like websense, then?
Or it could be standard off-the-shelf incompetence combined with a direct copy of Websense's duplicate get code.
China has upgraded the website-blocking systems on its borders, dubbed The Great Firewall, so it can blast foreign businesses and orgs off the internet. Researchers from the University of Toronto, the International Computer Science Institute, the University of California Berkeley and Princeton University, have confirmed what …
Nah, websenseless doesn't work at all, so it must be something better.
What I do find interesting is that this tool is reactive, which makes me wonder if this is really malice or simply a botched code job. Coders over there are as capable of making mistakes as they are over here, but that would obviously not serve well as an excuse to start YACW (yet another cold war).
Now real wars have become a bit too obvious as a tax conversion mechanism (into private equity), I guess cyberwar spending will now shoot up, but for that they need an excuse. Hello excuse.
Don't bother with IP blocks - their AS numbers are the way to go. However even if the world was to do that (probably a modern age declaration of war), it would be a stupid way to deal with internet damage.
What we need are politicians (or at least their advisors) who intuitively understand the way t'intertubes works, similar to the way most people understand to a reasonable degree how the road system works. They will also need to understand the cause and effect of this cannon thingie on commerce. Then they will have to liaise with other governments and work around potential net neutrality issues - yes that is probably relevant.
Fuck me - the more I think about it - the more complex it becomes and it's late on a Friday. I'll stop here to avoid an essay 8)
Cheers
Jon
You've taken a problem you had and delivered a solution. People not only find content blocked but also participate in taking down unapproved Web sites. It's so visible and obvious to them.
I think the Chinese citizens are glad to have such a government looking out for them.
It's far better than the US and UK governments who do all their reading of their citizens' content in secret and then using it to snoop on you without telling you.
I think the upfront approach of the Chinese government is much better
It's far better than the US and UK governments who do all their reading of their citizens' content in secret and then using it to snoop on you without telling you.
I think the upfront approach of the Chinese government is much better
Judging by the downvotes, people are really more comfortable with hypocrisy...
it is still war
Umm, no. First we have to establish that this wasn't a stupid coding mistake where a targeted tool went into overkill, or an enterprising criminal using a state ISP (brave, I'd say, because what they do over there when they catch you isn't exactly subtle). It's not like that hasn't happened before.
Next, a war requires a formal declaration. So far, neither the US nor China has formally declared a war. There is mutual stupidity, yes, with the US spying on everything that moves (and not just in China) and China sourcing much of the hacking attempts I see on some of the resources that I manage, but so far I cannot see an all out war - all I see is a criminal rattling of doors.
"Next, a war requires a formal declaration"
Except when it's a "police action". Or someone "invited" you in to help. Or it's in support of a UN resolution. Or you just go and do it without a formal declaration of war anyway.
Has there actually been any "formal declaration of war" since 1939?
Has there actually been any "formal declaration of war" since 1939?
Probably not, lost art of calligraphy and whatnot. How does one even define a declaration of war? Missiles shot out of SSBNs is the standard clue these days - why would you give your enemy a chance to set up defences, move forces, shred documents, hide in a cave and whatnot?
There's at least 3 wars going on between major/superpowers right now today, just because they haven't been declared doesn't mean there isn't war.
China, whether it be incompetence in administering the Great Firewall thus allowing blackhats to install their malware, or whether it be government interference, is injecting this malware on the rest of the world.
Some of us as individuals can block certain URLs that host the nasty JavaScript. What next, do we need anti-malware in our web browsers now? Do I need to research a suitable plug-in for Squid to install on my workplace's transparent proxy?
Arguably, Baidu's analytics domains can be considered malicious – requests sent to them return malware. If we can encourage browser makers to have their browsers not send requests to those domains, that would significantly reduce the potency of the Great Cannon.
At the same time, this would have a dramatic negative impact on Baidu's advertising revenue; in turn, Baidu would pressure the Chinese government to knock it off with the Cannon or risk crippling the most popular site in their own country.
Browsers are already performing anti-malware duties and I expect that to increase. NoScript is pretty sweet (been using it in block-by-default mode for almost 10 years) but so many sites break horribly with varying grades of horrible (sometimes everything but the actual piece that you wanted to read will load, sometimes nothing at all) that you'll have little choice other than give up on the site, or open the door just wide enough to peek through while maybe the sewage spills in onto your feet. It'll happen more that scripts which screw with you are placed on the same subdomain as scripts that make the site load anything at all, like when someone keeps all their ads as /images/{GUID}.png such that a not-overzealous rule for your ad blocker is basically impossible to write. Whatever we do to block spam like distributed realtime black- and whitelists will likely become more and more necessary in the form of browser addons as more stunts like this take place. Oh, what an exciting time!
"scripts which screw with you are placed on the same subdomain as scripts that make the site load anything at all"
Yes, like when back in the day, tucows.com decided to direct all their download links via their ad-server. The easy solution was to just not use TuCows. Where are they now? Absorbed into cnet or something?
What next, do we need anti-malware in our web browsers now?
HTTP/2? Don't bitch about the always-on crypto and we'll be fine. Call your elected representation and try to get them to push BCP-38 or similar as a chunk of extraterritorial law (this is gonna work best if you're in the US).
We need to detect such traffic & send it back to the website of the ministry that runs the great firewall
a) Github figured it out pretty because they started injecting their own JS into pages as I recall.
b) I prefer redirecting people to meatspin (pls don't google that if you don't know what it is) who are up to shady stuff on my servers, more effective than taking down some Chinese propaganda BS.
Edit: derp, merge..
What next, do we need anti-malware in our web browsers now?
HTTP/2? Don't bitch about the always-on crypto and we'll be fine. Call your elected representation and try to get them to push BCP-38 or similar as a chunk of extraterritorial law (this is gonna work best if you're in the US).
Never mind that getting a TLS certificate for a private website hosted on a free subdomain for a not-for-profit volunteer-run group of about 30 people is nigh on impossible and that HTTP/2 isn't yet supported by Apache 2.4 at last check (I read mod_spdy was buggy).
Then there's the situation where encryption is outlawed. HTTP/2 is not a solution for everyone. We need to be able to check that some code is authentic for sure, we don't need it encrypted.
Yup. Most of them are blocked by my very own Great Firewall, painstakingly construed by finding a checkbox named "Enable JavaScript" in the browser settings, and hitting it with a fury of the thousand winds. What a marvel of technological achievement.
Surely, the US Government is aware of the "Great Firewall of China". Why are US firms still permitted to buy products for pennies on the dollar from China and then make a huge profit on them from customers? MONEY. The root of all evil. Actually, selfishness is the root. Money is just a tool that is used for selfish purposes...
Khrushchev once said that, "When it comes time for us to hang you, your capitalist will sell us the rope." Well, the Soviets never did get their chance to hang us, but the Great Firewall of China was built in no small part with the help of American companies like Cisco and Microsoft. Of course they got away with it (and maybe were even encouraged to pursue it) because in its dealings with China the US government and its private sector partners have always seemed to put profit ahead of human rights. But then, the Nazis used tabulating machines supplied by IBM to administer the Holocaust, and that company was never held to account either.
The obvious solution is to align IP address blocks with national boundaries, so that it is easy for end-users to write rules that describe which blocks they trust. With IPv4, it is too late to do the renumbering. With IPv6, it isn't since the address space is large enough that you could invent a new kind of unicast address range for the purpose and allow both sets of addresses to run alongside for a few years.
Note the focus on end-users. At present, firewalling entire countries is possible but only if you have the resources of a large organisation (or government) to keep the firewall rules up to date. We need to work out a way to give end-users the same power.
If any politicians are listening, please note that the same capability would let end-users restrict their domestic internet usage to countries with laws on censorship/porn/whatever that they approve of. This would be far more effective than passing yet another law that applies only to servers in your own country, most of which already conform to your local laws and the rest of which you can already deal with through your own legal system on a case-by-case basis.
Unless I'm overlooking something, browsers distributed outside of China need just two features:
1. A list of domains which can ONLY be accessed via https, not http. If the Great Cannon starts MITMing other domains than Baidu, the next stage would be to apply the https-only rule to all Chinese IPs (or ASes, as someone else suggested.)
2. Remove China's root CA from the list trusted by non-Chinese browsers.
At that point, if Baidu wants traffic from clients outside the PRC, it will need to sign its https responses with a certificate from some other root CA, thus preventing MITM actions by the Great Cannon.
Of course, PRC officials could force Baidu to divulge its non-PRC-signed cert. The rest of us would know that had happened as soon as the Great Cannon resumed spewing: that would be the signal for the browser-makers to refuse to send even HTTPS requests to PRC IPs/ASs, or at least to any domain with which the great cannon interferes.
Google's already non-grata enough with the Chinese that they'd have no reason not to do this in Chrome: I don't know about the Firefox folks. Apple's likely to be a problem: I doubt that Apple would make the OSX and iOS default browsers implement the disciplines suggested above: their business is too tightly bound to the PRC.
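A sketch of the https-only list proposed in the comment above, added here as an illustration and not part of any commenter's post or any browser's code. The list entries are constructed placeholder domains, and upgrading the request (rather than refusing it) is an assumption about how the rule would be applied.

```javascript
// Constructed placeholder list; a real list would name the affected domains.
const HTTPS_ONLY = ["analytics.example", "cdn.example.org"];

// True when host equals a listed domain or is a subdomain of one.
// Matching on a label boundary keeps "notanalytics.example" from
// matching "analytics.example".
function isHttpsOnly(host, list = HTTPS_ONLY) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return list.some((d) => h === d || h.endsWith("." + d));
}

// Decide what a client applying the rule does with a subresource URL.
function enforce(rawUrl, list = HTTPS_ONLY) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", url: null }; // unparseable: never fetch
  }
  // Only plain-http requests to listed domains are rewritten.
  if (url.protocol !== "http:" || !isHttpsOnly(url.hostname, list)) {
    return { action: "allow", url: url.href };
  }
  url.protocol = "https:"; // path and query are preserved
  return { action: "upgrade", url: url.href };
}

// Constructed sample requests.
for (const u of [
  "http://hm.analytics.example/h.js?id=1",
  "https://hm.analytics.example/h.js",
  "http://notanalytics.example/h.js",
]) {
  console.log(u, "->", JSON.stringify(enforce(u)));
}
```

The upgrade only protects the request if the certificate presented over TLS chains to a root the client still trusts, which is why the comment pairs the list with its second item.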
I may have misunderstood but I was under the impression that if the developers at github had less scruples, they could have either set up a temporary 302 redirect to the largest video file on baidu they could find, or introduce their own ddos javascript to do the same in return to chinese site of their choice, it isn't that great of a cannon if your enemies can send your own weapon back at you.
Full respect to the devs at github for just using an alert() to halt the evil javascript and signal something was wrong to the end user, my first instinct would be to have a crack at flattening baidu.
This problem has enormous implications for mobile. There are tons of great FREE apps by Chinese developers. Most if not all connect to Baidu, or somewhere else in China. And don't forget those really CHEAP PHONES that some anonymous cowards crow about. Those have a direct line to China too! I don't care what country you use it in. I can confirm apps like ES File Explorer do connect to Baidu. It looks for updates which you can turn off, but the privacy policy says they use Baidu analytics. There are at least two separate connections in that regard. Now, what do you think those Chinese browsers and security apps are doing. All you guys who scoff at the warnings not to use those Chinese Phones, where are you? All you defenders of China? They are about to own your communications system country wide. What say you now? So quiet I can hear a pin drop.
As for the Chinese phones, there really are no choices. 85% of ALL, ALL consumer electronics devices are made... in China.
No matter whose name is on it, it's Chinese. Hon Hai ring any bells?
As for the rest of your post, yes. God only knows what backdoors are lurking in our devices.