceptible to MITM unless the authentication in question isn't meaningful (e.g. self-signed certs, again, which is guaranteed to give you browser warnings).
Google appears to be a proud protector of the Gmail accounts of China's Human Rights activists, when it says that "Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves."
Is this the same Google which Hands over IP addresses of activists to Indian Police?
What about Google Sets Censorship Precedent In India?
Mumbai Cyber Sleuths are a law unto themselves, ordering Americans around: Mumbai Police Order American to delete Cartoon
Why does Google co-operate so tamely with Mumbai Cyber police? Why did Google hand over IPs in 2007 entangling an innocent man in the Police web?
And yet talk of Human Rights in China? Don't the Indians have Human Rights too?
Oh seriously, you believe there is a market of over a billion in China? Only around 300 million of those people are considered above poverty (for China), and a very small percentage of that have what the average American would call an acceptable income. Yes it's an emerging market, but who cares when the guys down the street will just knock off your product within a month? Sure it'll be inferior, but it'll be less than half the price of yours.
Hell look at the current debacle with Cadmium. One of the excuses given that it's even used is that jewelry made of it is usually marked for sale only in China. At least people here have the ability to find out in retrospect lil-Jamie's necklace you gave her for X-Mas impairs brain function. In China that junk is sold all over without someone even thinking about it.
I travel to China frequently, and see this kind of thing happening all over. Market of over a billion my ass. More like market of just over a billion waiting to see what they can copy next.
Confirmed. This kind of stuff is pretty crazy.
I am a Chinese student.
Thanks to the Internet, we Chinese ppl these days can get this information more easily than before. We know about things like the Tienanmen event, etc. Well, we have some places to share this information (p2p rocks, doesn't it?). As far as I know, most students in my college have knowledge of what happened in those years and sometimes we chat about that.
Admittedly, there is GFW trying to block some websites. But in the age of Internet, there is really nothing that could block us from the facts.
The irony is that Rio Tinto is one of the very few companies that have played straight up in China. They do not bribe in China, and this has angered no small number of officials. In this instance the Australian executive that has been detained was born in China. This is China's way of instilling fear into other similar Chinese born to not f**k with the motherland. I have to imagine that it will work.