China weaponizes its Great Firewall into the GREAT FIRE CANNON, menaces entire globe

China has upgraded the website-blocking systems on its borders, dubbed The Great Firewall, so it can blast foreign businesses and orgs off the internet. Researchers from the University of Toronto, the International Computer Science Institute, the University of California Berkeley and Princeton University, have confirmed what …

  1. Anonymous Coward
    Facepalm

    like websense, then?

    Or it could be standard off-the-shelf incompetence combined with a direct copy of Websense's duplicate get code.

    1. Anonymous Coward
      Anonymous Coward

      Re: like websense, then?

      Nah, websenseless doesn't work at all, so it must be something better.

      What I do find interesting is that this tool is reactive, which makes me wonder if this is really malice or simply a botched code job. Coders over there are as capable of making mistakes as they are over here, but that would obviously not serve well as an excuse to start YACW (yet another cold war).

      Now real wars have become a bit too obvious as a tax conversion mechanism (into private equity), I guess cyberwar spending will now shoot up, but for that they need an excuse. Hello excuse.

    2. Anonymous Coward
      Anonymous Coward

      Re: like websense, then?

      Nope. Like Phorm. This is literally what Phorm was designed to do.

  2. oldtaku

    'The researchers are also convinced the Chinese government is directly behind the Great Cannon's operations.'

    It has to be. Besides the technical similarities, they wouldn't tolerate anyone else messing with their search engine like this. Especially not for so long.

  3. LaeMing
    Meh

    Bad net citizens...

    ...get their IP blocks banned.

    1. gerdesj Silver badge

      Re: Bad net citizens...

      Don't bother with IP blocks - their AS numbers are the way to go. However, even if the world were to do that (probably a modern-age declaration of war), it would be a stupid way to deal with internet damage.

      What we need are politicians (or at least their advisors) who intuitively understand the way t'intertubes works, similar to the way most people understand to a reasonable degree how the road system works. They will also need to understand the cause and effect of this cannon thingie on commerce. Then they will have to liaise with other governments and work around potential net neutrality issues - yes that is probably relevant.

      Fuck me - the more I think about it - the more complex it becomes and it's late on a Friday. I'll stop here to avoid an essay 8)

      Cheers

      Jon

      1. g e

        Re: Bad net citizens...

        Surely if someone tells them it's hurting Big Media's profits they'll take action in a trice...

  4. Anonymous Coward
    Anonymous Coward

    Well done the Chinese Government

    You've taken a problem you had and delivered a solution. People not only find content blocked but also participate in taking down unapproved Web sites. It's so visible and obvious to them.

    I think the Chinese citizens are glad to have such a government looking out for them.

    It's far better than the US and UK governments, who do all their reading of their citizens' content in secret and then use it to snoop on you without telling you.

    I think the upfront approach of the Chinese government is much better.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well done the Chinese Government

      It's far better than the US and UK governments, who do all their reading of their citizens' content in secret and then use it to snoop on you without telling you.

      I think the upfront approach of the Chinese government is much better.

      Judging by the downvotes, people are really more comfortable with hypocrisy...

  5. Anonymous Coward
    Anonymous Coward

    Polite as that may be; it is still war. You don't get to enforce your opinions outside of your borders. China and America both; be told.

    1. Anonymous Coward
      Anonymous Coward

      it is still war

      Umm, no. First we have to establish that this wasn't a stupid coding mistake where a targeted tool went into overkill, or an enterprising criminal using a state ISP (brave, I'd say, because what they do over there when they catch you isn't exactly subtle). It's not like that hasn't happened before.

      Next, a war requires a formal declaration. So far, neither the US nor China has formally declared a war. There is mutual stupidity, yes, with the US spying on everything that moves (and not just in China) and China sourcing much of the hacking attempts I see on some of the resources that I manage, but so far I cannot see an all-out war - all I see is a criminal rattling of doors.

      1. John Brown (no body) Silver badge

        "Next, a war requires a formal declaration"

        Except when it's a "police action". Or someone "invited" you in to help. Or it's in support of a UN resolution. Or you just go and do it without a formal declaration of war anyway.

        Has there actually been any "formal declaration of war" since 1939?

        1. streaky

          Has there actually been any "formal declaration of war" since 1939?

