Slashdot Mirror


User: FhnuZoag

FhnuZoag's activity in the archive.

Stories: 0
Comments: 954

Comments · 954

  1. Re:This is news? on US Defense Contractors and Universities Targeted In Cyberattacks · · Score: 1

    My suspicion is that this is basically observation bias in action. Every public system on the internet in every country is subject to a constant barrage of low level email driven malware, these days. We only hear the reports of the universities, IT security companies, and government services, because these are the only folks with enough security consciousness and enough to lose to notice it, and who are worth writing news articles about. This doesn't mean a particular attack is targeted, or trying to accomplish a particular goal.

    The allegation that the particular attack is 'highly customised' doesn't really stack up. The attack vector here on a company called Digitalbond is a file called

    Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe

    Googling reveals

    http://ciip.wordpress.com/2009/07/27/leveraging-ethernet-card-vulnerabilities-in-field-devices-white-paper/

    In short, the attack file takes the same name as one of the company's own publications.

    So really, the use of this filename does not indicate any particular understanding of what Digitalbond does, much less any real interest in it. It's absolutely trivial to construct such attack files algorithmically by crawling target domain name webpages, and is a common and classic spam/malware method. There's nothing interesting here.

  2. Re:Except on US Defense Contractors and Universities Targeted In Cyberattacks · · Score: 1

    Except that if you RTFA, it is.

    "The attack begins with a spear phishing email sent to employees of the targeted company and containing a PDF attachment. In Digitalbond's case, the file is called "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" and when it's opened, the file installs a Trojan downloader called spoolsvr.exe."

    If you are running an unsolicited attachment called blah.pdf.exe and ignoring the Windows authorisation message that pops up, then why the hell are you providing IT security advice?

  3. Re:Should only buy military components from allies on Backdoor Found In China-Made US Military Chip? · · Score: 1

    Boy, how soon do people forget.

    http://arstechnica.com/business/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems/

    Made in Canada :p.

    Security vulnerabilities are everywhere. You cannot *whitelist* by country. I'll bet you 20 bucks that even if you only used US parts manufactured and designed in the US, you will *still* find backdoors like the one described here which a sufficiently dedicated attacker with a password sniffer will be able to break right open. Your only protection is rigorous security testing and multi-layered defense.

  4. Re:US and UK, best friends forever on UK In Danger From Electromagnetic Bomb, Says Defense Secretary · · Score: 2

    Uh... why is the parent marked as troll? It's basically factually correct.

  5. Re:near unlimited range thanks to in-air refueling on America's Next Bomber: Unmanned, Unlimited Range, Aimed At China · · Score: 1

    North Korea measures 200x400 miles. Taiwan 200x100. Beijing is 100 miles inland. Shanghai is coastal. Even Lhasa, Tibet, is 500 miles inland. You're spending multiple billions of dollars to extend strike capabilities to that part of China even the Chinese government don't care that much about.

  6. Re:We already have these... on America's Next Bomber: Unmanned, Unlimited Range, Aimed At China · · Score: 1

    What is the purpose of a deterrence that you cannot see coming?

  7. Re:Is it just me... on Russia Threatens Pre-emptive, Destructive Force On US Missile Defense · · Score: 1

    Europe *doesn't* want this. The Poles don't want this. The US is paying for it, because it's part of a full package of arm twisting and bribery to make them accept something that fundamentally makes their position less secure.

    "According to a poll by SMG/KRC released by TVP 50 per cent of respondents reject the deployment of the shield on Polish soil, while 36 per cent support it.[41]"

    Yes, the US are arseholes here.

  8. Re:The United States wouldn't care on Russia Threatens Pre-emptive, Destructive Force On US Missile Defense · · Score: 5, Interesting

    Except that the Russians tried to arrange a deal whereupon Russian observers would be in place on US missile defense bases, to ensure they cannot be used against them. The US refused.

    There's plenty of evidence that the Russians are genuine in their belief that this is a threat to them, and this has been a consistent position of theirs since the Cold War.

