Slashdot Mirror
Does China's Cyber Offense Obscure Woeful Defense?
Gunkerty Jeb writes "The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
The official line in Washington D.C. is that there's a new Cold War brewing
Since when?
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
I wonder why China never thought of securing their systems more tightly. Surely they must have realized that retaliation would come their way at some point, no? I mean, aside from the fact secure systems are usually preferably to ones that are not...
"Best defense is a good offense"
If you can attack them quick and well enough, they won't have any non compromised systems left to come back at you. :)
I am 31337 or something.
What the 6% of our debt they own?
About the same amount the Japanese own.
Where does this "The Chinese own the US" myth come from?
Did he hit a bunch of honeypots? If China is better defended than he though, he'll dead by morning.
But clearly you have something better to say...
From the interpretation that sensationalist news services give to the words of scaremonger politicians.
Fear over a the cold war kept jobs in the United States... Maybe if I had enough $$$ to be 'global' I'd be happier, but as it stands I'm stuck here locally...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
oooo... major ownage...
Most of the hacking and spam that come from China can be directly traced to compromised pirated version of Windows. Just walk down the street, pirated software is but a block away in many cases. Unfortunately for them, their compromised machines can be turned against them.
You know the ol saying. Live by the sword, die by the sword (or some such).
Life is not for the lazy.
and then the usa can bill china 1B for his death.
Another example is China's National University of Defense Technology. They had a bunch of Web servers that weren't using SSL or HTTPS
This is basic stuff...good lord are they bad.
I'd estimate that 40% of logins are user name and either all numerical or all lowercase passwords. There are no hash or space characters.
I'm just going to stop here.
Everyone copied it illegally to save a buck.
It might be the rate at which they're acquiring our debts.
I swear to God...I swear to God! That is NOT how you treat your human!
This sounds crazy, but why does China need to put effort into as much defense as other places?
If one thinks about it, they really don't have much to lose, compared to American or European businesses. Militarily, China may have trade rivals, but no true enemies. They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
Because China really has no world enemies, combined with the fact that their IP is already known to others, and any secrets they do have is basically evolution of other ideas, they really don't need as good a defense of their IT assets.
Realistically, who can play ball with them in the espionage department? The US? After Operation Sun Devil, any blackhats make themselves really scarce. Europe and Russia? Far easier targets in the US. The Middle east? Arab nations and Iran [1] are more interested in cutting deals with China than actually hacking them.
This isn't to say China does not do R&D. However, the level of security they need is far less than the level of security needed by other countries, because they are not as big a target for extremists, and they have no real rival in the espionage department.
[1]: Iran != Arab.
Mutually assured cyber destruction. I can't wait for the made-for-TV movie!
I use irony whenever I can, but my shirts are still wrinkled...
$11 million is pretty much chump change in this day and age when it comes to corps.. whether the story is "propoganda" or not, who knows, but it'd be on the same level as saying a story about China counterfeiting goods is a propaganda story. Actually the counterfeiting of goods would be a bigger story. Basically, nothing to see here.. move along.
"the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
I don't think anyone is, or even can be, prepared to fend off large-scale "cyber attacks". ...
If there's one thing that you can rely on, its that big organizations are always several years behind on implementing new technology in a large scale. Sure, the NSA etc might be doing cutting edge security research and stuff, but how long does it take to get defences against new attacks actually implemented across the rest of the government infrastructure? And everything is networked together, so one weak link is enough
It's the same in China, the US, and everywhere. I think the advantage in hacking is always with the hacker because of this - a determined and well-resourced attacker will nearly always find some way to get through simply because he can keep trying until he finds the one attack that was not prepared for. Just look at how easily Sony was carved open.
There's the old saying that the only way to keep a secret between three people is if two of them are dead. In a similar way I'd say the only way to keep digital systems secret from remote attackers is not to allow them near any kind of network at all. Physical isolation is the only way to offer meaningful security.
I'd tell a UDP joke, but you may not get it. I'd tell a TCP joke, but I'd have to keep repeating it until you got it.
The official line in Washington D.C. is that there's a new Cold War brewing
The official line from Fox News is that there's a new Cold War brewing
So... what you're saying is that the only thing that keeps American hackers from overrunning China with viruses, spam, and various forms of hackery is that we haven't taken the time to learn their language? That's either impossibly inaccurate or we are incredibly lazy. Hey Anonymous! Go learn some Chinese.
Mod me down, I shall become more off-topic than you could possibly imagine.