          Probably not, lost art of calligraphy and whatnot. How does one even define a declaration of war? Missiles shot out of SSBNs is the standard clue these days - why would you give your enemy a chance to set up defences, move forces, shred documents, hide in a cave and whatnot?

          There are at least 3 wars going on between major/superpowers right now today; just because they haven't been declared doesn't mean there isn't war.

          1. Anonymous Coward
            Anonymous Coward

            1941

            The US last declared war on Dec 8, 1941 against the Empire of Japan. Three days later Nazi Germany and Fascist Italy then declared war on the US.

            1. John Brown (no body) Silver badge

              Re: 1941

              "The US last declared war on Dec 8, 1941 against the Empire of Japan. Three days later Nazi Germany and Fascist Italy then declared war on the US."

              That's close enough for government work :-)

      2. chivo243 Silver badge

        How does one declare a 'cold war'? Isn't this what is going on here?

  6. Destroy All Monsters Silver badge
    Facepalm

    What the hell is that diagram???

    Do people need to learn producing proper sequence diagrams under the threat of violence or what?

    1. Phuq Witt
      Angel

      Re: What the hell is that diagram???

      I'm glad it wasn't just me then. Maybe I'm not as hungover as I thought, after all.

  7. Anonymous Coward
    Anonymous Coward

    So, what now?

    China, whether it be incompetence in administering the Great Firewall thus allowing blackhats to install their malware, or whether it be government interference, is injecting this malware on the rest of the world.

    Some of us as individuals can block certain URLs that host the nasty JavaScript. What next, do we need anti-malware in our web browsers now? Do I need to research a suitable plug-in for Squid to install on my workplace's transparent proxy?

    1. Anonymous Coward
      Anonymous Coward

      Re: So, what now?

      Arguably, Baidu's analytics domains can be considered malicious – requests sent to them return malware. If we can encourage browser makers to have their browsers not send requests to those domains, that would significantly reduce the potency of the Great Cannon.

      At the same time, this would have a dramatic negative impact on Baidu's advertising revenue; in turn, Baidu would pressure the Chinese government to knock it off with the Cannon or risk crippling the most popular site in their own country.

      1. Oninoshiko

        Re: So, what now?

        One better: have the DNS servers start returning NXDOMAIN, or a link to an explanation of the problem, not just for the analytics domain, but for all of Baidu.

    2. Anonymous Coward
      Anonymous Coward

      Re: So, what now?

      Browsers are already performing anti-malware duties and I expect that to increase. NoScript is pretty sweet (been using it in block-by-default mode for almost 10 years) but so many sites break horribly with varying grades of horrible (sometimes everything but the actual piece that you wanted to read will load, sometimes nothing at all) that you'll have little choice other than to give up on the site, or open the door just wide enough to peek through while maybe the sewage spills in onto your feet. It'll happen more that scripts which screw with you are placed on the same subdomain as scripts that make the site load anything at all, like when someone keeps all their ads as /images/{GUID}.png such that a not-overzealous rule for your ad blocker is basically impossible to write. Whatever we do to block spam, like distributed realtime black- and whitelists, will likely become more and more necessary in the form of browser addons as more stunts like this take place. Oh, what an exciting time!

      1. John Brown (no body) Silver badge

        Re: So, what now?

        "scripts which screw with you are placed on the same subdomain as scripts that make the site load anything at all"

        Yes, like when back in the day, tucows.com decided to direct all their download links via their ad-server. The easy solution was to just not use TuCows. Where are they now? Absorbed into cnet or something?

        1. Anonymous Coward
          Thumb Up

          Re: So, what now?

          "Absorbed into cnet or something?"

          I was going to say they were turned into 4 chanburgers but it's still there, and besides needing you to manually erase the filler from the search form, apparently it functions without JS. Bravo!

    3. ckm5

      The Great Reflector

      We need to detect such traffic & send it back to the website of the ministry that runs the great firewall...

      One thing to keep in mind is that it was detected & mitigated...

      1. This post has been deleted by its author

    4. streaky

      Re: So, what now?

      What next, do we need anti-malware in our web browsers now?

      HTTP/2? Don't bitch about the always-on crypto and we'll be fine. Call your elected representation and try to get them to push BCP-38 or similar as a chunk of extraterritorial law (this is gonna work best if you're in the US).

