Slashdot Mirror


China's Great Firewall Infects Other Countries

angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."


  1. Pfft. by fuzzyfuzzyfungus · · Score: 2, Funny

    And their firewalls didn't detect the melamine in the imported DNS records? Pitiful.

    1. Re:Pfft. by einhverfr · · Score: 4, Insightful

      Also, the internet routes around censorship? Ooops....

      --

      LedgerSMB: Open source Accounting/ERP
    2. Re:Pfft. by _Sprocket_ · · Score: 5, Funny

      Also, the internet routes around censorship? Ooops....

      Seems we were wrong. Apparently, the Internet detects censorship and routes it around.

    3. Re:Pfft. by TheRaven64 · · Score: 5, Insightful

      Not really surprising, because the root DNS servers are not yet all signed with DNSSEC and Verisign is dragging its heels when it comes to implementing DNSSEC in the .com domain. Apparently there isn't much real-world use for DNSSEC. Nice to have a concrete counter-example - thanks China.

      --
      I am TheRaven on Soylent News
  2. China Fights Back by jamesyouwish · · Score: 2, Funny

    Fine Google you want to leave China. Where you going to go when we take over the whole internet.

    1. Re:China Fights Back by TheRaven64 · · Score: 2, Funny

      Hmm, maybe they could install one in the US government while they're at it?

      --
      I am TheRaven on Soylent News
  3. Nice headline by oldhack · · Score: 5, Informative

    The headlines now tell you absolutely nothing about the actual stories.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
    1. Re:Nice headline by Jurily · · Score: 2, Insightful

      Have they ever?

  4. Re:Uh Huh by Yvan256 · · Score: 2, Funny

    Question: Who controls the root?

    Possible answers:
    - the tree
    - the tooth
    - the administrator
    - the problem

  5. Misleading by ClownPenis · · Score: 5, Insightful

    Misconfiguration of resolv.conf does not put China's firewall in your way. Add yourself to the tool belt.

    1. Re:Misleading by Anonymous Coward · · Score: 4, Informative

      It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

  6. Maintaining the Great Firewall by Tetsujin · · Score: 4, Funny

    (Firewall is subverted...)
    Damn you cyber-Mongorians!

    --
    Bow-ties are cool.
  7. Re:Uh Huh by sopssa · · Score: 4, Informative

    Can't say that I'm surprised that it did happen.

    Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

    And still this has nothing to do with the Chinese government. It's the ISP's fault that erroneously configured their servers to use the Chinese root DNS server.

  8. Re:Tiananmen Square by maxwell demon · · Score: 3, Funny

    It's no secret in China that this square exists. It's just what happened there $%*+
    NO CARRIER

    --
    The Tao of math: The numbers you can count are not the real numbers.
  9. Re:Now... by sopssa · · Score: 4, Interesting

    It's the other way around than what you're suggesting. Chinese didn't try to do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

    They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.

  10. this gives me an idea.... by datapharmer · · Score: 4, Funny

    So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

    --
    Get a web developer
  11. Completely unintentional by Hadlock · · Score: 2, Interesting

    US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".

    --
    moox. for a new generation.
  12. Re:Now... by JWW · · Score: 5, Insightful

    Which proves the point that perhaps China should not be allowed to have any DNS root servers.

    I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.

  13. Huh by MrTripps · · Score: 4, Funny

    I was wondering about that fortune cookie that said "All of your root servers are belonging to us."

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  14. Re:I think this is a shot across teh bow by Anonymous Coward · · Score: 3, Insightful

    Your rampant racism notwithstanding, that was an idiotic post.

    China cannot 'take our DNS down'. In worst case scenario, the world would just disconnect from China if that were to happen.

  15. Re:Uh Huh by e2d2 · · Score: 3, Informative

    Well in fairness it has a little bit to do with China. That whole censorship thing.

  16. Problems like this should be prevented by Lorens · · Score: 3, Interesting

    So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.

    Prevention:

    1) Don't have a root server in a country that wants to censor information

    2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert

    3) DNSCurve, DNSSEC, whatever

    4) Encrypt.

    5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.

    More?

  17. Re:Now... by Third Position · · Score: 2, Insightful

    Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?

    Well, I suppose it pays to talk real sweet to a country that pretty much owns us now.

    --
    American Third Position
    Finally, a real choice!
  18. Re:I am not a fan of the USA gov't by Anonymous Coward · · Score: 3, Informative

    It's funny, because the Reagan years spent more than compared to the GDP than Clinton or GWB but you I happen to like those kind of "facts". In the Clinton years spending v GDP went down quite a bit. The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton.

  19. hacker attack by CPE1704TKS · · Score: 3, Informative

    Come on, are we really being that stupid? Of course it was a hacker attack. The chances of an IP address "accidentally" being pointed to a Chinese one are remote.

    These Chinese hackers (and hackers in general) are getting more and more dangerous. If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address. If the DNS is configured to give incorrect DNS information, then we really could get hosed here.

    1. Re:hacker attack by Spad · · Score: 2, Informative

      It's not so much a matter of things being "pointed" anywhere, more a side-effect of anycasting the root DNS servers so that if your current routing happens to put root servers in China as closer than any others, you'll get your results returned from them.

      Of course, one could argue that countries shouldn't be allowed to mess with root DNS servers that they host and have them return invalid addresses for valid domains, but that's beside the point here.

  20. Re:Uh Huh by ircmaxell · · Score: 2, Insightful

    Well, that's assuming that the ISP actually made that configuration. There are a number of other possibilities (such as someone hacked those servers, someone silently redirected queries from the actual root server to the China one, etc). Regardless of how the issue came about, the fact that China had those systems in place makes them at least partially responsible (not from a legal perspective, but from a philosophical one) for people not reaching their destination...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  21. The issue I have... by XB-70 · · Score: 2, Interesting
    is that all the problems with China seem to be one way. We don't hear of Chinese complaining about melamine in products from Western countries. It always seems to be about hacking, cheating, deception, malfeasance, obfuscation, corruption and blackmail.

    Heck, even Dell is pulling out.

    So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S. As to messaging etc. they can phone and fax.

    Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.

    --
    *** Don't be dull.***
    1. Re:The issue I have... by jizziknight · · Score: 2, Insightful

      Except that the Chinese government would be perfectly happy to be cut off from the rest of the Internet. If we cut them off, they can just blame it on the US and claim they've done nothing to censor anything. You'd be giving them exactly what they wanted.

      --
      Everything I say is a lie. Except that... and that... and that, and that, and that, and that... and that.
  22. Re:I think this is a shot across teh bow by oldspewey · · Score: 2, Funny

    What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  23. Re:Uh Huh by Mordok-DestroyerOfWo · · Score: 2, Funny

    Don't be so square.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
  24. Re:I think this is a shot across teh bow by Jazz-Masta · · Score: 3, Funny

    What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

    Yes, lead, melamine, and poorly documented programming.

  25. Re:Now... by radtea · · Score: 5, Insightful

    China can have all the root servers they want - just don't configure your server to poll them.

    Actually China is demonstrably incapable of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."

    It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  26. Re:Net views censorship as damage by FliesLikeABrick · · Score: 4, Informative

    As far as I know, NetNod was not operating this i-root instance that was returning the censored answers.

    I was following along with this on the dns-operations mailing list. This pertained to i-root in Asia, and various i-root node operators said "this is not our box". It was a rogue root server (whether installed by the Chinese government or an ISP guided by the government's hand) (as far as netnod/i-root is concerned) announcing the anycast block used by i-root. In doing so they basically advertised themselves as a root node for i-root and it doesn't seem like this was Netnod-affiliated at all. The summary (I didn't re-read the article to see if that said the same) implies that netnod was running this intentionally and serving up Chinese-censored results for affected sites. All this would take is a person with the ability to have their upstreams accept BGP announcements for the anycast block for i-root and run the server. Then any requests to i-root that are topologically "close" will start using this node.

    Before anyone continually says that an ISP must have intentionally configured their servers to use this root, they should read up on IP anycasting and read the thread on the dns-operations mailing list instead of these 2nd/3rd/4th-hand summaries that are beginning to skew the facts.

    https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
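
Several comments above turn on a root server instance handing back address records for names such as Facebook's. An added example (not part of the thread or of any poster's code): a root server normally answers a query for a name below a TLD with a referral to that TLD's servers, so a reply that carries an A or AAAA answer is a signal worth logging. The function name `classify_root_reply`, the transaction ID and the 203.0.113.7 address are constructed for illustration.

```python
import struct

A, NS, AAAA = 1, 2, 28  # DNS record type codes

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(owner, rtype, rdata, ttl=300):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(txid, qname, answers=(), authority=()):
    """Build a minimal DNS response; used only to construct sample data."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return header + question + b"".join(answers) + b"".join(authority)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += n + 1

def classify_root_reply(msg, expected_txid):
    """Classify a root server's reply to a query for a name below a TLD."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        return "mismatch"  # wrong transaction ID, or not a response at all
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    answer_types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answer_types.append(rtype)
        off += 10 + rdlen
    if any(t in (A, AAAA) for t in answer_types):
        return "suspicious-answer"  # a root server should refer, not answer, here
    return "referral" if ns > 0 else "other"

# Constructed samples: a normal referral and a reply carrying an address record.
QNAME = "www.facebook.com"
REFERRAL = build_response(0x1A2B, QNAME, authority=[rr("com", NS, encode_name("a.gtld-servers.net"))])
FORGED = build_response(0x1A2B, QNAME, answers=[rr(QNAME, A, bytes([203, 0, 113, 7]))])
```

A resolver operator could run a check like this over captured replies from root addresses; it flags the symptom only and says nothing about whether the cause is a rogue anycast node or on-path injection.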