back to article Chinese ISP hijacked US military, gov web traffic

Eight months after traffic to as much as 15 percent of the world's internet destinations was mysteriously diverted through China, investigators for a US Congressional committee remain wary of the Asian superpower, even as they're quick to say they have no evidence it's the work of the Chinese government. “Several incidents in …

COMMENTS

This topic is closed for new posts.
  1. Number6

    Encryption

    Obviously we need all email clients to have easy-to-configure encryption settings that are on by default. It helps if servers are using TLS to pass data, makes the job of the snooper a bit harder, but Joe Public is blissfully unaware of how easy it is to eavesdrop on his email to his gran.

    Of course, the security services would be horrified if it took off, they would have to divert a lot more resources to reading our email traffic if it was scrambled in some way.

  2. Anonymous Coward
    Anonymous Coward

    Like SMTP used to be

    And DNS Auth with CRYPT-PW for major ISPs which you could get on a dictionary attack.

    Sometimes after a major failure the routers back off and the wrong master is chosen which makes odd things happen. Once before my ISP routed Class A all the way from my home router into Russia, accepting the entire chain to some dodgy peering agreement.

  3. Ross 7

    Mistake

    Likely a mistake, although that's not to say they weren't trying to do something nefarious on a smaller scale.

    Given it was 18 minutes, and they sucked up soooo much traffic it's likely they went titsup and defacto blackholed a large portion of the inet, so the routing tables corrected themselves.

    BGP is definitely from an older and more gentlemanly time. If you;re relying on trust on the inet, and that trust isn't as a result of some serious crypto you need to have a rethink...

  4. Anonymous Coward
    Pint

    Of course all US mil and gov agencies

    carefully encrypt their sensitive traffic before sending it over the public Internet so... You say what? Oh, they don't ?

  5. dephormation.org.uk
    Pint

    TalkTalk's Chinese takeaway

    BGP? Sounds horribly complicated.

    In the UK we let the Chinese do spying properly.

    For example, TalkTalk invite the Chinese to install spyware directly into their network, thus avoiding the cost, complication and inconvenience of BGP reconfiguration.

    GCHQ/CPNI then let it stay there for months on end, before anyone acts.

    I like a beer with a takeaway.

  6. Anonymous Coward
    Thumb Down

    Phorm,Huawei,TalkTalk.

    Huawei have a deal with TalkTalk to do covert DPI snooping on their customers traffic then TalkTalk covertly and then anonymously scrape websites using their customer's urls, supposedly scanning them for malicious content. (By the way, just to make you feel more comfortable, Phorm have a done a deal with Huawei too, back home in China.)

    Government action/regulatory clampdown so far? Well - nothing yet. But the ICO is looking at it, and is said to be "disappointed". Police have shown no interest in a RIPA prosecution. Home Office are clamped down tight, and have absolutely nothing to say about the matter. TalkTalk mysteriously switched the whole thing off when the press found out. According to Home Office Minister Nick Herbert (written answer in Parliament) no one has even been in touch with Home Office to make representations about it, although I personally know of about seven people who have in fact done so. Maybe he thought they were vexatious.

    So it looks like the Chinese arrived here quite some time ago, they've certainly scraped MY website this summer, courtesy of TalkTalk, but without either TalkTalk's customers or me, being asked first. As they appear to have open access to most of our ISP network already, as dephormation says above - why bother with all this diversion stuff. If you've been given the front door key you don't need to climb in the back window.

  7. MaXimaN
    Big Brother

    Be realistic

    It's not like they could do anything with such a massive amount of data if they collected any of it. I mean, they'd need to own the world's most power supercomputer to do pattern matc...

    Oh. Hang on.

    1. Jon 86
      Pint

      It real

      Isn't the world new supercomputer owned by the Chinese. You may want check Tianhe-1. If they have the data, supercomputer and technical know how what else stops them.

      Is the government in America and UK hear about all these issue or they have secured network so don't give a toss.

      Well, let me grab a pint and sit back until the frst interweb war starts. I've saved a couple of machines to play my part. At least to defend my country.

  8. John-Mark Gurney
    Big Brother

    Encrypt it all

    I'm just as worried about the US government snooping as I am about China. The US courts say that the government is free to snoop, and the people cannot force the government to follow the law. Encrypt all your internet traffic.

    With the cost of SSL certs cheap, no website should unencrypted. I moved my home site to only allow encrypted traffic. I've also stopped visiting sites that don't have a signed certificate.

    It's easy to turn on encryption for torrents (done). Many IRC servers also support TLS too.

    Basic email encryption can be done if more people install a certificate. Simply install a certificate on your SMTP server and most sending hosts will automatically use TLS. Sure it isn't as good as PGP as it's still unencrypted on the sending/receiving hosts, but at least on the internet it is.

    1. crayon
      FAIL

      Re: Encrypt it all

      "With the cost of SSL certs cheap, no website should unencrypted."

      Certs may be cheap, but using SSL increases CPU used and leads to global warming.

      "I've also stopped visiting sites that don't have a signed certificate."

      That means you only visit your own site? since 99.99999999% of the web doesn't use SSL.

  9. Anonymous Coward
    Flame

    Don't Forget To Create Your Own CA

    Governments can strongarm the CAs to issue bogus certificates for any DNS name. I guess a "National Security Letter" does the trick in the Land Of The Free Running Spooks.

    Look at the list of CAs in your browser and be very, very scared.

  10. Anonymous Coward
    FAIL

    So how did you read this article?

    "I've also stopped visiting sites that don't have a signed certificate."

    Maybe I'm stupider than I thought (a distinct possibility), but I couldn't find any signed certificates for forums.theregister.co.uk.

    So how did you manage to read the article and post here if you only visit encrypted sites, hm?

    I base the above assertion on my right-clicking the page in Firefox (Linux version) and selecting "View Page Info" where it reveals the following under the "Security" tab:

    Web site: forums.theregister.co.uk ; Owner: This web site does not supply ownership information ; Verified by: Not specified ; Technical Details - Connection Not Encrypted - The web site forums.theregister.co.uk DOES NOT SUPPORT ENCRYPTION for the page you are viewing. (Ed: all-caps mine)

    I even tried manually typing in an "s" into the address and hitting Enter, like <https://forums.theregister.co.uk/> but it just sat there with the spinning logo and wouldn't even load/connect/whatever.

This topic is closed for new posts.

Other stories you might like