Despite Promises, China Still Targeting US Firms (crowdstrike.com)
itwbennett writes: Three weeks after the U.S. and China reached their first ever cybercrime and cyberespionage agreement, a new report from CrowdStrike details intrusions from hackers affiliated with the Chinese government, indicating they almost immediately broke their word. In a blog post, CrowdStrike's Dmitri Alperovitch said the first observed intrusion was detected on September 26 – one day after President Obama hosted President Xi Jinping of China for a state visit.
While I don't view my personal website as being valuable to anyone, my server does get hit by a lot of script kiddie type attacks that are coming from Chinese IP addresses. It seems that these "hackers" (who always fail as the overwhelming majority of them do tens of thousands of attempts to ssh in as root) are just hitting my server by IP address without concern for its function (beyond running ssh [yeah, I know there are things I can do to prevent or slow down their attempts but I don't want to]). It would be interesting to know if maybe they're just honing their techniques by trying systems in my IP address range.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
That's just what we call pillow talk.
Is anyone surprised by this? Even a little bit? I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough, the plainly observable truth will just go away. How else would you explain their straight-faced, utterly disingenuous denials?
The only way they will stop is if you publicly humiliate them inside China or at a major event.
Everything else won't work.
-- Tigger warning: This post may contain tiggers! --
Well, if they promised, then it should have stopped by now, right?
I mean, after all, they promised, and everybody knows that's binding.
Or, alternatively, the shit nations tell one another is pretty much meaningless lip service, and China doesn't give a crap what anybody else thinks.
Lost at C:>. Found at C.
It's not hard to imagine that there are disagreements and rogue elements within China, even within China's government. There certainly are contradicting practices and policies within the United States! Out of one side of our mouth, we say "torture is horrible and should be banned," while out of the other, we refuse to agree to the Geneva conventions on torture. Why wouldn't we expect China to have similar in-fighting and disagreements? To what extent is this hacking endorsed by their government?
Everyone knows China is the go-to scapegoat for Infosec people. Crowdstrike, in particular, is a well known smoke seller.
It's too bad that the very same people that could be helping build a better society, are trying to get govt. money by war-mongering, spreading bullshit about other countries and hoping the local govts will pick the bait.
Obama is negotiating with North Korea. Any guesses on how that will work out?
One of the reasons for so many attacks "from China" is that they have one of the largest networks of "pirate", not maintained, old XPs... the rest is just political talk. Look, a flying commie that eats babies just went by!
Did anyone really believe that any agreement was worth a pound of noodles?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Quick show of hands. How many people are using a VPN from a different country so they can access Netflix overseas? Uh huh.
If Netflix can't determine the country of origin of a bunch of brainless media consumers, why is everyone so ready to believe that professional hackers can't hide their point of origin and pin it on China? Seems like that would be a no brainer for anyone wanting to cover their tracks.
Or maybe it's just a bunch of Chinese script kiddies having fun with no government involvement at all. Hell, I bet the American script kiddies are having just as much fun re-routing their attack traffic through China to make it look like state sponsored cyber shenanigans.
Daily State Department press briefings with verifiable evidence of the actions, with the same basic script every time: "Given that our Chinese friends have pledged not to be engaging in nor benefitting from such actions, one can only conclude they have lost control of their internal domestic networks."
The Chinese government would hate nothing more than being publicly accused of not having iron control, to the point of possibly even shutting the hacking down for real.
there are only two kinds of organizations in the world: those that know they've been hacked, and those that don't know it yet.
nothing to see here - move along
A big part of the problem is this BO administration. Worse than Jimmy Carter, this one is frankly, in-your-face anti-American, trying to trash the country.
You should read Machiavelli. Definitely western.
Yes, he is criticized, but it started because he was describing the *real* politic and exposing the (then current) dirty laundry. Why did he do it? Because he was under house arrest following a change in government and wanted to be active again. He was trying to demonstrate that he had political savvy. It wasn't a book for general consumption (no such thing existed at the time anyway), but written for the guy in charge.
Even the best known quotation is done misleadingly. "The ends justify the means" is how it is quoted, but that isn't what he said. Closer (from memory) is, "In any endeavor the end must be considered." Which should be common sense.
FUCK CHINA!
Do you mean like a Nigerian Prince that needs your help and your bank account information?
While true, there's a lot more to it than that. Just because a treaty is signed the laws aren't automatically changed, neither is the behavior of bureaucrats.
And the preceding paragraph assumed that the attacks were coming from Chinese government agents. This has hardly been proven.
Only at this point do we come to the question of "Has the US stopped attacking China?". *PERHAPS* the government has. It's opaque enough so all I can say is "I don't believe it has.". But it's quite clear that no real action has been taken to control either commercial interests or individuals.
Did anyone really expect anything different? This treaty looked like a piece of PR work from the beginning.
I think we've pushed this "anyone can grow up to be president" thing too far.
While true, that ignores the fact that "On the internet, nobody knows you're a dog." You can't tell *where* the attacks you notice are coming from, unless they are so incompetent that you can presume they didn't forge headers, use indirection, etc.
I think we've pushed this "anyone can grow up to be president" thing too far.
