Evidence Weakens That China Did the Recent Cyberattacks
click2005 notes an article in The Register calling into question the one piece of hard evidence that has been put forward to pin the Google cyberattacks on China. It was claimed that a CRC algorithm found in the Aurora attack code was particular to Chinese-language developers. Now evidence emerges that this algorithm has been widely known for years and used in English-language books and websites. Wired has a post introducing the Pentagon's recently initiated effort to identify the "digital DNA" of hackers and/or their tools; this program is part of a wide-ranging effort by the US government to find useful means of deterring cyberattacks. A NY Times article notes that Google may have found the best deterrence so far: the threat to withdraw its services from the Chinese market.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.
Emphasis mine. Nowhere is he talking about a CRC algorithm or even fingerprinting the attack to a particular country. Instead, the obvious question is simply this: Who else would hack one of the most successful companies in the world only to read the e-mails of Human Rights Activists in China? What possible gain could anyone else have from this information?
I'm not saying hard evidence has been provided one way or the other (I'm not even sure it could be proven one way or the other unless someone claims ownership), but the only evidence the accuser offered up was this. Not that the "algorithm was only known to Chinese" nor anything so simplistic.
My work here is dung.
This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese:
Oh. My. God. I just reran the search and it's changed. The top results are in English! It's the British that are attacking Google! Wait, one of the links is to a Blogspot site. Sweet Jesus, the attacks are coming from inside Google's own employee base! But wait, if you click crc_ta[16] enough times then Slashdot will show up in the list. Meaning Slashdot is the attacker on Google!
Oh Great Britain, Slashdot and even Google themselves, why have you forsaken us?
Google's pageranking engine returns a good enough set of available crawlable webpages. It does not indicate guilt or scan all of human knowledge. Using it as any sort of evidence in a huge international scandal is less than prudent.
My work here is dung.
We were using and describing digital DNA in the mid to late 80s, although the terminology used was slightly different, as we /stole/ the term FIST from ham radio to use for it. It's actually an interesting technique, although we weren't that sophisticated, as we only looked at command streams and linguistics to identify country of origin, style of attack and group M.O. rather than pinpointing the actual attacker.
It was actually used successfully in a few virus and trojan incidents and I still have at least a partial copy of the NARK database I collated at the time.
So... Throwing this out there...
hypothetically could it have been the Human Rights groups in China?
Yes, it would be an odd move, as it could put themselves and their friends in quite a bit of danger, but it could also be high reward if other countries fall for it and do something about it (if they could).
I know it's bad to think about the victim as possibly being the one who set things up, but from time to time we need to at least explore the idea, or you will get played repeatedly.
Evidence weakens that Joe Stewart's analysis shows that the CRC algorithm used in the attack was developed by Chinese programmers.
As other folks have pointed out, this is NOT the basis of Google's or others' assessments that the attacks originated from within mainland China, and in no way does it weaken the evidence regarding the origin of the attack.
Why all the pro-China posts lately on Slashdot?
We getting astro-turfed by Red China?
They claimed, of course they didn't do it, and seem to never mention by name the laws that Google must abide by.
Screw them.
How do you say "Propaganda" in Chinese?
As someone who has been reverse engineering quite a bit of software recently, I can tell you that the assembly code from the attack and the Chinese version of the algorithm match completely. In other words, the output looks like exactly what an (optimizing) compiler would've produced given that source code. Note the operations performed inside the loop and the use of stack allocation for the table (and therefore the required initialization every time the function is called).
As far as I can see, none of the English versions are similar. Sure, they implement the same algorithm, but the Chinese implementation matches the attack code, not just the algorithm.
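The distinction the comment above draws, between matching the algorithm and matching the implementation, is easier to see side by side. The following is an added example written for this page; it is not the Aurora code, not Joe Stewart's listing, and not any of the English-language versions mentioned in the thread. It assumes the CRC-16/XMODEM parameters (polynomial 0x1021, initial value 0, no reflection, no final XOR) purely for illustration; no claim is made about which polynomial the attack binary used. Form A is the shape described above: a 16-entry nibble table (`crc_ta[16]`) as a local array with an initializer list, so every call copies the constants onto the stack before looping. Form B is the shape most textbook and web listings take: a 256-entry table built once into static storage. Form C is a bit-at-a-time reference. All three return the same value for every input, which is exactly why "same algorithm" says nothing about which source a given binary was compiled from, while the loop body and the stack table do.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page, not code from the attack or from any post
 * in the thread. ASSUMPTION: CRC-16/XMODEM parameters (poly 0x1021,
 * init 0, no reflection, no final XOR). The point is the *shape* of the
 * implementations, not the choice of polynomial. */
#define CRC16_POLY 0x1021u

/* Form A: 16-entry nibble table in a local (stack) array with an
 * initializer list. An optimizing compiler still has to copy these 16
 * constants onto the stack on every call, and the loop consumes each
 * byte as two 4-bit table lookups. Each entry is the CRC of nibble i
 * placed in the top four bits, i.e. (i << 12) pushed through four
 * polynomial shift steps. */
uint16_t crc16_nibble_table(const uint8_t *data, size_t len)
{
    uint16_t crc_ta[16] = {
        0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7,
        0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef
    };
    uint16_t crc = 0;
    while (len--) {
        uint8_t c = *data++;
        crc = (uint16_t)((crc << 4) ^ crc_ta[((crc >> 12) ^ (c >> 4)) & 0x0f]);
        crc = (uint16_t)((crc << 4) ^ crc_ta[((crc >> 12) ^ c) & 0x0f]);
    }
    return crc;
}

/* Form B: 256-entry byte table in static storage, built once. The loop
 * does one lookup per byte and never touches the stack for the table. */
static uint16_t crc_table_256[256];
static int crc_table_ready = 0;

static void crc16_build_table(void)
{
    for (unsigned i = 0; i < 256; i++) {
        uint16_t r = (uint16_t)(i << 8);
        for (int b = 0; b < 8; b++)
            r = (r & 0x8000u) ? (uint16_t)((r << 1) ^ CRC16_POLY) : (uint16_t)(r << 1);
        crc_table_256[i] = r;
    }
    crc_table_ready = 1;
}

uint16_t crc16_byte_table(const uint8_t *data, size_t len)
{
    if (!crc_table_ready)
        crc16_build_table();
    uint16_t crc = 0;
    while (len--)
        crc = (uint16_t)((crc << 8) ^ crc_table_256[((crc >> 8) ^ *data++) & 0xff]);
    return crc;
}

/* Form C: bit-at-a-time reference, no table at all. */
uint16_t crc16_bitwise(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    while (len--) {
        crc ^= (uint16_t)(*data++ << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ CRC16_POLY) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Returns 1 when all three forms agree on the input, 0 otherwise. */
int crc16_forms_agree(const uint8_t *data, size_t len)
{
    uint16_t a = crc16_nibble_table(data, len);
    return a == crc16_byte_table(data, len) && a == crc16_bitwise(data, len);
}

int main(void)
{
    /* Constructed sample input: the conventional CRC check string. */
    const char *s = "123456789";
    size_t n = strlen(s);
    printf("nibble-table: 0x%04x\n", crc16_nibble_table((const uint8_t *)s, n));
    printf("byte-table:   0x%04x\n", crc16_byte_table((const uint8_t *)s, n));
    printf("bitwise:      0x%04x\n", crc16_bitwise((const uint8_t *)s, n));
    return crc16_forms_agree((const uint8_t *)s, n) ? 0 : 1;
}
```

All three print 0x31c3 for "123456789" (the published CRC-16/XMODEM check value). Compiled with optimization, Form A is the one whose prologue copies sixteen 16-bit constants to the stack and whose loop shifts by 4 twice per byte; Form B's loop shifts by 8 once and indexes a table in .data or .bss. Those are the features a reverse engineer can match against a binary, which is a far stronger claim than "the same polynomial appears in English-language books".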
Please stop finding and posting evidence contrary to my preconceived notions! Enough already. As it is, I am trying to contain my cognitive dissonance and I can do without all this pesky counter-evidence, thank you. Next you will ask me to believe that Microsoft is not 100% evil and Apple is not 100% cool and Google is not 100% non-Evil (tm).
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Google doesn't have to prove things beyond a reasonable doubt. More to the point they don't have to prove it beyond any and all doubt no matter what, which is the standard many geeks seem to use. Internally, they only have to prove it to their own satisfaction, which it would seem they've done.
How hard is that? Parse /var/log/secure, do a lookup and see where the attacks are coming from.
Right, because there's no such thing as proxies.
Do you recall how unfair you thought it was when your third-grade teacher punished the entire class for the misbehavior of one student because she couldn't identify the perpetrator? That's exactly what Google is doing. It's not "deterrence" at all. At best it's indirect deterrence, since it doesn't affect hackers directly; what it affects is the entire Chinese "class" by withdrawing from its network and e-economy, hurting or diminishing the many in an attempt to change the behavior of just a few.
As an FYI, skip the NYTimes version of this story, I have had 4 users walk in today with infected systems. It appears that NYTimes has pulled another screwup in security land http://news.cnet.com/8301-1009_3-10351460-83.html
Except that the scale of the attacks, the targets of the attacks, and the fact that they went on in a country that is fanatical about monitoring internet use, strongly suggests that the Chinese government either conducted or encouraged the attack. So it is reasonable for Google to hold the Chinese government responsible. Clearly Google's view is, "We try to cooperate with your unreasonable censorship rules, we expect you not to try to crack into our systems. You didn't hold up your end of the bargain, so the deal is off. If you don't like it, we'll take our ball and go home."
I suppose you'd argue in favor of holding the phone company responsible if you received a harassing phone call as well? You're right, that is a bit of a stretch.
/var/log/secure will only catch the most amateur of 'hackers'. The topic at hand is what else one can do to determine who's ultimately behind it.
My point was that it's really easy to mask where you're coming from by bouncing through legitimate services provided by companies all over the world (who I'm sure would be quite reluctant to release their logfiles just because you asked for them really nicely). Looking at
I don't like China, and I think their government is insanely authoritarian. From Green Dam to pulling Avatar out of theaters to having no health standards on the toys they produce is only the beginning. I've heard so many bad things about the Chinese government I wouldn't even know where to begin. But it doesn't take a genius to realize China is NOT behind these attacks.
Let's look at the facts. First, Google releases a statement saying they were attacked, and they think it was China, and as a result they are going to remove search restrictions on Google China. Almost immediately following this, Hillary Clinton demands that China explain themselves and Obama somehow diverts the issue of the attack into a case against how we all don't like Chinese govt internet policies... which is really a separate issue.
The fact is, if the Chinese gov't were to hack into Google, they wouldn't make it so damn obvious. Secondly, after suspicion is squarely put on China, and China vehemently denies it, there is a DDoS attack against those Chinese human rights organizations...for 16 hours. Ok...denial of service for 16 hours....what does this accomplish? There was no extortion. It accomplished absolutely nothing. That is, absolutely nothing beneficial for China. All it does is make China look even more guilty to the idiots who buy into this little hoax. But China is not so stupid. If they had been responsible, and caught, they would be trying to lay low...not exacerbate the situation! The only purpose that those DDoS attacks served was to further frame China and make people angry at them. It wasn't China.
I don't know who it was, but my gut tells me it was more likely the US looking for an excuse to further degrade US-China relations. Why would the US want to degrade US-China relations? I don't know, but maybe it has something to do with the trillions of dollars we owe China and have no way to pay back. Just saying...