Where does this "The Chinese own the US" myth come from?
From the same place that "The Japanese own the US" myth came from in the 80's... Ironically the British owned the most US assets followed by the Dutch then the Japanese in the 80's... I have no idea who owns what in what capacity these days.
It was probably "nice" of him to report his findings to China CERT but as a citizen of the U.S. (I'm assuming, if he's working for NSS) couldn't that be considered something, I dunno...bad? I mean, China is an enemy of the U.S., and the cold war is based on information. "Hey, dude, your fortifications are weak here, here and...oh here." Seems a little off. I would probably have submitted the information to someone on our side, but I do see his neutrality point - a bit.
... because, God knows, the Chinese government is trustworthy.
http://en.wikipedia.org/wiki/United_States_public_debt#Foreign_ownership
Is a good starting point. Basically 25% of our debt is in foreign hands, 23% of that the Chinese own. This means they own about 6% of the total US federal debt.
They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
The Uyghurs are trying. They aren't half the threat that the PRC makes them out to be (the same could be said for Al-Qaeda), but they are still a threat and they still do blow stuff up and kill people.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Basically 25% of our debt is in foreign hands, 23% of that the Chinese own. This means they own about 6% of the total US federal debt.
Err..
Anonymous coward with a "fact" and no source.
Quick someone needs to mod this guy informative.
You are entitled to your own opinions, not your own facts.
I'd be interested to see how well prepared our (USA) infrastructure is.
Let me guess...
I disagree about it being US propaganda, because the US can royally lose and lose big in a pissing contest these days. China can do three things in less than 24 hours to royally fsck the US and her economy:
1: Allow the yuan to trade freely.
2: Push for a "currency basket", or have oil be traded by the yuan.
3: Start arming countries or factions that don't like the US. For example, if the Taliban started getting access to UCAVs from a mysterious source. Or Ahmadinejad showing off his new technology of ICBMs that isn't enhanced by Photoshop skills.
Any of these three would cripple the US economy quickly. #3 is farfetched in today's dynamics, but if push came to shove, can be done. #1 and #2 would easily push the US dollar into hyperinflation.
Funny. I looked at the same article.
1,160.1, estimated, as of December 2010.
The debt end 2010 was listed as 13,529.
Divide one into the other and you get 8.6%
A bit larger than 6%.
And price Chinese manufactured goods out of reach? Yeah, that would fsck the US economy. It would fsck the Chinese economy a whole lot more.
#1 is a precondition to this.
Been there and done that, during the Cold War. That wouldn't royally fsck the US economy by any means.
The Chinese can't allow the yuan to trade freely. Their economy is heavily dependent upon exports, if they were to allow the yuan to strengthen they'd have to completely redo their economic policy, hence why they refuse to do it. Remember that even with the growth of their economy, they still don't have enough to go around, and that's assuming that they allowed the rural workers to get a piece of it.
Maybe it'll take the American equivalent of China's "patriotic hacker" movement, to educate the Chinese of the error of their ways.
In all reality, I doubt either country would be in position to fend off cyber attacks. I mean the US government tried to go after Anonymous and ended up having the security firm they hired get a huge black eye and multiple government websites getting smacked up as well. In terms of China, they have attacked multiple countries, but it seems when they get hit themselves they stop what they were doing and being denial of the facts.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
Seems to be correct sir.
Of course if you don't want higher taxes on the wealthy this is the price you pay. Either we tax them or we devalue the currency, when they are the ones making the campaign contributions this is what you see.
The trend of China's holdings is amazing though - from a distant second (less than half of Japan's) to first, in a mere 5 years.
"The Uyghurs" are trying? As an entire race? Really?
If anyone here says something along the lines of "the Muslims are trying to level NYC" they'd be buried. Rightfully.
There is not a cyber 'cold war' brewing. It is already happening. I've seen it at the company I work for first hand. The Chinese are infiltrating and stealing everything they can copy the bits of from US corporate infrastructure. Most companies don't even have the awareness to know they are infected. They believe having a firewall and Anti-Virus is protecting them. Anyone who thinks the US isn't doing the same things to China is just being willfully ignorant.
Do really dense people warp space more than others?
There firewall is fully operational!