      We need to detect such traffic & send it back to the website of the ministry that runs the great firewall

      a) Github figured it out pretty because they started injecting their own JS into pages as I recall.

      b) I prefer redirecting people to meatspin (pls don't google that if you don't know what it is) who are up to shady stuff on my servers, more effective than taking down some Chinese propaganda BS.

      Edit: derp, merge..

      1. Anonymous Coward
        Anonymous Coward

        Re: So, what now?

        What next, do we need anti-malware in our web browsers now?

        HTTP/2? Don't bitch about the always-on crypto and we'll be fine. Call your elected representation and try to get them to push BCP-38 or similar as a chunk of extraterritorial law (this is gonna work best if you're in the US).

        Never mind that getting a TLS certificate for a private website hosted on a free subdomain for a not-for-profit volunteer-run group of about 30 people is nigh on impossible and that HTTP/2 isn't yet supported by Apache 2.4 at last check (I read mod_spdy was buggy).

        Then there's the situation where encryption is outlawed. HTTP/2 is not a solution for everyone. We need to be able to check that some code is authentic for sure, we don't need it encrypted.

  8. nanchatte

    I thought I understood what was going on...

    ...until I saw that diagram.

    1. Tom 13

      Re: I thought I understood what was going on...

      Ok, like ads I skipped the diagram until I got to your comment (it being the third such at the time I was reading comments). Now that I've gone back and looked at it, I'm confused too.

  9. Ole Juul

    commonly used analytics, social, or advertising scripts

    I'm not a fan of those anyway.

    1. Solmyr ibn Wali Barad

      Re: commonly used analytics, social, or advertising scripts

      Yup. Most of them are blocked by my very own Great Firewall, painstakingly construed by finding a checkbox named "Enable JavaScript" in the browser settings, and hitting it with a fury of the thousand winds. What a marvel of technological achievement.

  10. Frank N. Stein

    Surely, the US Government is aware of the "Great Firewall of China". Why are US firms still permitted to buy products for pennies on the dollar from China and then make a huge profit on them from customers? MONEY. The root of all evil. Actually, selfishness is the root. Money is just a tool that is used for selfish purposes...

    1. Destroy All Monsters Silver badge
      Big Brother

      3rd Reich-style economic control for you, sir? With added hectoring about "money"? Suits you.

    2. Anonymous Coward
      Anonymous Coward

      The verse says LOVE of money is the root of evil.

      1. choleric

        "The love of money is a root of all kinds of evils."

        1 Timothy 6:10

        Money doesn't have a monopoly on evil, though it's a good one to watch out for!

    3. Anonymous Coward
      Anonymous Coward

      Sold them the rope

      Khrushchev once said that, "When it comes time for us to hang you, your capitalist will sell us the rope." Well, the Soviets never did get their chance to hang us, but the Great Firewall of China was built in no small part with the help of American companies like Cisco and Microsoft. Of course they got away with it (and maybe were even encouraged to pursue it) because in its dealings with China the US government and its private sector partners have always seemed to put profit ahead of human rights. But then, the Nazis used tabulating machines supplied by IBM to administer the Holocaust, and that company was never held to account either.

  11. c4m1k4z3

    Technical considerations for github returning 301 Moved Permanently back to baidu? (Not a legal/ethical debate)

  12. Ken Hagan Gold badge
    Childcatcher

    The killer application for IPv6

    The obvious solution is to align IP address blocks with national boundaries, so that it is easy for end-users to write rules that describe which blocks they trust. With IPv4, it is too late to do the renumbering. With IPv6, it isn't since the address space is large enough that you could invent a new kind of unicast address range for the purpose and allow both sets of addresses to run alongside for a few years.

    Note the focus on end-users. At present, firewalling entire countries is possible but only if you have the resources of a large organisation (or government) to keep the firewall rules up to date. We need to work out a way to give end-users the same power.

    If any politicians are listening, please note that the same capability would let end-users restrict their domestic internet usage to countries with laws on censorship/porn/whatever that they approve of. This would be far more effective than passing yet another law that applies only to servers in your own country, most of which already conform to your local laws and the rest of which you can already deal with through your own legal system on a case-by-case basis.

  13. Left-Pond-Left-Coastian

    A Browser-based solution?

