For 18 Minutes, 15% of the Internet Routed Through China
olsmeister writes "For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs." The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.
The crazy thing is that this happened months ago, and nobody noticed.
Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again).
My work here is dung.
All my emails started showing up with fortunes and free eggrolls.
SJW: Someone who has run out of real oppression, and has to fake it.
...that one internet isn't really enough.
I had just finished torrenting a 10gig 1080p mkv and 18 minutes later I was hungry for more downloads.
Dear China:
Please Log all N.S.A. intercepts.
Thanks in advance.
Yours In Akademgorodok,
Kilgore Trout
Isn't that what the Internet was designed to do; route as need to get bits to their destination?
UNIX/Linux Consulting
when that 18mins is over and all their stuff goes through American servers
did you forget to take your meds?
There are plenty of reasons to use encryption but the Chinese government just isn't one of them for me. If I view something they don't like, what exactly are they going to do? I suppose they could block my access but it's not like I would get thrown in a Chinese prison.
I have a lot more to worry about from identity thieves, scams and heck, my own government.
The Anti-Blog
Hope you're encrypting your super secret stuff.
I always encrypt sensitive data no matter if it routes through China, Sweden, the USA or any other country that may tap it.
That summary and article didn't report the .mil or .gov traffic.
I guess we just assumed it was only youtube videos or pokes on facebook.
You think the /. editors RTFA?
From National Defense Magazine: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249#
"If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better," he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it's web traffic, emails or instant messaging, Alperovitch said. "It is a flaw in the way the Internet operates," said Yoris Evers, director of worldwide public relations at McAfee.
What makes this really annoying is that a lot of .mil sites use self-signed certificates. When doing mil-2-mil browsing, you just get used to clicking whatever to get into the site. So, I can easily see how China could do a MITM without alarming any of the end users.
I'd rather you do it wrong, than for me to have to do it at all.
It remains unclear whether the redirection was intentional, the report says, but it demonstrates that it is possible for malicious actors to seize control of the Internet and redirect traffic.
On April 8, according to Web security specialists, a small Chinese Internet service provider published a set of instructions under the Border Gateway Protocol, that directed Web traffic from about 37,000 networks to route itself via computer servers in China.
The list was republished by China Telecom and briefly propagated itself across the global Web, which works on a trust system, with each server updating its routing instructions based on data provided by others in the network.
What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol?
Maybe someone needs to take a closer look at this 'trust system.'
He who knows best knows how little he knows. - Thomas Jefferson
This can't be good, last time I routed snail mail through China I was hospitalized with SARS.
Chinese Headlines claim for a period of nearly 21,018,240 minutes...nearly 100% of Internet traffic has been routed through the United States....wonder if they're worried about the balance of power?
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Hope you're encrypting your super secret stuff.
considering where it usually gets routed through.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
What's the purpose of Facebook pokes?
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Wasn't IPSec supposed to protect against stuff like this, so even if someone was able to route internal traffic through a hostile source, all that could be done would be traffic analysis (finding which machines put more packets on the wire than others)?
The same as poking in real life.
Well, maybe not 100% but it's established that the bulk of US traffic is trunked off to closets in AT&T (and other) switch rooms. This is going to include any communications going to points outside the US and (more importantly) any traffic that happens to be routed through the US while going between two points outside the US.
They hijacked prefixes, not data. At least not directly. If you sent a packet during that time, it may have been routed to China. I doubt they stood up a big infrastructure to close TCP sessions with all of that incoming traffic and actually capture anything. Perhaps for a very targeted attack they could have, but then there'd be better ways than this to do it, I imagine.
No source, citations or references given on the FA, just the usual "Sponsored Links" and the McAfee threat director's 'insight'..
There are two problems here:
1) Can China redirect traffic through its network by advertising that it has the lowest cost routing path? (Apparently, yes.) This is a wormhole attack, and is well documented in research literature.
2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.
If you are sending data over the net, and want to protect it, be sure that it is encrypted. If you don't care, be aware that anyone might be able to monitor it, even governments of other countries. If you don't trust the Chinese root CA to certify the identity of servers that you go to, don't accept their CA's certificate as an authority for that purpose.
http://www.eff.org/nsa/
And nobody noticed.
"It is a good thing for an uneducated man to read books of quotations..." -Winston Churchill
With half the calories burned.
We can't afford the cost to administrate secrets. With all the current data gathering and monitoring techniques, the only people who can afford the cost of keeping actual secrets are professional sleuths or top level government and corporate people. They hold secrets on and from each other, but mostly from us. It seems the game is inverted now - by fighting to protect our right to illusory privacy, in practice we mostly protect their right to keep secrets from us.
Build your own energy sources from scratch. http://otherpower.com/
check for more background on this
http://www.wired.com/politics/law/news/2007/06/spy_room
Americans are retarded, complacent idiots, who have no fucking idea what their elected leaders allow.
Encrypt everything.
If you manage to end up in China when driving a station wagon full of tapes from North Carolina to DC you REALLY are doing it wrong.
Monstar L
Does it really matter?
In China, only 15% of everyone is famous for 18 minutes.
They were designed years ago, for an environment where it was actually somewhat sensible for everyone to trust everyone else. Major routing screwups like this, DNS cache poisoning exploits, the type of attack demonstrated by FireSheep, and even plain ol' spam are all possible largely because the underlying protocols are not secure.
What's the purpose of FarmVille?
It's an API that lets you randomly write to memory addresses on their servers.
How can I believe you when you tell me what I don't want to hear?
Wherever I want to go from any country in east Asia, everything goes by California. Could USA stop the permanent hijack of the internet? Seriously, this article is stupid, it doesn't even tell which ISP is involved. I don't expect Fox to know what an AS number is, but there is a limit to stupidity!
and what percentage do the Chinese represent of the internet? I'd bet it's more than 15%.
Never say never. Ah!! I did it again!
and they already embedded Red Chinese spy images in all your pics while that happened.
Got security?
Not while China's in the WTO.
-- Tigger warning: This post may contain tiggers! --
Isn't that why they have the whole meta-moderate in the firehose thing?
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data.
If they used a Man-In-The-Middle attack during the routing change, creating signed certificates using a top-level CA, they won't even need to decrypt anything. In addition, having the cypher text means that they can spend a few months or years using brute-force to decrypt it (or less, now that they have the fastest supercomputer in the world). Once they do, they'll have the keys for those sessions. Using that, they may even be able to derive the server's private key.
At the very least, they have a copy of the data, and they can eventually crack the encryption.
I do agree with you on the Chinese CA, and I plan to remove it from all of my browsers as trusted.
Hello little man. I will destroy you!
For US citizens: Chinese government spying on your traffic is way less harmful than US government spying on your traffic. I mean, what can they do with that data? Sending you spam?
If you want to know if China is hijacking your data just look for the bits that are shifted left.
Ah ha! I found you, Comrade Ping!
2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.
I don't think you understand MITM attacks.
Take a moment to look at the list of trusted root certificate authorities in your web browser right now.
FF Preferences > Advanced > Encryption > View Certificates
Notice the Chinese ones? The Chinese government can compel any of those root CAs to produce a certificate for any domain they choose. For example, let's say CNNIC creates rogue certs for Google.com.
1) You request a secure page "https://mail.google.com"
2) MITM intercepts the request and makes their own connection to mail.google.com using the real cert.
3) MITM uses the fake cert to encrypt its connection to you, and passes you the mail.google.com data.
4) Firefox validates the cert chain and gives you a big "look it's secure" bar, and you just got pwned.
The real problem is with the retarded cert system. Any CA can create certs for any domain without the domain's permission; If the CA is trusted your browser won't complain at all.
This is why it's important to view the certs that you are using (in Firefox, click or hover over the "secure" bar).
Note: If you had a cookie that kept you signed in to gmail, it's too late to check the cert after the MITM is logged into your account.
There are two kinds of people you know but don't interact daily with: Those you don't really care about (Old classmate that you never really hung out with... He's just on your contact list because... Well... Why the hell not? It doesn't cost you anything and might be useful some day) and those that you still are interested in but just haven't had anything to say to at the moment or haven't interacted with lately but might want to reconnect with. Pokes are for the latter group: They signal "Heya. I'm here if you need me or if you'd like to grab a beer some day.. Just wanted to let you know but I don't really need response right now and just writing this all would feel stupid..." so in a way they're like keepalive packets for friendships: No data is being exchanged except for the fact that the connection still exists. The old fashioned way to do this was christmas cards but they have their flaws (mainly, latency).
What facebook does is essentially this one: It makes it really easy to get back in touch. I have friends that I didn't really speak to for a year or two and at that point it was unlikely that I'd ever just spontaneously call him. But a few comments on each other's facebook statuses was easy, then a message, then the call, then the actual human interaction. It lowers the threshold. Pokes are one tool at that: Haven't talked to someone for a few years but suddenly get interested on how he is doing? Poke. No obligations, nothing, just one click. But if he pokes back, he's probably also interested in how you're doing and the threshold to start a conversation just went down by half.
You can compare it to christmas cards, the children's "Do you like me? [ ] Yes, [ ] No" notes or whatever (there are numerous more examples of offline pokes: Things simply to lower the threshold for the real interaction). You might think that it is a shame that those exist (that the threshold should stay higher)... I dunno. Whatever you (or I) think about it, we're quickly going towards the point where that threshold for social interaction doesn't exist (it has been an ongoing trend ever since phones made it a lot easier to call someone than to visit them).
This story is rooted in ridiculous xenophobia.
You have more to fear from your wi-fi or cable snooping neighbor than from China.
Security must be end-to-end. There is no such thing as a trusted ISP or country.
It's hard enough for Slashdot to keep up with the news, now you want them to keep up with what they keep up with? :P
It would explain the increase in Chinese spam that I see since April 18th ;)
Privacy is terrorism.
Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here, the above statements apply to USA, UK, Canada, or government that a trusted Root CA company resides within.
Eg: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...
Honestly, HTTPS / SSL is The Ultimate Theater of Security.
You cannot have the centralized control you need to block out abuse without also having that centralized control in the hands of censorship happy powers.
Freedom of expression implies freedom to be an ass.
15% went into China. 9% came out???
The point isn't that it was routed through China per se; the point is that it is so easy to hijack the traffic of a large portion of the 'net. As has already been pointed out, anything sensitive should be encrypted anyway.
I thought "Freedom of expression" implies your own breast milk costs you $0.
I don't understand, why couldn't they just log all the data that went through? Unencrypted passwords, http authentications, emails sent... It would have the potential to bring a lot of valuable information. If I was the Chinese CIA, I would have only one goal: make it happen again.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
You don't need an infrastructure to terminate connections, you just need to watch traffic flow and record it. You can analyze it over time later elsewhere to find useful information.
Not that I think that was the point or anything, but if I were going to do something like this, knowing that I wouldn't be able to keep the traffic flowing in my direction for any length of time, I'd just log everything and analyze later. If I was China, I'd upload it to EC2 and pay Amazon to analyze it for me at that, they could probably afford it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Chineeese! It's ALIVE! It's coming for YOU and your family! Hide in your bomb shelters! Wrap wet towels on your heads! Cover your bedrooms in tin foils. The Chineeese Terror is coming!!!
Seriously, what is wrong with you Americans? Can't you and your government live through life without manufacturing an enemy to hate? What is it in your national psyche that requires an opponent? Is it because you actually bought into your own "we're the Good Guys(TM)" propaganda that the only way to validate this absurd world view is to manufacture "bad guys". My theory is that you are so hung up on WWII, the last "good war" that you fought in, that you and your leaders are subconsciously trying to recreate it so that you can feel good about yourselves again. Hence, the Axis of evil, war on terror, and now a more traditional enemy, the Red Peril. Get over it.
Certificates aren't used to encrypt anything. The certificate contains a set of assertions about the subject of the certificate, signed by the certificate issuer. One of those assertions is typically the subject's public key. All the certificate is claiming is that a certain public key is associated with a certain identity, where that identity is claimed by the certification chain starting at some root (in this case, the Chinese CA). If you trust a certain root CA, then you also must trust any assertions made by the children of that CA in the CA hierarchy. If you do not trust that CA, then you won't trust any certification paths that originate at that root.
So is a man in the middle attack possible, as you've described? No. Here's what would actually happen:
1) You request a secure page "https://mail.google.com"
2) Google's server sends you Google's certificate. This is signed (through some CA chain) by a root CA that you (presumably) trust. An attacker could also send you Google's cert, but the attacker doesn't have Google's private key, so anything they encrypt could not be decrypted using Google's public key.
3) You verify that certificate by validating the certificate chain to it. Note that even though China may have a root CA, it doesn't have the private key that was used to generate the certificate. (If China sent you such a cert, it would only validate against the Chinese root CA, which you would have to already trust!)
4) If the attacker attempts to do a man in the middle attack, they can pass you a certificate, but they can't generate data signed by Google, unless you trust China's root CA, because the attacker doesn't have Google's private key.
Breaking modern encryption algorithms using current techniques would take somewhere around the lifetime of the universe. The number of computations required to break a well designed algorithm increases exponentially with the key length. You should always use an algorithm and key length that can be expected to protect your data for longer than the data will remain valuable.
As I indicated in my explanation below, being able to create a certificate does not mean that they can trick you into trusting their site. They must have a cert signed by a root CA that you trust. If you trust the Chinese CA, then you're stuck trusting its assertions. But if you don't, the attack can't work.
The crazy thing is that this happened months ago, and nobody noticed.
Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again).
The story you linked was posted on April 9th. The article in the summary says (twice) its redirect happened on April 18th. They couldn't be the same if these dates are accurate.
That said, this April 18th attack is discussed in a "316-page report to Congress," so it's pretty clear it wasn't *just* noticed.
finding out who to defriend
But I thought Richard Nixon and Rosemary Woods were both dead...
#DeleteChrome
Security must be end-to-end.
And how can that be achieved? At some point you have to trust your Browser, OS or hardware vendor / manufacturer.
There is no such thing as a trusted ISP or country.
Tell that to all the "Trusted Root CAs" installed in your browser. Who did you trust to put them there? The governments that those CAs reside in can coerce them into creating fake certs; This requires an implied trust in the country those CAs reside in.
IMO, "end to end" security is not used at all during an HTTPS connection, it's inherently a 3 party process: You, Them, The CA. Encrypted data might flow end to end, but the security is not end to end unless you are only trusting yourself and the endpoint for that security.
Even with a PGP web of trust you have to trust more than just yourself and the endpoint unless you have pre-shared the key... at which point I wonder why you wouldn't just use pre-shared key and avoid the whole "public-key encryption" theater of security in the first place.
You've completely missed my point. It should be possible to secure the Internet's routing protocols without infringing on anyone's freedoms. Furthermore, the lack of encryption on things like standard HTTP and e-mail traffic actually makes it easier for your electronic communications to be spied on.
I would label you simply as troll if it weren't for your positive karma and low UID... So I'll give you the benefit of doubt and assume that you simply missed the whole point and try my best to summarize. This might be a bit difficult to grasp if you didn't grow up in the digital age (IE: Time of text messages, instant messaging and the like)... But if you highlight your ignorance by acting smug you probably can't expect very courteous replies. Anyways:
FB lowers the threshold to get back in touch (and by "back in touch" I mean a relationship that includes interacting in person) with people you probably wouldn't reconnect with otherwise. You end up forming a good relationship to some of these people so as the amount of people you get back in touch with increases, it results in more non-computer-maintained interaction.
As for my own stuff - they're welcome to see that I've ordered such-and-such a book, or that Cousin Thomas's measles are clearing up. Face it folks - most people's lives aren't that interesting. Except to themselves.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Stars and stones! Warn a body when you post a link to Fox "News"! They may have the facts straight for this story, but there was a banner ad for Glenn Beck on that page. My CHILDREN could have seen that!
For millennia, more than 15% of the world's population was in China. So what?
PlusFive Slashdot reader for Android. Can post comments.
"Once is an accident.
Twice is a coincidence.
Three times is enemy action."
-- Gen. Douglas MacArthur
Does that make this enemy action?
Does this mean they intercepted all the SPAM they send to me?
Well, nobody sends serious data without good encryption.
In addition, Government agencies do not send secret data
through Internet or usual mail. This data is usually sent
using diplomatic mail, or human messengers.
Very secret data is usually kept in closed room, without Internet,
with physical access only for a few people.
That summary and article didn't report the .mil or .gov traffic.
Big friggin deal. Any traffic captured from those TLDs would be external traffic. So now China knows that Private Bloggins is jarhead59@gmail.com, and his girlfriend just dumped him. Quick, everybody panic!
What's the purpose of FarmVille?
It's the fastest way to ensure that all your private data isn't private anymore. Why you would have private data on Facebook is beyond me, but playing the games (ie: allowing them access to your data) is the fastest way to ensure that privacy is no longer a concern.
Tequila: It's not just for breakfast anymore!
...and why exactly would they want to use Google's private key instead of, say, the one they just created a signed certificate with?
They did not become a transit network where all of this information was just flowing through waiting to be logged.
They falsely announced that they owned certain prefixes and asked the Internet (web of trust) to forward packets with those destinations to their network.
In order for them to capture an email you sent during that time, they'd have to maintain a TCP connection with you and a fake email server that matches the destination IP address you were using. For a website, they'd likely capture the initial GET request, but they'd have to reply with an actual webpage from one of their servers in order to capture any more data. If they can't maintain something to actually reply to the packets, they only get what was initially sent and that's it. With no reply, your web browser, email client, etc. time out waiting for a reply and stop sending data.
So sure, they could capture some packets. Maybe an HTTP authentication if you just happened to send that packet at the right time. Or [window size] number of packets related to your email. But it's not like they can do this and capture 18 minutes of traffic between you and whatever.gov or hotmail.com or anything else.
-John
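The poster's point is that the hijack was a false origin announcement for prefixes someone else owns. An operator's defence against exactly that is origin validation: compare every announcement's origin AS and prefix length against a table of who is allowed to originate what. The Go program below is an added example, not the poster's code or any vendor's tool; the authorization table and the announcement feed are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, and the rule it applies is the RPKI route-origin-validation outcome (valid / not-found / invalid), with the invalid case split into wrong-origin and too-specific so an alert says which it was.

```go
package main

import (
	"fmt"
	"net"
)

// Announcement is one route as a route collector would see it (simplified).
type Announcement struct {
	Prefix string // announced CIDR
	ASPath []int  // AS_PATH; the origin AS is the last element
}

// Authorization records which AS may originate a prefix and the most specific
// length it may announce, in the spirit of an RPKI ROA. All values in this
// file are constructed fixtures.
type Authorization struct {
	Prefix    string
	OriginAS  int
	MaxLength int
}

// Origin returns the originating AS of an announcement.
func Origin(a Announcement) int { return a.ASPath[len(a.ASPath)-1] }

// covers reports whether authPrefix contains announced, and announced's length.
func covers(authPrefix, announced string) (bool, int) {
	_, authNet, err1 := net.ParseCIDR(authPrefix)
	_, annNet, err2 := net.ParseCIDR(announced)
	if err1 != nil || err2 != nil {
		return false, 0
	}
	authLen, _ := authNet.Mask.Size()
	annLen, _ := annNet.Mask.Size()
	// A covering authorization is at most as specific as the announcement
	// and contains the announced network address.
	return annLen >= authLen && authNet.Contains(annNet.IP), annLen
}

// Classify applies the origin-validation rule: "valid" if some covering
// authorization names this origin and permits this length, "not-found" if
// nothing covers the prefix, otherwise "wrong-origin" or "too-specific".
func Classify(auths []Authorization, a Announcement) string {
	origin := Origin(a)
	covered, originMatch := false, false
	for _, au := range auths {
		ok, annLen := covers(au.Prefix, a.Prefix)
		if !ok {
			continue
		}
		covered = true
		if au.OriginAS == origin {
			if annLen <= au.MaxLength {
				return "valid"
			}
			originMatch = true
		}
	}
	switch {
	case !covered:
		return "not-found"
	case originMatch:
		return "too-specific"
	default:
		return "wrong-origin"
	}
}

// Suspicious returns every announcement that is invalid (not merely unknown).
func Suspicious(auths []Authorization, anns []Announcement) []Announcement {
	var out []Announcement
	for _, a := range anns {
		if v := Classify(auths, a); v == "wrong-origin" || v == "too-specific" {
			out = append(out, a)
		}
	}
	return out
}

// SampleAuths and SampleFeed are constructed fixtures for the demo.
var SampleAuths = []Authorization{
	{"192.0.2.0/24", 64496, 24},
	{"198.51.100.0/24", 64497, 25},
	{"203.0.113.0/24", 64498, 24},
}

var SampleFeed = []Announcement{
	{"192.0.2.0/24", []int{64500, 64496}},   // legitimate
	{"192.0.2.0/24", []int{64500, 64499}},   // same prefix, foreign origin
	{"198.51.100.0/25", []int{64497}},       // more specific, but permitted
	{"203.0.113.0/25", []int{64498}},        // right origin, too specific
	{"203.0.113.0/24", []int{64501, 64499}}, // foreign origin
	{"10.0.0.0/8", []int{64502}},            // no authorization on file
}

func main() {
	for _, a := range SampleFeed {
		fmt.Printf("%-18s origin AS%d -> %s\n", a.Prefix, Origin(a), Classify(SampleAuths, a))
	}
	fmt.Printf("%d suspicious announcements\n", len(Suspicious(SampleAuths, SampleFeed)))
}
```

A "not-found" result is deliberately not an alert: most of the table has no authorization on file, and alerting on it would bury the two real signals, a foreign origin for a covered prefix and a more-specific announcement than the owner permits. Both are what a monitoring feed such as the one another poster mentions would have shown during the incident.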
Your step two is flawed. VortexCortex steps are accurate.
In your step 2, Google thinks it is sending you Google's certificate, but it is really sending it to the MITM. Since it was the MITM who started the connection, they build the session keys and so can decrypt the session.
In your step 3, they don't need Google's private keys; they can create their own, and because they have a CA trusted by most people, they can sign them so that most people trust them. (I use Firefox mostly, which comes with the CNNIC CA installed.)
This sort of MITM attack is used all the time by filtering gateways. Examples include "McAfee web gateway" amongst many others. Since the filtered company controls its desktop operating environment, they can install their own CA. The gateway filter then creates certificates pretending to be the endpoint and creates an outbound connection pretending to be the client.
The only real way for SSL to solve the man in the middle problem is for client side certificates issued by the server's owners. You have a distribution problem. If the server trusts the CA in the middle as well then it can intercept both ways.
I noticed because all of my messages came to me in small funny fonts and smelled of burnt sesame seeds.
I laugh every time I read your .sig. Every f'ing time. :)
In China the headline was: China Triumphs (Again) Imperial Denial of Services Attack Thwarted after only 18 Minutes of Disruption.
I would link to the article, but it's all in Chinese.
UDP traffic would keep flowing to China so long as they advertised prefixes, but they're not really going to get any good intel out of that. Maybe some VoIP packets if they're lucky, but those are likely to end after about 20 seconds when the participants hang up because they can't hear each other (all packets are going to China, not to each other).
Anyone sending TCP traffic is going to stop as soon as they don't get an acknowledgment. Or never start if they can't complete a handshake. So not much is going to be flowing here waiting to be logged. Maybe something interesting, but in reality, you're only going to capture what's put out on the Internet for the first couple of seconds, no matter how long you can maintain the prefix advertisements.
You can't tell the world to send you traffic for Gmail (advertise Google prefixes) and then when it gets to your network, shuttle it out a back door towards the real Google. If it came to you in the first place, it's coming back to you when you let it out of the network.
There's a BIG difference between what happened here and someone sitting in the middle of a network watching/logging everything that flows through.
Unless they caused most routers to accept new routing, packets forwarded to an unaffected router would route traffic normally, just a small deviation due to one bad routing table. How do they get all USA traffic all the way over to China?
Mike
You're assuming they
a. don't have tens of thousands of Chinese mil hackers
b. didn't save a copy off to a log
c. didn't have months to use this to install rootkits on US and EU computers
d. weren't in an active trade war with the US, Thailand, Japan, and India.
But they are.
All your networks are belong to China now.
-- Tigger warning: This post may contain tiggers! --
It doesn't matter if the traffic was hijacked by China or the NSA, All traffic should be encrypted by default!
I killed da wabbit -Elmer Fudd
Meanwhile, in other news - in April, the U.S. Government released the uncensored / unerased Watergate tapes for only one time - and it was being streamed live to a server in California from an undisclosed location in Washington. Isn't it strange that the 18 minutes that were missing in the release to the public is the same 18 minutes that the Internet went through China?
Well, nobody sends serious data without good encryption
Just like no one ever keeps important data without good backups.
You're missing the point. Everyone's browsers by default DID TRUST the Chinese root CA during the time of this "traffic rerouting". The Chinese were in a position at that time to create automated signed certificates, and there would not have been any certificate warning in the browser. If they did this, it should be possible to trace, if the military sites keep an archive of all network traffic, as they would be able to see a change to the SSL certificates (facing the server) take place almost all at once.
(For those who may not know what I'm saying, a MITM attack would require the attacker to impersonate the server to the client, and impersonate the client to the server. For existing SSL connections, new encryption keys would have to be created and the negotiation process would start over between the attacker and the client, and between the attacker and the server.)
As far as how long it would take to brute-force a key, do you have any first-hand knowledge of this? Are you an expert in this field? It's my assumption that the US Federal government is now able to decrypt 128-bit RC4 in a "reasonable" amount of time, which is why they relaxed the export restriction on 128-bit encryption from the US.
I've seen the numbers comparing 40-bit and 128-bit RC4, for instance, but I can't seem to find information regarding the amount of computing power that was needed to brute-force a 40-bit key in 1.5 days. Also, even if it's statistically unlikely that the key will be guessed within 100 years, that doesn't make it impossible, just unlikely.
The traffic of a .mil site could be a high-profile and high-reward target for the Chinese, so it would be worth spending time and resources to decrypt the traffic they may have captured.
Hello little man. I will destroy you!
No, it can direct traffic to its network by that advertising, but not through it. You can't tell the world to send you all traffic for Gmail at x.x.x.x and then slip it out a back door and say now go to the real Gmail.
Obviously there are ways to become a transit network, but it's not in this manner. For this to work, China would have to tell ISP X that it has the best path/prefix for Gmail, but make sure ISP X doesn't tell anyone else. That's not usually how peering works. If ISP X doesn't tell anyone, then China can shuttle traffic out to ISP Y who has the real best path/prefix for Gmail and become a transit network. What likely happens is that ISP X tells all of its peers that China has the best path/prefix for Gmail, including ISP Y, eventually, and now all traffic heads to China. China can't send it back out because everyone thinks they own those prefixes and it'll just loop back to them.
-John
Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here; the above statements apply to the USA, UK, Canada, or any government that a trusted Root CA company resides within.
Eg: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...
Honestly, HTTPS / SSL is The Ultimate Theater of Security.
Not to mention that of course, governments in any country where GOOG/MSFT/AAPL/YHOO do business (pretty much all of them) do not ever need to bother with MITM attacks. All of these companies provide convenient access for national "law enforcement" agencies to all of their customers' data on request (maybe after a quick subpoena)...
I read the article. Oh my gosh! Oh my gosh! China Telecom is stealing all the paswordz and stuff! Oh my! Oh my!!! Really though? So 15% of the internet traffic is being pressed through their (very) busy servers. And through all the spam, netflix, youtube, doubleclick ads, porn, pings, routing noise and mostly not super-duper secret general internet pages, someone is going to wade through all that (and lord love a duck there *is* a lot of it), and in 3-5 seconds, steal all the passwordz and super-duper-duper secret stuff and break it and change it and pass it on like nothing ever happened. Not likely. How many billion people are there in China? How many times that number would you need to do what is proposed ....perhaps a million? ...and those Trillion people all need to be connected to the internet too, right? So when the cold light of reality hits this story, it starts to look like a badly written sci-fi story, without a satisfying conclusion. It's bull.
This article is so-god-damned simplistic and more rumors. The Chinese didn't even try to hide it as per the BGPmon.net monitor. I'm 99% sure this was simply a fat-finger good old fashioned programming error on their peering/IP transit routers. This has HAPPENED MANY TIMES IN THE US/CANADA AND EUROPE. Oh and BTW, the Chinese great firewall/DPI (deep packet inspection) "Golden Shield" according to public documents these days is mostly Huawei high-end routers including the NE80E, SIG9800 and a few others. Huawei have sold this product WORLDWIDE including Europe and the Middle East and they simply market the product/engineer the product like Cisco & Juniper. The Chinese government (aka CCP, some propaganda department probably) is responsible for the operation of the filter lists which get passed to the semi-nationalized telecom operators (China Telecom, China Unicom/(ex. Netcom), China Mobile and a few others licensed for international inter-connect). China Telecom uses AS4134 and Unicom/Netcom uses 4837 for international peering with foreign countries. There are a few other Chinese AS'es I believe but those are for special reserved usage like VPN. The way it works is very simple, there are two layers. There's an internal AS layer within the provinces of China (not connected to outside the country) and an international layer. All international peering/IP-transit traffic is connected to a Cisco/Juniper device which passes all traffic to a Huawei DPI (deep packet inspection) for high-speed ASIC based filtering. If a keyword matches (e.g. twitter, facebook) the packet is dropped and the Chinese have aggregate logged data of filtered data like any other commercial product off the Huawei device. It is technically impossible to do massive packet capture unless they are specifically targeting something. The Chinese fucked-up routes were probably sent to Chinese international border routers, and their Huawei DPI probably dropped those packets.
They also manipulate/use faux-DNS using their Huawei DPI. (So if you use opendns in China the DNS will still be manipulated, it's TIME FOR ENCRYPTED DNS!) Here's another open industry secret: The Chinese like any other international ISP have to connect their network to the international internet up-stream ISPs/ASN's right. I believe now they even have some of their DPI hardware in the US/Europe. Again all public data, see: https://www.peeringdb.com/private/participant_view.php?id=308 https://www.peeringdb.com/private/participant_view.php?id=730 If the US gov't really wanted to see China's internet filter lists they could theoretically do the following (again this would be POLITICAL SUICIDE I'M GUESSING AND possibly touch off a war with China, and would require a warrant obviously): Go to Any2 LA or Equinix San Jose or any other Chinese international peering/IP-transit place and go to China Telecom or China Unicom's cage. Seize the Huawei DPI device. Simple. Copy the data. Do analysis. Return it back to the Chinese!? LOL. It's a Chinese-registered APNIC IP with a public WHOIS registration of "FSKWC NET". Mhmm... F must stand for Firewall. Must be the Chinese-DPI-GFW firewall cluster. The internet community has discovered that all traffic to Mainland China passes through a FSKWC NET device before it goes further in-ward to China. Some of these devices we know are in the US and Europe where the Chinese peer before they are sent across the pacific on one of the Trans-pacific or Eur-Asia fiber-optic cables (TPE, etc...) The real problem with China is political and political change. I believe this will change over time as change evolves, develops and moves towards a more open model. As an engineer I really don't care about political crap, I wish they would just develop an open internet policy like HK or Singapore or Japan. Filtering political extremism is fine for stability (remember in Chinese thinking/culture it's all about "stability" ve
What's the purpose of FarmVille?
FarmVille is a Web 2.0 application depressed folks to sit around doing nothing for HOURS each day, in isolation, while getting the emotional feedback of accomplishment.
While you can say some of the same things about all video games, these "social" games are different because they NEVER END and they give people a false sense of community. Inter-personal communication is reduced to automatically spamming everyone's news feed.
As the US economy spirals down, expect more people to become insular and hooked.
Yes. Actually, I am. :-)
Sorry to be AC.
as an IP engineer at a major backbone provider, I can safely comment on the hyperbole of this incident.
China Telecom -4134- would have to either send very/more specific routes and get max prefixes blown out, or send very general routes and lose to smaller routes.
yes, for a little while any "tier 1" player, or major government player, can convince another provider to send routes to an inappropriate AS, but the game soon ends. anyone who isn't running at the very least a max prefix is a cluetard and needs their peering revoked anyway. From my 20%, 4134 is always a hair's breadth away from getting a smackdown.
tldr; they can't really steal the whole internet, but we need to watch out for smaller route hijacking.
Because (assuming that you don't trust the Chinese CA), they would have to use Google's private key in order to produce signed data that was tied to the identity asserted in the certificate issued by the CA that signed for Google.
If you trust a CA that is controlled by the attacker, you're toast. You have to ensure that you do not. (I don't think most people in the world have any idea what a CA is though, let alone how to tell their browsers which ones to trust, so the reality is that any CAs that Mozilla or Google or Microsoft or other browser makers trust (by including them in their browsers by default) are also "trusted" by you.)
The big difference is that the NSA does not generally disclose commercial secrets to US corporations. If Chinese SIGINT gets hold of commercially sensitive information, it goes straight to the relevant Chinese companies. I'm not sure what other countries do these days. The French used to bug the seats on airliners to try to overhear commercially sensitive conversations, but they haven't done that (or, at least, got caught doing that), for a couple of decades. It's less of a problem for most companies if the US intelligence services know what they're doing than if their competitors do.
I am TheRaven on Soylent News
That you've ordered such-and-such with your credit card data?
Either it was April Fool's Day or getting near April 15th and they wanted to see our tax returns. Anyhow, most of what they probably got was porn anyhow and they don't need that as they are the world's champions at reproducing - since they have the largest population.
I'll give you A and D, but false BGP advertisements in no way facilitate B or C.
If you can do C, there's no need to do what's mentioned in the article, either.
So for all your blabbering, you have no point.
Well, then my question wasn't rhetorical.
How long would it take to brute-force a 128-bit key using modern hardware such as the Tianhe-1A, which has peak performance of 4.701 petaflops? What about using a bot network?
Is it theoretically possible to derive the server's private key from a session key? How about from multiple session keys?
I also expect that there are still MD5 certificates in use out there, and possibly even on .mil sites.
And of course, the possibility that SSL might be vulnerable to an attack if the attacker has a plaintext, and HTTP contains known plaintext such as "GET / HTTP/1.1".
Hello little man. I will destroy you!
All your Cloud is belong to mil side of China.
Got Root?
-- Tigger warning: This post may contain tiggers! --
Oh, you mean the countries who run the Echelon system? You left out Australia and New Zealand.
Honestly, HTTPS / SSL is The Ultimate Theater of Security.
Umm, no. What it isn't is a system that makes it impossible for governments to do shenanigans; it's more aimed towards stopping other types of threats (e.g., random fraudsters with computers) and it most certainly raises the bar for that much more commonplace issue. Yes, it's possible to have a PKI that is mostly government-proof (using just your own root CA) but that's not much good for communicating with anyone outside your local chapter of the tinfoil hat brigade. The practicalities of the wider world (e.g., not having a particular CA able to hold their customers over a barrel) pretty much require losing some safety, and at some point it becomes necessary to couple to real-world identities anyway (and governments naturally are concerned with that, especially for taxation and in the judicial branch).
"Little does he know, but there is no 'I' in 'Idiot'!"
it was probably all porn anyways
Link
You are being MICROattacked, from various angles, in a SOFT manner.
You think /. users RTFA?
Who says they are not sending the traffic along to the real destination? So you'd get a reply from the real destination and you would send more data through China. Only difference from your point of view (possibly a bit slower); possibly they will just see only one side of the conversation, but that can be useful too.
New things are always on the horizon
Slashdot is a Web 2.0 application depressed folks to sit around doing nothing for HOURS each day, in isolation, while getting the emotional feedback of accomplishment.
FYP
Social Engineering Expert: Because there is no patch for stupidity.
I send all my emails in Pig Latin. Ucksay ityay, Aidubay.
BGP says. If you tell the Internet, via BGP, that you own x.x.x.x network, then who are you going to forward the traffic to? Who's going to send it to the "real destination" when you said, via BGP, that you own it?
You have become the real destination!
I haven't seen any report that says China became a transit network upon hijacking these prefixes. If they somehow did, then they could just sit back and watch traffic flowing through. I don't see where they did that, though. If they did, I'd love to read about it.
-John
It depends on the algorithm used, the performance of the individual nodes, the number of nodes being used in the attack, etc. Botnets vary wildly in size and performance. The Chinese supercomputer is (most likely) composed of off the shelf Intel or AMD processors. If someone used hardware custom designed to run a brute force attack, it might run much faster. (That's how some of the RSA challenge cracks were done.)
"Is it theoretically possible to derive the server's private key from a session key? How about from multiple session keys?"
Shouldn't be if you are using a well designed algorithm! If you could, that would be a major hole.
China, has many connections to the outside world, they obviously have a route to the real destination.
They announce the prefix of the real destination to some of their BGP-peers. Traffic from users flows to them if the routers of their peers accept the route and think this is the shortest path.
They send the traffic along to the real destination over one or two of the other peers.
The traffic arrives at the real destination and replies to the client. The client receives the reply and sends more data (through China) to the real destination.
So China sees one side of the conversation.
The only security that is built in is if the other peers actually properly filter the traffic so that they only accept traffic from prefixes China announces.
I do not have any data about what really happened.
New things are always on the horizon
To get a sense of how long it would take to find a particular key, consider:
The key has n bits, so there are 2^n possible keys that can be enumerated with those bits.
Each processor can test m keys per second. (I'm assuming each processor has the same performance, and ignoring latency between CPU nodes, I/O latency, or anything else that might slow the system down.)
You have access to p processors.
So the time to process all 2^n keys is:
(2^n)/p*m
Note that the value of m doubles once every 18 months (due to Moore's law), so to keep the key finding time constant, you must also add a bit every 18 months. (Adding bits is fairly cheap, but developing faster processors is not!) The value of p is not all that important because p increases linearly as you add more nodes, while n and m increase exponentially. To figure out how long of a key you need for a given algorithm, you simply need to determine the amount of time that you want to keep your data secret for, and choose a number of bits such that (2^n)/p*m is sufficiently large.
I'll let you plug in the numbers and work out the exact times for your favorite system for yourself. :-)
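Carrying the post's estimate through symbolically, as an added derivation that is not part of the original comment (n, m and p as the post defines them; t is elapsed time in months and m_0 the per-processor rate today):

$$T(n) = \frac{2^n}{p\,m}$$

Under the post's Moore's-law assumption the per-processor rate grows as $m(t) = m_0 \cdot 2^{t/18}$, so

$$T(n, t) = \frac{2^n}{p\, m_0\, 2^{t/18}} = \frac{2^{\,n - t/18}}{p\, m_0}.$$

Holding $T$ constant therefore requires $n(t) = n_0 + t/18$, i.e. one extra key bit every 18 months, which is the post's rule of thumb. Doubling the number of processors $p$ only subtracts a single bit from the exponent, once, while the exhaustive search time $T$ halves for every bit removed; on average the key is found after about $T/2$.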
And how does China stop those specially selected BGP peers from advertising the hijacked routes to their peers? And from there to their peers? Etc., until the entire backbone knows China owns those hijacked prefixes? And at the same time, make sure China's legitimate prefixes do get advertised around to everyone?
Sure, they could have become transit for some networks attached to them, but I doubt that'd apply to any networks within the US or even this hemisphere.
I do not have any idea what really happened, either.
...it's not super-secret!
I think you underestimate just how much data that is...
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Ah, so! Ah, so! Me frappy dickie!
Which is why the IETF has the sidr working group. In a nutshell, a resource PKI is handed to organizations owning resources. For example, the root owns all so it hands out ASN numbers, V6 & V4 blocks as well as a resource certificate showing these allocations to each RIR. The RIRs sign (with their RPKI cert from the root) sub allocations to LIRs (ISPs) who sign sub allocations to smaller ISPs... etc.
As an owner of a resource cert (+key),
- ISP A could cms sign a ROA (Which states what resource blocks your upstream(ISP B) is allowed to advertise). Anyone could then verify that ISP A is allowed to ?originate? prefixes for ISP B
- You could sub allocate resources to a third party and create an RPKI cert for them as proof to the world.
Anyone else can use validation tools (RIPE validator, rcynic, ?BBN?) to validate ROAs, AAOs ... etc from repositories.
ISPs could then write scripts that verify prefix advertisements by using the data from the validation tools... ./ does this solve the problem?
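The "scripts that verify prefix advertisements" this post ends on, and the peer-side filtering the earlier post describes as the only built-in security, come down to route origin validation: compare each received announcement's prefix and originating AS against the set of validated ROAs and mark it valid, invalid (covered by a ROA but with the wrong origin or too specific) or not-found. The following is an added example, not code from the thread, the sidr working group or any RIR validator; the ROA set, the `prefix|AS_PATH` log format and the ASNs (private-use range) and prefixes (documentation ranges) are all constructed for illustration.

```python
# Route origin validation in the style of RFC 6811, checked against a
# hand-constructed set of ROAs. Added example; not an RIR tool's code.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization: origin_asn may announce any
    subnet of `prefix` whose length does not exceed `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int

    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed ROAs: documentation prefixes and private-use ASNs, not real allocations.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),   # permits /22 down to /24 sub-announcements
    ROA("2001:db8::/32", 48, 64502),
]


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    # Only ROAs of the same address family can cover the prefix.
    covering = [r for r in roas
                if r.network().version == net.version and net.subnet_of(r.network())]
    if not covering:
        return "not-found"   # no ROA covers this prefix; RPKI says nothing about it
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or more specific than allowed


def origin_asn(as_path: str) -> int:
    """The originating AS is the rightmost element of the AS_PATH."""
    return int(as_path.split()[-1])


def filter_updates(updates: Iterable[str], roas: Iterable[ROA] = ROAS) -> Tuple[List[str], List[str]]:
    """Apply the common deployment policy: drop 'invalid', accept 'valid'
    and 'not-found'. Each line is 'prefix|AS_PATH' (constructed format)."""
    roas = list(roas)
    accepted, rejected = [], []
    for line in updates:
        prefix, as_path = line.split("|")
        state = validate(prefix, origin_asn(as_path), roas)
        (rejected if state == "invalid" else accepted).append(f"{prefix} {state}")
    return accepted, rejected


# Constructed UPDATE log. The /25 and the two AS64511 lines model the kind of
# more-specific or wrong-origin announcement the thread is discussing.
SAMPLE_UPDATES = [
    "203.0.113.0/24|64496 64500",    # legitimate origin            -> valid
    "198.51.100.0/24|64496 64501",   # /24 within max_length 24     -> valid
    "198.51.100.0/25|64496 64501",   # more specific than allowed   -> invalid
    "203.0.113.0/24|64497 64511",    # wrong origin AS              -> invalid
    "192.0.2.0/24|64497 64511",      # no ROA at all                -> not-found, accepted
    "2001:db8:1::/48|64496 64502",   # IPv6, within max_length      -> valid
]

if __name__ == "__main__":
    acc, rej = filter_updates(SAMPLE_UPDATES)
    print("accepted:", *acc, sep="\n  ")
    print("rejected:", *rej, sep="\n  ")
```

The not-found case is the important caveat: a prefix with no ROA is still accepted, so a hijack of unsigned space is not caught, and the scheme only protects networks whose holders have actually published ROAs. Real deployments also feed the ROA set from a validating cache rather than a literal in the script.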
Well, maybe not 100% but it's established that the bulk of US traffic is trunked off to closets in AT&T (and other) switch rooms. This is going to include any communications going to points outside the US and (more importantly) any traffic that happens to be routed through the US while going between two points outside the US.
And don't forget that all that data is retained for years...
Also one of the Google documentaries mentions something similar at google...
But back to the story;
Remember when the US dropped that EP-3E Aries II reconnaissance plane on china's doorstep...
Can you the Chinese them for wanting to try out all their new tech...
Talk about dropping the ball!
Identifying people I don't want to be friends with?
No one has to intercept anything, or maintain a session. Just TCPdump the lot, and look at it later.
That is, unless they are trying to intercept SSL, which they COULD do, as a CA cert controlled by a Chinese company has been added to most browsers already.
Choose some tier-1 providers, they don't share.
New things are always on the horizon
You know this is Slashdot, home of news for nerds and stuff that matters.
It is neither Digg nor Fox News, so how about you do us ALL a favour and stop talking sensationalist bullshit.
Farmville by Zynga requests the most basic default level of permission i.e.
Access my basic information
Includes name, profile picture, gender, networks, user ID, list of friends, and any other information I've shared with everyone.
You see that last phrase ??? INFORMATION I'VE SHARED WITH EVERYONE. So you put stuff online, set the privacy level to the lowest (can be seen by everyone), then complain about privacy because everyone can see it ?
Are you illiterate or just plain dumb ?
Disclaimer : I have no affiliation with either Zynga or Facebook. I'm just tired of all this bullshit masquerading as truth. Either check your facts or shut the fuck up.
Actually, I'm just not naive, and I've managed IT for almost two decades. You obviously are not aware of how fast your info is being pushed to 3rd parties +. Facebook has already admitted that 3rd parties were gaining access by apps passing the info along, they have blocked those apps. Zynga has their own privacy problems. I'm on Facebook daily, just smart enough to not put anything valuable on there. If you want to believe that Facebook will "do no evil", just like google, fine, but I have tested enough to know better. They are sloppy, they are not focused on security, and they let shit slide to make money, like many businesses.
But it is what it is, and it wouldn't take much for you to test that system yourself. Why don't you stfu and do that, instead of being a fanboy?
Tequila: It's not just for breakfast anymore!
Only unclassified material with .mil is trafficked via the Internet. Classified materials reside on classified networks that are not connected to the Internet and are routed through US (and their allies) communication systems (and encrypted, obviously).
The main security problem is people taking info off of the classified network and putting it on the network that is connected to the Internet, not the fact that some Internet traffic was routed through China for a while.
What's the purpose of Facebook pokes?
What's the purpose of Facebook?
To have a right to do a thing is not at all the same as to be right in doing it
But this is all assuming that no weakness is found in the randomness of the keys or the encryption algorithm itself. In other words, assuming that the Chinese haven't stumbled on a method of breaking SHA hashes or RC4.
(And my assumption that the NSA has a way around it still stands. I'm not convinced they would allow the world to have 128-bit encryption in exported software unless they had a way to crack it.)
BTW, the Chinese supercomputer is actually composed of "Nvidia Tesla M2050 general purpose GPUs" along with Xeon CPUs, so it seems to be quite suited for the job.
Hello little man. I will destroy you!
John - here's the report that suggests it may well have been operated as a transit network:
http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249#
The relevant bits:
"This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect."
They
Sensitive .mil data, however, DOES have the option of being passed over the internet, depending upon application. An example might be management of military benefits, wherein service members have a reasonable expectation of being able to interact and query their benefit data without having to find a red terminal.
China BECAME PORN.