  9. Re:Can search results be copyrighted? on Oracle Vs. Google and the Right To Use APIs · · Score: 1

    Paying doesn't mean anything. For example, Feist ruled that the contents of phone books can't be copyrighted. But that doesn't mean they cannot be sold.

  10. Re:APS Study Found These Systems Lacking on Congress Wants To Resurrect Laser-Wielding 747 · · Score: 1

    Having an opinion doesn't mean biased. Rather, you need to show a conflict of interest, or some other thing that stops these people from looking at the issue objectively or otherwise clearly. The APS, when ranged against the massive conflict of interest of manufacturers of SDI systems and of congress proposing to build this, are relatively pretty damn disinterested. And they have the knowledge to present reasonable analyses that you can look at.

    SDI was a bad idea in the 80s. It's a bad idea now. In place of 'biased', I suggest you use the word 'correct' instead.

  11. Re:Wrong target on Congress Wants To Resurrect Laser-Wielding 747 · · Score: 1

    If you are trying to defend Japan, maybe the Japanese should pay for it?

  12. Re:what better... on Congress Wants To Resurrect Laser-Wielding 747 · · Score: 1

    Do you know how Lincoln dealt with the British during the civil war?

  13. Social psychology on Ask Slashdot: What Are the Most Dangerous Lines of Scientific Inquiry? · · Score: 1

    Seriously.

    Physics, bioweapons, nanotech, all the other scary things are about what people can do. Social psych is about what people *want* to do. Find the grand unified theory of 'how to make people behave in the ways you wish', and you'll be capable of massive control on the civilisation scale, and so massive harm. No single weapon in history has matched the simple, banal ability to tell a hundred million people to kill or die, and have them _obey_.

  14. Re:Lack of control or will on Chinese Firms Ignore Licensing Mandate For Stem Cell Therapy · · Score: 2

    No, this is the paradox of China. On the one hand, it's a police state with very reduced sets of rights. On the other hand, China is actually an anarchy. Think about it - it's a state massive in area, but with *half the number of police* (per capita) than the US. And the police that there are are mostly concentrated unevenly across the country. Thus, you have a police system capable of producing individual 'examples', if the state wishes, but which is in general wholly incapable of enforcing consistently the full set of laws it has on its books across the whole country.

    Ironically, the cultural revolution is an example of state failure. It was mostly carried out by popular militias, students, etc, and raged for as long as it did because of the inability of the police force to deal with it. In both that case and Tiananmen Square, the situation had to be eventually resolved by the invocation of martial law and the involvement of the military - hardly a sign of the ability of the police force to maintain stability.

  15. Re:So it begins on FBI Says American Universities Infiltrated by Spies · · Score: 1

    If China invades the US, it's global thermonuclear war. Then it wouldn't matter at all who wins or not and what the military budgets are.

    Even if China wins and there is mysteriously no nuclear exchange, what exactly do they win? A country full of unproductive, rebellious mouths to feed, without any resources to covet, that previously was doing perfectly well buying their iPads... The status quo is the most favourable status for China. As far as I can see, the only even slightly plausible scenario for future war would be started by the US.

  16. Re:So it begins on FBI Says American Universities Infiltrated by Spies · · Score: 2

    Maybe the absence of a global steward is better than the US.

  17. Re:S. Eugene Poteat is a serial bullshitter on FBI Says American Universities Infiltrated by Spies · · Score: 1

    So, "some of the 3000 Chinese companies in the US (maybe 12, maybe 20-30) might have relations (possibly entirely above board and legitimate) with the Chinese military" has mutated into "more than 3000 Chinese companies are actually front companies for Chinese intelligence trying to steal IP"?

    What a farce.

  18. Re:it's true on FBI Says American Universities Infiltrated by Spies · · Score: 1

    International students do not attend US universities at taxpayer expense. They instead pay much higher fees, effectively subsidising the fees of domestic students - that's why universities like them. Living expenses also contribute billions each year to the US economy.

    http://www.nafsa.org/_/file/_/eis09/usa.pdf

    Apart from the money, they also make important scientific contributions, frequently choosing to stay. Look through Google Scholar, and you'll see the increasing numbers of Chinese names. They aren't there to steal research - they are *doing* the research, and the fact that they are choosing to do it in the US and publishing it means the US gets to benefit from both the results themselves and the reputation of having groundbreaking research done there instead of in Asia or Europe.

