Does China's Cyber Offense Obscure Woeful Defense?
Gunkerty Jeb writes "The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
first to post, wins!
...the US government is keeping mostly mum about the threats coming over from China. That and they want to keep getting their money.
The official line in Washington D.C. is that there's a new Cold War brewing
Since when?
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
I wonder why China never thought of securing their systems more tightly. Surely they must have realized that retaliation would come their way at some point, no? I mean, aside from the fact secure systems are usually preferable to ones that are not...
"Best defense is a good offense"
If you can attack them quick and well enough, they won't have any non compromised systems left to come back at you. :)
I am 31337 or something.
Did he hit a bunch of honeypots? If China is better defended than he thought, he'll be dead by morning.
But clearly you have something better to say...
Fear over the cold war kept jobs in the United States... Maybe if I had enough $$$ to be 'global' I'd be happier, but as it stands I'm stuck here locally...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Most of the hacking and spam that come from China can be directly traced to compromised pirated versions of Windows. Just walk down the street, pirated software is but a block away in many cases. Unfortunately for them, their compromised machines can be turned against them.
You know the ol saying. Live by the sword, die by the sword (or some such).
Life is not for the lazy.
and then the usa can bill china 1B for his death.
Another example is China's National University of Defense Technology. They had a bunch of Web servers that weren't using SSL or HTTPS
This is basic stuff...good lord are they bad.
I'd estimate that 40% of logins are user name and either all numerical or all lowercase passwords. There are no hash or space characters.
I'm just going to stop here.
Everyone copied it illegally to save a buck.
This sounds crazy, but why does China need to put effort into as much defense as other places?
If one thinks about it, they really don't have much to lose, compared to American or European businesses. Militarily, China may have trade rivals, but no true enemies. They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
Because China really has no world enemies, combined with the fact that their IP is already known to others, and any secrets they do have are basically evolution of other ideas, they really don't need as good a defense of their IT assets.
Realistically, who can play ball with them in the espionage department? The US? After Operation Sun Devil, any blackhats make themselves really scarce. Europe and Russia? Far easier targets in the US. The Middle East? Arab nations and Iran [1] are more interested in cutting deals with China than actually hacking them.
This isn't to say China does not do R&D. However, the level of security they need is far less than the level of security needed by other countries, because they are not as big a target for extremists, and they have no real rival in the espionage department.
[1]: Iran != Arab.
Mutually assured cyber destruction. I can't wait for the made-for-TV movie!
I use irony whenever I can, but my shirts are still wrinkled...
"the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
I don't think anyone is, or even can be, prepared to fend off large-scale "cyber attacks". ...
If there's one thing that you can rely on, it's that big organizations are always several years behind on implementing new technology in a large scale. Sure, the NSA etc might be doing cutting edge security research and stuff, but how long does it take to get defences against new attacks actually implemented across the rest of the government infrastructure? And everything is networked together, so one weak link is enough
It's the same in China, the US, and everywhere. I think the advantage in hacking is always with the hacker because of this - a determined and well-resourced attacker will nearly always find some way to get through simply because he can keep trying until he finds the one attack that was not prepared for. Just look at how easily Sony was carved open.
There's the old saying that the only way to keep a secret between three people is if two of them are dead. In a similar way I'd say the only way to keep digital systems secret from remote attackers is not to allow them near any kind of network at all. Physical isolation is the only way to offer meaningful security.
I'd tell a UDP joke, but you may not get it. I'd tell a TCP joke, but I'd have to keep repeating it until you got it.
The official line in Washington D.C. is that there's a new Cold War brewing
The official line from Fox News is that there's a new Cold War brewing
So... what you're saying is that the only thing that keeps American hackers from overrunning China with viruses, spam, and various forms of hackery is that we haven't taken the time to learn their language? That's either impossibly inaccurate or we are incredibly lazy. Hey Anonymous! Go learn some Chinese.
Mod me down, I shall become more off-topic than you could possibly imagine.
It was probably "nice" of him to report his findings to China CERT but as a citizen of the U.S. (I'm assuming, if he's working for NSS) couldn't that be considered something, I dunno...bad? I mean, China is an enemy of the U.S., and the cold war is based on information. "Hey, dude, your fortifications are weak here, here and...oh here." Seems a little off. I would probably have submitted the information to someone on our side, but I do see his neutrality point - a bit.
Yawwwwwn.
They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
The Uyghurs are trying. They aren't half the threat that the PRC makes them out to be (the same could be said for Al-Qaeda), but they are still a threat and they still do blow stuff up and kill people.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Basically 25% of our debt is in foreign hands, 23% of that the Chinese own. This means they own about 6% of the total US federal debt.