    Unless I'm overlooking something, browsers distributed outside of China need just two features:

    1. A list of domains which can ONLY be accessed via https, not http. If the Great Cannon starts MITMing other domains than Baidu, the next stage would be to apply the https-only rule to all Chinese IPs (or ASes, as someone else suggested.)

    2. Remove China's root CA from the list trusted by non-Chinese browsers.

    At that point, if Baidu wants traffic from clients outside the PRC, it will need to sign its https responses with a certificate from some other root CA, thus preventing MITM actions by the Great Cannon.

    Of course, PRC officials could force Baidu to divulge its non-PRC-signed cert. The rest of us would know that had happened as soon as the Great Cannon resumed spewing: that would be the signal for the browser-makers to refuse to send even HTTPS requests to PRC IPs/ASs, or at least to any domain with which the Great Cannon interferes.

    Google's already non-grata enough with the Chinese that they'd have no reason not to do this in Chrome: I don't know about the Firefox folks. Apple's likely to be a problem: I doubt that Apple would make the OSX and iOS default browsers implement the disciplines suggested above: their business is too tightly bound to the PRC.

    1. Anonymous Coward
      Anonymous Coward

      Re: A Browser-based solution?

      I'm willing to bet Google would not have even mentioned a problem (even if their servers were absolutely hosed from China) if they still had a profitable foot in the door there.

      1. oneeye

        Re: A Browser-based solution?

        Google and Mozilla already acted last week to remove certs in all their products. This was before Great Cannon, because the Chinese had issued some certs that imitated Google domains. Do try and keep up, would you?

        1. Charles 9 Silver badge

          Re: A Browser-based solution?

          I am keeping up. But what if China outright steals legitimate certificates belonging to Western companies, thus are able to perfectly mimic them and prevent them being blacklisted without collateral damage?

    2. Charles 9 Silver badge

      Re: A Browser-based solution?

      What happens then if the Chinese start taking over non-Chinese IPs, particularly those already in use by non-Chinese businesses? Now how will you be able to know what's coming before you get attacked by the Great Cannon's zero-days?

  14. Robin Bradshaw

    Great cannon ping pong

    I may have misunderstood, but I was under the impression that if the developers at github had less scruples, they could have either set up a temporary 302 redirect to the largest video file on baidu they could find, or introduced their own ddos javascript to do the same in return to a Chinese site of their choice. It isn't that great of a cannon if your enemies can send your own weapon back at you.

    Full respect to the devs at github for just using an alert() to halt the evil javascript and signal something was wrong to the end user, my first instinct would be to have a crack at flattening baidu.

  15. Alan J. Wylie

    Can I be the first to coin a phrase?

    "Chinaman in the middle attack"

  16. oneeye

    It's all gonna get worse!

    This problem has enormous implications for mobile. There are tons of great FREE apps by Chinese developers. Most if not all connect to Baidu, or somewhere else in China. And don't forget those really CHEAP PHONES that some anonymous cowards crow about. Those have a direct line to China too! I don't care what country you use it in. I can confirm apps like ES File Explorer do connect to Baidu. It looks for updates, which you can turn off, but the privacy policy says they use Baidu analytics. There are at least two separate connections in that regard. Now, what do you think those Chinese browsers and security apps are doing? All you guys who scoff at the warnings not to use those Chinese phones, where are you? All you defenders of China? They are about to own your communications system country-wide. What say you now? So quiet I can hear a pin drop.

    1. ecofeco Silver badge

      Re: It's all gonna get worse!

      As for the Chinese phones, there really are no choices. 85% of ALL, ALL consumer electronics devices are made... in China.

      No matter whose name is on it, it's Chinese. Hon Hai ring any bells?

      As for the rest of your post, yes. God only knows what backdoors are lurking in our devices.

      1. Solmyr ibn Wali Barad

        Re: It's all gonna get worse!

        "Hon Hai ring any bells?"

        Minor nitpick - it's a Taiwanese group. But they have an awful lot of operations in mainland China, so they have to have cosy relations with the Chinese regime.

  17. ecofeco Silver badge

    More compelling evidence for IoT and cloud

    Surely this and all the other mounting evidence shows this is a great time to go all in on cloud and IoT, right?

    Right?

Biting the hand that feeds IT © 1998–2020