Ave Molech Setting
And if people stopped being scared for a moment and thought (which they won't), they'd realize exactly who has whom by the proverbial short hairs on the debt issue. China doesn't want to undermine our ability to pay, say by totally cutting off cash to fund our *deficit* (a different but obviously related issue). They can turn down the cash spigot and make us hurt, but not *too* much, and it'd probably be for our own long term good.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
http://www.treasury.gov/resource-center/data-chart-center/tic/Documents/mfh.txt
I'd say the amount china owns is substantial. I'm against sensationalism as much as the next guy but a trillion dollars held by a foreign country is a shitload no matter how you slice it. Sure Japan has over 75% as much as china but there is a HUGE drop off after that. If we're going to say Japan owns almost as much as China to downplay foreign debt, we should also say Japan and China hold almost as much US debt as the rest of the world combined. You can't totally brush that off to a fox news ratings grab.
Well, they own all your factories.
May the Maths Be with you!
because if we didnt have something to flee from in cringing terror at all times, politicians would be forced to account for our failing states, education systems, healthcare infrastructure, employment, and foreign policy.
Good people go to bed earlier.
It's not 6%... http://www.usdebtclock.org/ Quotes US national debt at ~14 trillion. China holds ~3 trillion in US bonds. That is ~21% of our national debt. Citation:http://news.xinhuanet.com/english2010/china/2011-04/23/c_13842843.htm Also, bonds aren't the only form of obligations the US sells to cover its debts. I think its safe to assume China likely owns a larger chunk of US debt than the bonds alone. In a world of nuclear weapons, economic domination is king. You may also want to look at the alliances China is trying to form with the many enemies (or barely neutral parties) the US has acquired over the years. Most recently that includes Afghanistan, though this is a work in progress. tl;dr China owns roughly 21% of US national debt through bonds alone.
So what you mean roundeye, pirated XP machines no good security?
Yu Dum.
Probably from their currency manipulation schemes that lower the value of their currency (and, in turn, lower the cost to buy their goods). That scheme subsidizes Americans more than any debt ownership. Still, we're mutually dependent, I'm not worried about them.
SSC
It's get harder each day to find posts like this one that leaves out the ideological dogma when evaluating China.
Owning foreign debt is a slight misnomer. China's purchase of government debt instruments is an investment for them. And when you invest you want to chose the most stable and the most likely to fulfill the terms of the investment. In essence they are placing their trust in the US economy. Should they attempt to weaken the US economy it will most likely hurt them worse than the US. A big part of Chinese economy is the US market. Without access to that market they stand to lose big time. Also remember that China does not provide a single product that the US could not supply internally or purchase from another country unlike energy needs. There really is no reason for the US and China not to cooperate with one another.
I hope this young man is correct in his assessments which pretty much trash / emasculate Chinas own Cyber vulnerability in the eyes of the readers. I had read for some time already that since many or most Chinese computers run on pirated Microsoft Window products that this could be the case. I always wonder when odd perspectives like this are injected into a volatile mix in the area of Warfare / Public Opinion / Technology if their isn't some attempt being made to mold, test or to shape popular opinion. This was especially the case in WWII when there were efforts of all sort underway these releases were attempting to obscure through - 'disinformation'. During WWII this was commonplace. To what ends I cannot guess - it could be even be exotic..? Any thoughts on this from the /. Community?
On that topic, I ran a vanilla XP (no service packs) until 2008. Zero virii.
I'm sorry, I not familiar with these hard english words like that. What is a "virii"? It isn't anything that I've ever heard of before.
Back on topic, did that computer get any viruses?
and it got only one Trojan within one year of operation
in contrast to a European and US version!
-
It caught 1 Trojan over three years of operation
in contrast to a European and a US copy of XP
Probably from their currency manipulation schemes that lower the value of their currency (and, in turn, lower the cost to buy their goods). That scheme subsidizes Americans more than any debt ownership. Still, we're mutually dependent, I'm not worried about them.
While China does something to work itself out from the "mutual dependency" with US, what is US doing (or even able to do)?
Questions raise, answers kill. Raise questions to stay alive.
That there is not and never has been a credible threat from China on this. That the entire purpose of the cyberwar hype is to generate juicy defense contracts selling snake oil to the government. Your taxes at work.
http://rocknerd.co.uk
Been there and done that, during the Cold War. That wouldn't royally fsck the US economy by any means.
Last time, the US was very successful at it. For every dollar the US spent in Afghanistan, the Russians needed to spend a hundred dollars. A stinger missile is a lot cheaper than a helicopter. The massive overexpenditure on the military is usually held up as one of the main reasons for the fall of the USSR. The Star Wars program also helped this - it didn't work as a defence shield, but the Soviets thought it did, so they thought that they needed ten times as many ICBMs to ensure that enough got through.