The government can't protect us or itself from security threats from China by agreement. Only a bunch of incompetent 'security experts' would even suggest it. These people are playing games trying to be important when they know little to nothing about real security. The only way we can even begin to secure our systems is by reducing the bloat to something manageable for which we can actually audit (and I don't mean the type of audit that was done on Truecrypt- but a real audit) and designing better KISS hardware.
1. We need the sources for every piece of hardware to be publicly available.
2. We need every critical application design to be reviewed by security focused groups and every line of code that goes into production to be reviewed by multiple competent parties.
3. We need the designs to be made publicly available for every component.
4. Resist implementing overly complex code.
5. Stick to well understood security conscious languages.
6. Sane default settings for a given use case- if you're going to depend on code which is not used by a significant number of parties then it needs to be severely contained and executed in a manner that is well designed to cope with it. i.e. we don't need images with scripting capabilities, if we really need macros in word documents then the macros need to be properly contained by well implemented code.
7. Design hardware to have a long shelf life so that we can thoroughly understand the designs and review the code.
8. We need to stop playing games. Pretending like secure boot is security- or anti-virus software is security. These are little more than gimmicks. It's not making us any safer. It's not being implemented properly by *anyone* and even if it were it's increasing risk by increasing bloat and it's not even auditable because we don't have the code to do it.
More code equals more bugs. More complex code equals more bugs. We need to resist implementing overly complex code.
Insert free advert for CrowdStrike Falcon
How is this CrowdStrike Falcon immune from hack attacks?
Why aren't these 'Chinese' hackers bouncing their attacks off servers in another country?
This 'Chinese' hacker bogeyman is becoming tedious.
Most people here don't get their tech info from watching CSI: Cyber.
There wasn't a treaty. It was just a joint statement. Reportedly, the US was starting to threaten the public discussion of sanctions, and China hastily came up with the idea of voluntarily agreeing to terms regarding what is and isn't legal espionage.
China would be making announcements if they had intelligence regarding US attacks. It would benefit them very much to have something solid, a named event, in the discussion. The reality is though that the US methods are very different. The US government doesn't employ teams of script kiddies to do that work, they employ a ginormous signals intelligence infrastructure that is undetectable when data is not leaked.
If the Chinese didn't take action after this to smack some people down, I'd expect the backroom diplomatic discussions to heat up a notch. The details of that aren't likely to become public until a future stage of the process.
If the news cycle has these stories next year during the Presidential Debates, then anti-China sentiment could really gain traction. I don't think the Chinese want this fight. I think they execute the two or three most decadent of their script kiddies, stop attacking US corporations (temporarily), and focus on non-US installations of international corporations with headquarters outside the US. At least until after the election. And on a continuing basis if there is anti-China sentiment in the US.
Perhaps all countries do this like they do with spies. As written in Mad Magazine decades ago, "When we want to know more about another country's activities, we employ intelligence agents. When another country does the same to us, we accuse them of using spies."
mfwright@batnet.com
Obama is a hopeless wimp and a god-awful "negotiator," and we've no more reason to suppose China will live up to bargains with him than Russia or Iran will. They are laughing their asses off at this putz. Spare us the bewildered tone of surprise, this is exactly what we all wanted when we elected this idiot.
Get away from any open networks, air gap within a site, encrypt to a better standard than what's floating around as a default.. hire people who understand networks at the site level, who can design/work well with advanced encryption. :) Just with super computers on site. :)
It's going back to the walk in vault of past decades
Why has all the secure information been open networked in the USA?
The best designers enjoy life in some culturally enriched leafy suburbs and cities. The production lines are in other states thanks to some political jobs deals, huge energy needs decades ago. So the complex mil/gov only networked data has to be sent over vast distances via front companies, networks, telcos, foreign brands. They all get a look or can split the networks.
Better crypto can't secure the huge open facing networks that link the university and company mil/gov networks to the many distant suppliers and production line sites.
The US traded the comfort of its best designers and private sector needs for security per project site. Every winning state gets a bit of the huge federal contract and can hide the really skilled workers per state, city.
Networks solve the distance issue and allow the very best to work all over the US and add their ideas quickly.
The problem is the networks are not well understood, open to the world or just set to US junk standards by default.
Other advanced nations just split the network and get vast amounts of free data and can ip/date the blame on other nations.
Security audits long after the event then find simple traces leading back to the expected list of nations
All the political leaders did was ensure their state got good paying mil/gov jobs. Nobody told them to factor in the tame networks, complex security needed to work in other states and send sensitive design data every year over decades.
Domestic spying is now "Benign Information Gathering"
I'm sure our president will take prompt, strong, effective action based on his long string of foreign-policy successes.
-Styopa
You are, of course, correct about it not being a treaty. In fact I suspect that it was entirely a PR move, and no change in action is contemplated by either side. This is the more likely as there's no accurate way of telling where a cyberattack is coming from.
I think we've pushed this "anyone can grow up to be president" thing too far.
MACs can also be changed, though admittedly it's uncommon.
When they start shutting down botnets quickly, then I'll believe that there are reasonably accurate ways to trace an attack.
I think we've pushed this "anyone can grow up to be president" thing too far.