  19. Re:Compared to Ira*, what is the biggest threat on FBI Says American Universities Infiltrated by Spies · · Score: 1

    What's the biggest threat to the American lifestyle?

    Isn't it obvious?

    The USA itself.

    The Chinese could do a lot, but little of it can compare to the damage the US has dealt and will potentially continue to deal to its own economy, to its political system, to its civil liberties and justice system, its international reputation, its health system, and now, it seems, to its research community.

  20. Re:S. Eugene Poteat is a serial bullshitter on FBI Says American Universities Infiltrated by Spies · · Score: 1

    I read his biography?

  21. S. Eugene Poteat is a serial bullshitter on FBI Says American Universities Infiltrated by Spies · · Score: 5, Insightful

    I'm 90% certain this 3000 front companies figure is going to appear in a ton of places now. But where the hell does it come from?

    Because S. Eugene Poteat is no longer a CIA agent. He's been out of the CIA for over 10 years. So how does he have access to privileged intel on Chinese intelligence activities? How on earth could he, a man whose intel career ended well before the start of this nonsense, know?

    The answer is, by my reckoning, he doesn't. It's just a made up statistic. And there's a pattern behind this guy's statements too: he's long been a proponent of the removal of accountability from the intel services.

    "Thirty years ago," he wrote, "the Church and Pike Committees bought into the KGB perception management campaigns to discredit American intelligence and proceeded to limit the activities of the intelligence community ..."

    Since the Church and Pike Committee hearings are probably not covered in high school history courses, let me remind younger readers that these were congressional committees convened to investigate egregious excesses by an intelligence community that had come to act with little or no external accountability.

    The agency's excesses included assassinations, coups d'état, revolutionary and counter-revolutionary movements, covert action to influence the elections of friends and enemies alike, mind control experiments that sometimes led to murder, and other behaviors that caused lots of reasonable people to question the agency's unlimited freedom to act without transparency or accountability. The excesses were not about how they gathered intelligence so policies could be set. The excesses were about policies devised and executed in a black box.

    Poteat is saying that citizens concerned with that unrestrained behavior were deceived by the KGB.

    http://www.commondreams.org/views05/0316-27.htm

    There's a certain wing of the US who is pushing the intel agenda. By reproducing the cold war, they get more funding and the unlimited powers they always coveted. S. Eugene Poteat's proper title is 'Intellaine security company employee, and lobbyist for greater surveillance powers without civilian oversight'. Don't buy into their bullshit, unless they show their working.

  22. Re:stealing a beach on FBI Says American Universities Infiltrated by Spies · · Score: 1

    Well, I've heard rumours 9/11 was a hologram.

    It would be good if you could, you know, name this MP, because I'm pretty sure I'd have heard of it.

  23. Re:Fifth columnist journalisim on FBI Says American Universities Infiltrated by Spies · · Score: 5, Informative

    I'd note that the 3k companies claim came not from the CIA, but from a guy who's retired from the CIA in the 90s, and was previously involved in - get this - the Gulf of Tonkin incident.

  24. Paranoia paranoia paranoia on FBI Says American Universities Infiltrated by Spies · · Score: 1

    I'm pretty sure that if China was intent on sending a superspy to steal your celestial mechanics precious bodily fluids, they wouldn't send someone with a space military related publication record, and have him write an article on it available over the internet: http://en.cnki.com.cn/Article_en/CJFDTOTAL-XYZH200901020.htm

    Maybe people should just realise that academics are interested in all sorts of different stuff, that all research publications are gonna be read by someone combing over it in search of military applications, and that if you are actually doing military significant research, you should do it under DARPA or something and security check your staff?

  25. Re:Please stick to "news", Slashdot on Independent Audit Finds Foxconn Violates Chinese Work Rules · · Score: 1

    Have you ever been to China? Seriously? Do you have even the slightest idea what you are talking about?