Slashdot Mirror


Evidence Weakens That China Did the Recent Cyberattacks

click2005 notes an article in The Register calling into question the one piece of hard evidence that has been put forward to pin the Google cyberattacks on China. It was claimed that a CRC algorithm found in the Aurora attack code was particular to Chinese-language developers. Now evidence emerges that this algorithm has been widely known for years and used in English-language books and websites. Wired has a post introducing the Pentagon's recently initiated effort to identify the "digital DNA" of hackers and/or their tools; this program is part of a wide-ranging effort by the US government to find useful means of deterring cyberattacks. This latter NY Times article notes that Google may have found the best deterrence so far — the threat to withdraw its services from the Chinese market.

28 of 197 comments

  1. Don't Be Foolish by eldavojohn · · Score: 5, Insightful
    Let's check out the official Google word from the official legal chief officer of Google:

    Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.

    Emphasis mine. Nowhere is he talking about a CRC algorithm or even fingerprinting the attack to a particular country. Instead, the obvious question is simply this: Who else would hack one of the most successful companies in the world only to read the e-mails of Human Rights Activists in China? What possible gain could anyone else have from this information?

    I'm not saying hard evidence has been provided one way or the other (I'm not even sure it could be proven one way or the other unless someone claims ownership) but the only evidence the accuser offered up was this. Not that the "algorithm was only known to Chinese" nor anything as simpleton.

    --
    My work here is dung.
    1. Re:Don't Be Foolish by TheKidWho · · Score: 5, Insightful

      Someone who is trying to discredit China?

    2. Re:Don't Be Foolish by Monkeedude1212 · · Score: 4, Insightful

      Exactly. Thread over. Nothing else to say.

      I certainly didn't think it was the Chinese because the attacks supposedly originated in China. I thought it was the Chinese because it was after the accounts of Chinese Human rights activists.

      Unless THAT part can get discredited, I will still point my finger.

    3. Re:Don't Be Foolish by hey! · · Score: 3, Interesting

      Let me play devil's advocate here for one second.

      You are assuming that the only party interested in following or harassing the human rights activists is the Chinese government. It's not hard to think up *other* persons or groups that might be interested. Judging from the ultra-nationalist kooks we have, we can imagine private nutcases who think of themselves as more patriotic than the government, who think the Party is much too wishy-washy on the issues of class traitors and much too interested in appeasing the West.

      That's just the second most likely scenario. Other, more exotic scenarios are possible as well. In a world with so many people connected to the Internet, virtually every kind of crackpot you can imagine is out there. All it takes is one with an Internet feed.

      I think we have a preponderance of evidence situation here. On the whole, the most likely culprit is the Chinese government. But it's not quite to the "beyond a reasonable doubt" stage. You look at the whole web of evidence: the motivations, track record of past behavior, known propensities to industrial espionage, methods used, means and opportunity. Virtually every single datum is likely to have an innocuous explanation. It's the overall picture that convicts.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Don't Be Foolish by DeltaQH · · Score: 5, Funny

      Someone trying to say that someone is trying to discredit China?

    5. Re:Don't Be Foolish by Anonymous Coward · · Score: 3, Funny

      Right, of course. I was framed! Poor Chinese, all they want to do is run people over with tanks and everyone has to keep bothering them.

    6. Re:Don't Be Foolish by sakdoctor · · Score: 4, Funny

      You just can't see past the end of your nose, to the possibility that it was someone trying to discredit someone who tried to say that someone is trying to discredit China.

    7. Re:Don't Be Foolish by pushing-robot · · Score: 4, Funny

      Truly, you have a dizzying intellect.

      --
      How can I believe you when you tell me what I don't want to hear?
    8. Re:Don't Be Foolish by lewp · · Score: 5, Funny

      Politics does have a tendency to produce gang-bangs.

      Go to school for Computer Science, they said... Get a good job, they said...

      --
      Game... blouses.
    9. Re:Don't Be Foolish by jank1887 · · Score: 4, Funny

      Wait til I get going! Now, where was I?

    10. Re:Don't Be Foolish by dgatwood · · Score: 4, Interesting

      Something about a land war in Asia.

      Which brings us to the second-most likely suspect: one of Google's competitors in China. Think about it for a moment:

      • If they successfully hack the servers, they give the info to the Chinese government and Google gets blamed for revealing data even if they didn't. The American public gets mad at Google, who loses market share. The dissidents hear about it through the underground and realize that Google is insecure and they lose more market share.
      • If they get caught, everyone blames the Chinese government, Google has a hissy fit and pulls out of China and loses all its market share.

      It's a win-win as long as it can't be pinned on them specifically.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    11. Re:Don't Be Foolish by dgatwood · · Score: 4, Insightful

      You think it's more likely that a CEO made a moral choice? Don't make me laugh. If morals had anything to do with it, they would never have gotten into China in the first place. It's not like Tiananmen Square hadn't happened yet....

      No, I strongly suspect it's more like "Betraying the trust of other people is okay as long as you don't betray mine." And odds are, in a few months, this will all be forgotten and it will be back to business as usual, censorship, spying, and all. I'd love to be wrong about my cynicism, but it happens so rarely these days....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:Don't Be Foolish by Aphoxema · · Score: 3, Insightful

      What possible gain could anyone else have from this information?

      *shrug* A loyal PRC citizen wanting to do the "right thing" or someone who'd like to sell the information for money to the Chinese government or someone else who might need leverage in negotiation with the Chinese government.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  2. Xenogooglia Run Amok by eldavojohn · · Score: 5, Funny

    This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese:

    Oh. My. God. I just reran the search and it's changed. The top results are in English! It's the British that are attacking Google! Wait, one of the links is to a Blogspot site. Sweet Jesus, the attacks are coming from inside Google's own employee base! But wait, if you click crc_ta[16] enough times then Slashdot will show up in the list. Meaning Slashdot is the attacker on Google!

    Oh Great Britain, Slashdot and even Google themselves, why have you forsaken us?

    Google's pageranking engine returns a good enough set of available crawlable webpages. It does not indicate guilt or scan all of human knowledge. Using it as any sort of evidence in a huge international scandal is less than prudent.

    --
    My work here is dung.
  3. digital DNA is years old by walkoff · · Score: 3, Informative

    We were using and describing digital DNA in the mid to late 80s, although the terminology used was slightly different as we /stole/ the term FIST from ham radio to use for it. It's actually an interesting technique, although we weren't that sophisticated as we only looked at command streams and linguistics to identify country of origin and style of attack and group M.O. rather than pinpointing the actual attacker. It was actually used successfully in a few virus and trojan incidents and I still have at least a partial copy of the NARK database I collated at the time.

  4. Let's Be Foolish by weszz · · Score: 5, Interesting

    So... Throwing this out there...

      hypothetically could it have been the Human Rights groups in China?

    Yes it would be an odd move as it could put themselves and their friends in quite a bit of danger, but it could also be high reward, if other countries fall for it and do something about it (if they could)

    I know it's bad to think about the victim as possible being the one who set things up, but from time to time we need to at least explore the idea, or you will get played repeatedly.

    1. Re:Let's Be Foolish by Yvanhoe · · Score: 3, Interesting

      It requires someone with enough confidence and resources to attack about twenty US companies for months.
      It requires someone to anticipate the unusual move of Google on this attack.
      It requires someone confident enough to operate from China and escape the Chinese government's scrutiny, even after their operations have been revealed.
      I think that makes a lot of hypotheses.

      The Chinese government has spent hundreds of millions training a "cyber-army". Maybe they have spent so much on that toy that they are flexing their muscles a bit? It is not that long ago that experts were warning about the hacking capabilities of China.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  5. weakened evidence... of what? by jdgeorge · · Score: 3, Insightful

    Evidence weakens that Joe Stewart's analysis shows that the CRC algorithm used in the attack was developed by Chinese programmers.

    As other folks have pointed out, this is NOT the basis of Google's or others' assessments that the attacks originated from within mainland China, and in no way does it weaken the evidence regarding the origin of the attack.

  6. The Chinese code matches _exactly_ by marcansoft · · Score: 5, Interesting

    As someone who has been reverse engineering quite a bit of software recently, I can tell you that the assembly code from the attack and the Chinese version of the algorithm match completely. In other words, the output looks like exactly what an (optimizing) compiler would've produced given that source code. Note the operations performed inside the loop and the use of stack allocation for the table (and therefore the required initialization every time the function is called).

    As far as I can see, none of the English versions are similar. Sure, they implement the same algorithm, but the Chinese implementation matches the attack code, not just the algorithm.

    1. Re:The Chinese code matches _exactly_ by the_povinator · · Score: 5, Informative
      To add to this: the analysis on the original "research blog" was also more specific than The Register article. He said:

      By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input

      The Register people seem to have accepted similarity in code, without going to the trouble of checking the outputs.

      --
      The .sig is dead, and I believe I had a hand in killing it.
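The "same output when given the same input" check the two comments above describe, as an added example that is not the attack code, the analysed Chinese source, or anything from this thread: two structurally different CRC-16 implementations (a plain bit-serial one and a nibble-driven one with a 16-entry table built on the stack each call, the shape the thread mentions) are fed the same bytes and compared. The polynomial (0x1021) and the table are constructed here for illustration only; nothing in this block claims to reproduce Hydraq's constants.

```c
#include <stdint.h>
#include <stddef.h>

/* Polynomial chosen for this example only (CRC-16/CCITT, 0x1021); the
   constants and table in the attack code are deliberately not reproduced. */
#define POLY 0x1021u

/* Reference: bit-serial CRC-16 with no table at all. */
uint16_t crc16_bitwise(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ POLY)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Nibble-driven variant: a 16-entry table rebuilt on the stack on every
   call, consuming 4 bits per step. This is the "16-value CRC table" shape
   the thread describes; same polynomial, so the output must be identical. */
uint16_t crc16_nibble_table(const uint8_t *data, size_t len)
{
    uint16_t tab[16];                        /* stack-allocated, per call */
    for (unsigned n = 0; n < 16; n++) {
        uint16_t c = (uint16_t)(n << 12);
        for (int b = 0; b < 4; b++)
            c = (c & 0x8000u) ? (uint16_t)((c << 1) ^ POLY) : (uint16_t)(c << 1);
        tab[n] = c;
    }
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        /* two table steps per byte: high nibble, then low nibble */
        crc = (uint16_t)((crc << 4) ^ tab[((crc >> 12) ^ (data[i] >> 4)) & 0xFu]);
        crc = (uint16_t)((crc << 4) ^ tab[((crc >> 12) ^ data[i]) & 0xFu]);
    }
    return crc;
}

/* The check the thread says The Register skipped: same input, compare outputs. */
int same_output(const uint8_t *data, size_t len)
{
    return crc16_bitwise(data, len) == crc16_nibble_table(data, len);
}
```

Equal output only shows the two routines compute the same function; it is the structural match (loop body, stack table, initialisation per call) plus equal output that the original analysis relied on, and this block reproduces neither the attack's constants nor its exact structure.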
  7. This isn't a court of law by Sycraft-fu · · Score: 5, Insightful

    Google doesn't have to prove things beyond a reasonable doubt. More to the point they don't have to prove it beyond any and all doubt no matter what, which is the standard many geeks seem to use. Internally, they only have to prove it to their own satisfaction, which it would seem they've done.

  8. Re:Digital DNA? by Domint · · Score: 3, Insightful

    How hard is that? Parse /var/log/secure, do a lookup and see where the attacks are coming from.

    Right, because there's no such thing as proxies.

  9. Re:F-China by newcastlejon · · Score: 5, Funny

    How do you say "Propaganda" in Chinese?

    Quietly.

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  10. "Deterring" a whole class for the misdeeds of one by macraig · · Score: 3, Insightful

    Do you recall how unfair you thought it was when your third-grade teacher punished the entire class for the misbehavior of one student because she couldn't identify the perpetrator? That's exactly what Google is doing. It's not "deterrence" at all. At best it's indirect deterrence, since it doesn't affect hackers directly; what it affects is the entire Chinese "class" by withdrawing from its network and e-economy, hurting or diminishing the many in an attempt to change the behavior of just a few.

  11. Re:F-China by chiguy · · Score: 3, Informative

    Why all the pro-China posts lately on Slashdot?

    I've noticed this too. I try to be objective about Chinese and American relations. We're definitely frienemies, but lately I've noticed subtle push-back from the pro-China folks.

    Like my comment in a previous post got modded to +4 insightful but then ended back down to +2:
    Google should also check where all their laptops were manufactured. And make sure each BIOS is clean.

    There's a battle going on on /.

    --
    passetspike!
  12. Re:F-China by Sir_Lewk · · Score: 4, Funny

    Beware, the Chinese astroturfers also have modpoints.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  13. Re:"Deterring" a whole class for the misdeeds of o by tgibbs · · Score: 3, Insightful

    Except that the scale of the attacks, the targets of the attacks, and the fact that they went on in a country that is fanatical about monitoring internet use, strongly suggests that the Chinese government either conducted or encouraged the attack. So it is reasonable for Google to hold the Chinese government responsible. Clearly Google's view is, "We try to cooperate with your unreasonable censorship rules, we expect you not to try to crack into our systems. You didn't hold up your end of the bargain, so the deal is off. If you don't like it, we'll take our ball and go home."

  14. Re:Digital DNA? by Domint · · Score: 3, Insightful

    I suppose you'd argue in favor of holding the phone company responsible if you received a harassing phone call as well? You're right, that is a bit of a stretch.

    My point was that it's really easy to mask where you're coming from by bouncing through legitimate services provided by companies all over the world (who I'm sure would be quite reluctant to release their logfiles just because you asked for them really nicely). Looking at /var/log/secure will only catch the most amateur of 'hackers'. The topic at hand is what else one can do to determine who's ultimately behind it.