I am TheRaven on Soylent News
I don't think there's been much discussion of China's vulnerability, mainly because their society seems so much less DEPENDENT on tech than the West (particularly the US).
To pick a superficial example:
- person A has a top of the line firewall, and orders all their groceries online every other day
- person B has a garden and farm animals.
Clearly, person A has far better 'defenses' than person B, but who's really more vulnerable.
-Styopa
Are you counting US citizens as holders of US debt in your "rest of the world combined" comparison? I bet you are not. Foreign entities only own a total of 4ish trillion dollars, domestic entities own 10ish trillion. http://www.usdebtclock.org
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
You are correct. I did not include US citizens as part of "the rest of the world" in holding FOREIGN debt. To your credit I forgot to put the word foreign in front of debt in that second to last sentence leaving myself open to semantic attack. Curse you slashdot! You win again. (I just hope I didn't misspell anything...)
I don't know about your numbers, but I do know that there is beginning to be a ... well what appears to be a planned and deliberate media attack against China. Yes I know China appears scary because they have grabbed so much power so quickly and they really do not have the finesse to know how to use it, work with it or manage it effectively, but they are in an accrual phase anyway.
Case 1 for me was the frenzy last weekend about the "Chinese church stopped from having Easter services". This was sheer BS. The story inside the story (and all I did was read the article and apply a tiny bit of understanding) is that an unsanctioned church (tiny bit of special knowledge: Chinese religious bodies must register with the government. Kind of like registering with IRS for tax free status, but more complex since everyone in the institution automatically receives a stipend from the government if they are in a religious institution, and the government wants to place an official inside the institution to make sure that money is handled properly.
OK, the church was not just unregistered, it insisted on NOT registering. Why you might ask. Well it was in the story but no one actually said it: The name of the church was given in Chinese a number of times, but the translation only once at the end of the story: "Watchtower". Oh yeah, they are Jehovah's Witnesses and refuse to have any government connection much less oversight. They are banned in countries all over the world because of this and it's results (no government service for young people). They showed up in the park to have their Easter service: a public park of course and how many were there? about a thousand. You can't have a meeting with ten people without a government permit here (tiny bit of extra knowledge) and they pack a thousand people in a public park and....
Oh, a deliberate publicity stunt! of course. I know the reporters knew this, and possibly wrote the story that way and had it rewritten for them in the west. If not then they already know what is expected now. Yes I am old and a little cynical, but this anti-whoever of the week will just get worse. I am NOT a Chinese apologist, I AM a realist. The Chinese have plenty of problems, you and I don't like their solutions, but then again they don't think much of ours either. Reality requires clear vision, media obscures it , use your mind fully please.
Your final exercise today is to parse the following sig:
Subversion of spatial scale luxury decoration ideas.
China is no longer a communist nation, it is a corporate fascist nation. An autocracy largely run for the benefit and ego of those at the top.
They intrinsically will do nothing that threatens the power and wealth of those at the top. Of course those at the top will use the power of the Government of China for their personal advantage mainly locally but also more internationally in the future.
Corporate wars are very likely to have a made in China origin. Executive corruption, blackmail and even elimination, to ensure corporate competitive advantage. Industrial computer hacking is of course a part of the package.
Chaos - everything, everywhere, everywhen
Premise: Trojans try to make themselves really obvious so I can easily spot them and remove them.
Observation: I've never noticed a trojan in my system.
Conclusion: I've never had a trojan in my system.
Hence, firewall that stealths all ports and doesn't allow any software you haven't specifically OK'd out.
Step one: do not use IE for anything other then company/personal intranet. Block it on software firewall level from accessing anything else.
Step two: Install firefox.
Step three: Install the following add-ons: Adblock+, noscript. Properly white-list things you need.
Step four: Sandbox your browser if paranoid (sandboxie etc).
Step five: Avoid visiting shoddy sites.
You can never make a possibility of infection zero without rendering your machine completely autistic, just as you cannot totally nullify a risk of getting hit by a car if you ever have to go outside of your house. But you can minimize it to extent where your chances of infection are non-existent, and even if infected, the infected process is likely to reveal itself in the exact way you described.
It will still not be zero, but it will be about as good as you can make it, security updates or not. In this regard, most of the loopholes closed by updates add an extra layer of security, but when you're at the level described above, you're already behind so many layers, that one extra just won't make a meaningful difference. As you have observed with your system. That is the point I'm trying to make here.
Stuxnet included !