Err..
I'd be interested to see how well prepared our (USA) infrastructure is.
Let me guess...
We are not at war--we are rivals, competing for political influence and economic power, but we are not enemies. Hell, we are rivals with most European powers-- political rivals with France, political and economic rivals with Germany, etc.
His general point was to raise awareness among the Chinese that being aggressive in the "cyber sphere" (whatever that really means) might not be a good thing, because their infrastructure was at least as vulnerable to attack as the US's is. He wasn't clocking individual exploits to give anyone an advantage, he was measuring overall vulnerability to encourage Chinese policymakers to think twice about attacking (or condoning attacks) on US networks.
'nuff said
Maybe it'll take the American equivalent of China's "patriotic hacker" movement, to educate the Chinese of the error of their ways.
"Because the best defense is a good offense. Do you know who said that? Mel the cook on Alice."
In all reality, I doubt either country would be in position to fend off cyber attacks. I mean the US government tried to go after Anonymous and ended up having the security firm they hired get a huge black eye and multiple government websites getting smacked up as well. In terms of China, they have attacked multiple countries, but it seems when they get hit themselves they stop what they were doing and being denial of the facts.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
"The Uyghurs" are trying? As an entire race? Really?
If anyone here says something along the lines of "the Muslims are trying to level NYC" they'd be buried. Rightfully.
There is not a cyber 'cold war' brewing. It is already happening. I've seen it at the company I work for first hand. The Chinese are infiltrating and stealing everything they can copy the bits of from US corporate infrastructure. Most companies don't even have the awareness to know they are infected. They believe having a firewall and Anti-Virus is protecting them. Anyone who thinks the US isn't doing the same things to China is just being willfully ignorant.
Do really dense people warp space more than others?
Their firewall is fully operational!
Ave Molech Setting
Because if we didn't have something to flee from in cringing terror at all times, politicians would be forced to account for our failing states, education systems, healthcare infrastructure, employment, and foreign policy.
Good people go to bed earlier.
I was at Google when the Chinese attacked, and I felt personally violated. I would be more than happy to see the favor returned.
And anyone who doesn't think it was actually the Chinese intelligence agency that mounted that attack against Google is a victim of wishful thinking.
--
$tar -xvf
The communist Chinese are good at one thing - talking big.
They can't even keep their own system safe.
I hope this young man is correct in his assessments which pretty much trash / emasculate China's own Cyber vulnerability in the eyes of the readers. I had read for some time already that since many or most Chinese computers run on pirated Microsoft Windows products that this could be the case. I always wonder when odd perspectives like this are injected into a volatile mix in the area of Warfare / Public Opinion / Technology if there isn't some attempt being made to mold, test or to shape popular opinion. This was especially the case in WWII when there were efforts of all sorts underway these releases were attempting to obscure through - 'disinformation'. During WWII this was commonplace. To what ends I cannot guess - it could even be exotic..? Any thoughts on this from the /. Community?
and it got only one Trojan within one year of operation
in contrast to a European and US version!
-
It caught 1 Trojan over three years of operation
in contrast to a European and a US copy of XP
That there is not and never has been a credible threat from China on this. That the entire purpose of the cyberwar hype is to generate juicy defense contracts selling snake oil to the government. Your taxes at work.
http://rocknerd.co.uk
I don't think there's been much discussion of China's vulnerability, mainly because their society seems so much less DEPENDENT on tech than the West (particularly the US).
To pick a superficial example:
- person A has a top of the line firewall, and orders all their groceries online every other day
- person B has a garden and farm animals.
Clearly, person A has far better 'defenses' than person B, but who's really more vulnerable?
-Styopa
China couldn't care less about a US cyberattack hitting them. Cyber uptime is not essential for China in the same way the USA has been dependent on computers since the IBM 360 circa 1964.
That time the common experience of many Chinese people was "cultural revolution re-education" with manual forced labor in rice paddy fields. Computers came to them like 1994 or 2004 or so. They do not yet have a grown-up generation that would collapse if computers went kaput.
On the other hand, God save America from all screens going blank suddenly, as that would be like end of the civilization! USA already has like two full generations who had never lived in an IT-less and infocomms deprived world.
The Chinese are tougher and radio, printing press leaflets would be enough for the Beijing govt to maintain control, as well as the bayonets of its Red Army.
Premise: Trojans try to make themselves really obvious so I can easily spot them and remove them.
Observation: I've never noticed a trojan in my system.
Conclusion: I've never had a trojan in my system.
Stuxnet included !