If you want to give credit to a report detailing how much money your political leaders have piled up for themselves, hacking the media outfit that published it is a great way to confirm the story.
That's the thing I don't understand. If accurately reported, this hacking attempt seems to be a sophisticated, expensive military operation with virtually no upside and high risk of discovery.
It just doesn't seem rational to expend that kind of resource for such petty motives, especially if they have any idea how western media works, which I believe they do.
> If you want to give credit to a report detailing how much money your political leaders have piled up for themselves, hacking the media outfit that published it is a great way to confirm the story.
Do you think it matters now for the Chinese gov? By doing this and more they will make it very expensive for NYT and impossible for smaller outfits to mess with them. Maybe they'll uncover some dirt and release it to embarrass or discredit its reporters, who knows.
Google thought they'd forced them to back down and we know what happened.
I don't think the New York Times would need much motivation to investigate corruption in China in the first place, but I strongly doubt being hacked by a foreign government would make them less motivated to do so.
All this focus on the sophistication of the Chinese hackers irritates me slightly.
Reading between the lines, it seems the NYT would likely have weathered this "sophisticated" attack a lot better if they had observed a few simple security best practices:
- Salt your password hashes (rendering rainbow tables inert)
- Train your staff NOT to open attachments from unknown sources (especially if you've just written an inflammatory article on a foreign government official)
- Configure your mail server to automatically strip and quarantine any attachment (inbound or outbound) that isn't of a type defined in a very strict white list
- In addition to network firewalls, make use of the software firewall on the PCs themselves by tightly controlling which processes on the machines are given egress permission
This stuff isn't rocket science and if the NYT can't get it right (knowing that they're a natural high profile target), what hope do other firms have?
The focus of the discussion should be on getting to the bottom of why we keep seeing these basic security oversights being made over and over again, not panicking about Chinese über hackers and suggesting everyone move to smart cards, retina scans or paper.
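The attachment rule in the list above (strip and quarantine anything whose type is not on a strict allowlist) is simple to state but easy to get wrong if the gateway trusts the file name alone. The following is an added example written for this page; it is not code from the original comment, from the NYT, or from any mail product. It models a gateway that requires three things to agree before an attachment is passed on: the extension is allowlisted, the declared MIME type matches that extension, and the decoded payload starts with the bytes that format actually uses. The allowlist, the addresses and the sample message are all constructed for illustration.

```python
"""Strict attachment allowlist for a mail gateway (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Constructed allowlist: extension -> (accepted declared MIME types, magic prefixes).
# Anything not listed here is quarantined, whatever the sender claims it is.
ALLOWLIST = {
    ".pdf": ({"application/pdf"}, (b"%PDF-",)),
    ".png": ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    ".txt": ({"text/plain"}, ()),  # no reliable magic bytes; any content accepted
}


def classify_part(filename, content_type, payload):
    """Return 'allow', or a quarantine reason, for one attachment.

    Three things must agree: the extension is allowlisted, the declared
    MIME type is one we accept for that extension, and the first bytes of
    the decoded payload look like that format (so an 'invoice.pdf' that
    really starts with an MZ executable header does not pass).
    """
    name = (filename or "").lower()
    _stem, dot, ext = name.rpartition(".")
    if not dot:
        return "quarantine: no extension"
    ext = "." + ext
    if ext not in ALLOWLIST:
        return f"quarantine: extension {ext} not allowlisted"
    mimes, magics = ALLOWLIST[ext]
    if content_type not in mimes:
        return f"quarantine: declared type {content_type} does not match {ext}"
    if magics and not any(payload.startswith(m) for m in magics):
        return f"quarantine: content does not look like {ext}"
    return "allow"


def filter_message(raw):
    """Parse a raw RFC 5322 message; return (clean copy, per-attachment decisions).

    The clean copy keeps the plain-text body and only the allowed attachments,
    i.e. what the gateway would hand on to the mailbox.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    decisions = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        verdict = classify_part(fname, part.get_content_type(), payload)
        decisions.append((fname, verdict))
        if verdict == "allow":
            maintype, subtype = part.get_content_type().split("/", 1)
            clean.add_attachment(payload, maintype=maintype, subtype=subtype,
                                 filename=fname)
    return clean, decisions


def build_sample():
    """Constructed inbound message: a real PDF, an executable renamed to .pdf,
    and a macro-enabled Word document (never allowlisted)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "reporter@example.test"
    m["Subject"] = "Documents for your story"
    m.set_content("Please see the attached files.")
    m.add_attachment(b"%PDF-1.4\n%fake pdf body", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="vnd.ms-word.document.macroenabled.12",
                     filename="memo.docm")
    return m.as_bytes()


if __name__ == "__main__":
    clean, decisions = filter_message(build_sample())
    for fname, verdict in decisions:
        print(f"{fname}: {verdict}")
    print("delivered:", [p.get_filename() for p in clean.iter_attachments()])
```

Note what the magic-byte check buys and what it does not: it catches a renamed executable, but a genuinely malformed PDF still starts with `%PDF-` and still passes, so the allowlist limits the attack surface to the document readers you have chosen to keep patched rather than eliminating it.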
As brown9-2 mentions in his reply, it was a Windows Domain Controller.
> Train your staff NOT to open attachments from unknown sources
Spear phishing attacks are more sophisticated than that. They aren't sending .EXE files. The two most common attachments are RTF[0] and PDF[1], or a link in the email body to a website that will attempt a drive-by download.
These emails are composed in a way to make them look innocent (e.g. 'Twitter Password Reset Request', 'New Amazon.com Order', or an email from a new source, etc.).
It is also likely that at this level of sophistication there are 0day exploits involved.
Attackers can send hundreds of spear emails over weeks and months, they just need a single click from one user to get their foot in the door.
> quarantine any attachment (inbound or outbound) that isn't of a type defined in a very strict white list
As mentioned above, the attachment types are RTF, PDF and XLS - and much more common is a link in an HTML email.
> make use of the software firewall on the PCs
The command and control servers send commands to ordinary looking websites using HTTPS. If you read the analysis of Flame or Stuxnet you will see the lengths that the designers went to in order to obfuscate this traffic.
This analysis[2] describes what the C&C servers looked like for Flame. The admin panels make no mention of bots or worms, it looks like any other intranet site.
It is really difficult to defend against these types of attacks. An attacker only needs 2 or 3 decent exploit writers to come up with a unique attack vector and a custom trojan tailored for the target. Also, time is on their side and they only need a single hit while you need to find and shut down all of the attempts.
Re: Windows Domain Controllers - I wasn't aware they didn't have the ability to salt hashes (I last used domain controllers and active directory back in the Win2K days). I could be facetious and say "move to open ldap, samba 4, zarafa and an open stack" but I realise that isn't being very helpful :)
Re: spear phishing attacks
All it takes is a bit of training and common sense to significantly reduce the effectiveness of this vector. Examples:
1. Remove Flash and, if possible, Java from all the desktop PCs and work laptops. [0]
2. Use a non-Adobe product for reading PDFs
3. Standardise on one browser (e.g. Chrome), force all users to use it and have someone in IT be responsible for tracking all security announcements from the manufacturer.
4. Ban browser addons
5. Train staff to hover over any link in an email and verify where it's going to before clicking it (and to be especially vigilant if the URL purports to be from a well-known website, e.g. Amazon, Twitter, etc.)
6. Ban staff from clicking on any link rendered by a URL shortening service.
7. Ban staff from opening any attachment from a new/unrecognised email source (regardless of file format).
8. Re-work your provisioning, network architecture and file storage setup so that it becomes quick and painless to regularly (even randomly) format users' machines and install a clean image.
9. If feasible, configure all users' email programs to render emails in plain text and encourage staff to avoid checking their private accounts on work provided machines (especially high profile users).
10. Ban users from connecting non-work appliances to the network. Use MAC filtering if you have to enforce this.
Re: firewalling
That's why I said block everything going out and only white list a very limited number of _processes_ not ports. Do it via the native software firewall or something like TinyWall.
[0] If a user really needs either of these, they can apply for special dispensation and IT can (after making sure the user is security trained) give them a locked down virtualbox instance they can launch from the desktop. If possible this could also be scripted so that it gets deleted every day or week and re-provisioned from a "gold" vm image.
Some attacks would still make it through despite the above but that's life. At the very least it raises the bar needed for a successful attack, making vanity hacks (like in the case of the latest one on the NYT) less common.
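Points 5 and 6 in the list above ask the user to do the checking by hand; the same checks can be run by the mail gateway before the message ever reaches an inbox. The following is an added example written for this page, not the commenter's code and not anything from the NYT, TinyWall or any mail product. It parses the HTML body of an email, collects every link with its visible text, and flags three things a reader is told to watch for: links through a URL shortener, links to a raw IP address, and link text that shows one domain while the href goes somewhere else. The shortener list, the sample body and every domain and path in it are constructed for the example.

```python
"""Flag deceptive links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, deliberately short list of shortener hosts; a real deployment
# would load a maintained list instead.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Link text that itself looks like a domain or URL, e.g. "www.amazon.com/orders/123".
DOMAIN_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host of a URL or bare domain, lower-cased, with a leading 'www.' dropped.
    Returns '' for non-web schemes such as mailto:."""
    parts = urlsplit(url)
    if not parts.scheme:
        parts = urlsplit("http://" + url)
    if parts.scheme not in ("http", "https"):
        return ""
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(a, b):
    """True if the two hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_links(html):
    """Return (href, text, reason) for each link a reader should not click blindly."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue
        if host in SHORTENERS:
            findings.append((href, text, "url shortener hides destination"))
        elif IPV4_RE.fullmatch(host):
            findings.append((href, text, "raw IP address"))
        elif DOMAIN_RE.match(text):
            shown = host_of(text)
            if shown and not same_site(shown, host):
                findings.append((href, text, f"text says {shown} but link goes to {host}"))
    return findings


# Constructed sample body; every domain and path here is made up for the example.
SAMPLE_HTML = """
<p>Your order has shipped. Track it at
<a href="http://amazon.com.tracking-update.test/track?id=1">www.amazon.com/orders/123</a>.</p>
<p>Reset your password <a href="http://bit.ly/xyz123">here</a>.</p>
<p>Read the full story at <a href="https://www.nytimes.com/">nytimes.com</a>.</p>
<p>Internal wiki: <a href="http://10.0.0.5/wiki">wiki</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

The mismatch check deliberately treats `nytimes.com` and `www.nytimes.com` as the same site, otherwise nearly every legitimate newsletter would be flagged; the check fires when the visible host is neither equal to nor a parent or child of the real host, which is exactly the `amazon.com.<something-else>` shape a lookalike uses.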
The point about hashes is irrelevant as the corporate passwords were stolen from a Microsoft Windows domain controller. Users of Windows domains aren't free to swap in their own implementation of how password storage works.
The executive editor of the Times says “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied"... but referring to their forensics they say that the attackers "search[ed] for and grab[bed] Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server" after cracking their password hashes.
So which is it? Did they download gigs and gigs of mail, but not the ones they were looking for? Or is "found no evidence" doublespeak for "we're pretty sure they got what they were looking for, but the logs had already rolled over on that system, so we have no evidence that they did". Based on the rough timeline presented, this was after they were known, so it may have been their honey-pot server, but the tone of the article suggests that they were not honey-potting them and simply monitoring their progress as they slowly stomped their way through their live network. This begs the question... if they were really monitoring the attackers for months, including watching them grab Barboza and Yardley's e-mails, what are we to make of the PR statement that no relevant or sensitive e-mails were obtained?
About Symantec's technology, it is worth noting that antivirus scans are based on identifying malware in one place, then being able to recognize that malware everywhere. This does not particularly help you recognize malware that was custom made to only be installed in one location. Particularly not when the people who were making that malware themselves have access to your anti-virus scans prior to deployment and can verify on their own computers that you do not detect them.
Therefore there is no surprise that Symantec failed to provide any meaningful protection during this attack. They know this. But they hardly want to admit it in front of all of their customers.
"It's okay to blink, because we never do – SONAR technology and live 24x7 Threat Monitoring watch over your PC for any suspicious behavior to quickly identify threats."
"Protection from the future, available today – our exclusive reputation and behavior antivirus technology are so advanced that they can stop online threats that bad guys haven't even created yet."
Yes. And if you engage in suspicious behavior like connecting to a botnet and then spewing spam, SONAR likely figures out that something is wrong.
But remote command and control through a covert channel can be done in ways that do not look particularly suspicious. And a sophisticated attacker should be assumed to know what behaviors SONAR is looking for.
Symantec (or any software company) isn't going to comment to a reporter about why its product didn't perform adequately, regardless of whether it's related to that reporter's parent organization.
If a reporter asked Oracle for a comment every time Tumblr went down because of something related to MySQL (I have no idea if Tumblr actually runs MySQL, that's just a hypothetical), the best they'd hear is "We don't comment about specific customer information."
Edit: It took me so long to write that that you edited your comment before I finished. ;) I think we're in agreement.
It's not really about privacy (which was why when I saw the quote in the article, I giggled, and thought "That reporter's being funny"), it's about the fact that Symantec isn't even in a position to have a comment about it.
If they were super on the ball and forthcoming, they might comment "We make software which is designed to protect users from the overwhelming majority of malware and viruses. There does not exist any solution which can completely guarantee safety from infection, but we have detected and stopped billions of threats."
Don't get me wrong, the AV industry (actually much of the security industry) should be embarrassed by how fundamentally primitive things are; it's a bunch of horseshit.
But they have absolutely nothing to gain by commenting about it, it would be walking into a hornet's nest. So they get to deflect it by saying they won't comment on a customer issue.
When newspapers are making the news, they often write about it in the third person, as if they were writing about any other newspaper. Symantec would not give the NYT a quote on the record about this. It doesn't mean Symantec wouldn't give the NYT details off-the-record. The comment in the article was a response to a question from a reporter, not the Times' security chief.
For instance a few weeks ago the Washington Post broke a story about how the Washington Post was considering a pay wall.
> U.S. Groups Helped Nurture Arab Uprisings
>
> Even as the United States poured billions of dollars into foreign military programs and anti-terrorism campaigns, a small core of American government-financed organizations were promoting democracy in authoritarian Arab states. ...
>
> The United States’ democracy-building campaigns played a bigger role in fomenting protests than was previously known, with key leaders of the movements having been trained by the Americans in campaigning, organizing through new media tools and monitoring elections. ...
>
> Today the work of these groups is among the reasons that governments in turmoil claim that Western meddling was behind the uprisings, with some officials noting that leaders like Ms. Qadhi were trained and financed by the United States. Diplomatic cables report how American officials frequently assured skeptical governments that the training was aimed at reform, not promoting revolutions.
> Is China Next?
>
> Over the course of three short months, popular uprisings have toppled regimes in Tunisia and Egypt, sparked a civil war in Libya and created unrest in other parts of the Middle East. They also have raised a question in many people's minds: Are all authoritarian regimes now threatened by this new democratic wave? In particular, is China, a rising superpower, vulnerable to these forces?
Whether or not you believe the Arab Spring actually resulted in good outcomes, the salient fact is that US funded groups started the revolutions and prominent neocons (like Fukuyama in that WSJ article) were/are calling for similar actions in China.
This is why the Chinese government feels that it is under attack by the United States, and it does not see a line between NGOs, the NYT/WSJ, and the US government, which they believe are working in concert to discredit their leaders and foment violent revolution in the name of democracy, as they did in the Middle East. Is this paranoid? Well, it's now hard to gainsay the USG/NGO connection given those articles, and in general even the NYT does tend to side with the USG against China or Arab regimes (most famously with Judith Miller).
From this worldview, China thinks of this as a conflict between one of their intelligence agencies and one of ours. It's not obvious that they are wrong in that assessment.
> "This is why the Chinese government feels that it is under attack by the United States, and it does not see a line between NGOs, the NYT/WSJ, and the US government..."
They are neither incompetent nor ignorant. They can tell who's who. When they want industrial info, they know where and how to get it. When they want advanced tech, they know how to get it. When they want to retaliate "cybernetically" they know how to do it.
I would say, as others have pointed out, that this is in retaliation to the pieces about graft and wealth building by CN officials counter to the spirit of the revolution because it could cause internal PLA dissent/strife - and to see if they could obtain info about sourc(e)s of that info.
> "and in general even the NYT does tend to side with the USG against China or Arab regimes"
This is like comparing people's comments about the weather and saying "see, they are aligned, they agree on aspects about the weather". I think it's more that their views coincide rather than the implied "pseudo-state-organ-piece" view. They (CN) are not naive.
I'd predict that if you began hosting Falun Gong sympathetic views and began getting traction that you (your site) would become a target - not because you'd be associated with the gov't, or even think you were related to the gov't, but because FLG is something they consider counter to their interest. You could be based in North Korea, but if you published things they found counter-productive, they'd look into investigating your nature, I suspect.
> I would say, as others have pointed out, that this is in retaliation to the pieces about graft and wealth building by CN officials counter to the spirit of the revolution because it could cause internal PLA dissent/strife - and to see if they could obtain info about sourc(e)s of that info.
Absolutely. But the greater context is that they see this as a skirmish in the larger campaign to discredit the PRC's current leaders, foment discontent, overthrow the government, and set up a (US-controlled) democracy.
You have presented nothing to connect that to this, except the obvious one: that state sponsored actions have state objectives behind them. You're arguing by insinuation and equivocation, and present nothing relevant to this event. It's like a comment section on the Stuxnet worm being inundated with comments about Iran sponsoring suicide bombers in Israel. Yes, it's related, but the volume of "evidence" you've added to this discussion suggests you just want to have a conversation about something else.
I thought it was helpful to see a rational state objective behind why the Chinese military may be hacking the New York Times (the article leaves motive unanswered beyond insinuating general malevolence).
"It's like a comment section on the Stuxnet worm being inundated with comments about Iran sponsoring suicide bombers in Israel."
This may not be a news flash for Israelis or Americans, but I bet it would make for informed reading for an Iranian (or even for an American sitting next to an Iranian). I've found foreign articles on current events illuminating of my own cultural blinders.
...except the GP provided no rational state objective for this except insinuating general malevolence as perceived by the Chinese government. That's my whole point. There's no argument here except equivocation.
> This may not be a news flash for Israelis or Americans, but I bet it would make for informed reading for an Iranian (or even for an American sitting next to an Iranian). I've found foreign articles on current events illuminating of my own cultural blinders.
Sure, but Stuxnet was built for very specific purposes, and sponsorship of suicide bombers is so far down the list of motives that it becomes essentially a non sequitur. However, it does achieve very well a change in conversation from the implications of introducing a computer worm to sabotage a nuclear program to a discussion of how evil a regime is. The former is a conversation worth having, no matter how much you feel Stuxnet was justified.
Here, we have a comment about the "context" of this action, which is summed up for us pretty well above as "they see this as a skirmish in the larger campaign to discredit the PRC's current leaders, foment discontent, overthrow the government, and set up a (US-controlled) democracy" (which, incidentally, sounds exactly like the greater context for the great firewall and state-controlled media, as well). This completely ignores the very specific correlation the Times points out with a series of articles they ran on Premier Wen Jiabao. That accusation is much more specific than the "context" found above.
Well, you implied in your comment below that you weren't interested in a simple "discussion of how evil a regime is". Very understandable and I agree with you. Yet the thing is that without this context Americans just don't understand why the Chinese military would get involved on a negative story about a leader. It seems like a gross overreaction. Indeed, without understanding the context it just seems "evil".
Until you realize that undercutting popular support for a leader is step 1 in the PNAC handbook for democratic change. We accuse them of atrocities, we accuse them of holding WMDs, we accuse them of suppressing freedom of speech, we get their population to believe that they are illegitimate by funding "democracy" movements. Then the fighting starts and we drop off weapons with the rebels, even if we know full well this could result in something worse ("Obama administration clearly was worried about the consequences of its hidden hand in helping arm Libyan militants").
Now half a dozen countries are burning across the Middle East in the name of setting up US-controlled democracies.
Yet most Americans don't get why the Chinese would defend their leaders reflexively or why the Chinese military would hit out. The view goes something like this: Sure, Wen Jiabao may have skimmed some money off the top, but politicians are constantly caught in scandals and China has gotten richer while the US has gotten poorer. So China's corruption isn't fatal to growth, while America's bank/Fed chimera may well be. And yet America wants to set China on fire just like it has so many other countries in the world, first with words and then with guns.
So, yes, I do believe this context is relevant. You don't need to agree with their views, but you do need to understand why they see this as self-defense against US imperialism.
Again, all you've done is repeat the same explanation for the Great Firewall and censorship of news as soon as it starts to appear to be capable of "fomenting dissent". It's worth noting that many in China do not share your view, and we have the weibo messages to prove it. While there is certainly a good bit of animosity aimed at the US (both well-sourced and born of invented stories), it's ridiculous to claim that even a large portion of the populace believes that they need to be protected from revolution brought about by American psyops in the news.
Assuming that of them certainly sells the people of China short, not to mention the complete lack of agency you seem to believe the people that actually live in Egypt, Tunisia, Libya, Syria, etc had in deciding to revolt in the first place. It's not clear what your personal belief is here (you're only reporting on the "context", after all), but you've repeated the Libya arms thing enough that I'll assuage your fears: look back through history. Nation building by rebel proxy does not work as intended. You only have to look at your so called new "US-controlled democracies" to dispel any idea of US control.
Meanwhile, The New York Times reported on corruption in those around Wen Jiabao, and the Chinese government hacked into their systems apparently so they could find out who provided information to the reporters and how they got the information that they did. It's a silly strawman to suppose that "without this context Americans just don't understand why the Chinese military would get involved on a negative story about a leader." No, it's extremely clear, and I think few here were very surprised.
> the complete lack of agency you seem to believe the people that actually live in Egypt, Tunisia, Libya, Syria, etc had in deciding to revolt in the first place.
> Egypt's revolution provided the first hurdle. Obama was criticised for backing stability as the drama of Tahrir Square unfolded. But on 1 February came his call for Mubarak to step down "now". As the New York Times wrote: "Obama upended three decades of American relations with its most stalwart ally in the Arab world, putting the weight of the United States squarely on the side of the Arab street."
As for this:
> look back through history. Nation building by rebel proxy does not work
Nation building doesn't work. Revolution by rebel proxy sure does. Governments don't overthrow themselves. As for history, the American Revolution succeeded because the French were pumping in money. The Vietnamese beat off the Americans because they had the Chinese and Soviets in their corner. The Afghans repelled the USSR with the help of the US and the Stinger missile. You will be hard pressed to find a revolution that won or even began without the intervention of foreign powers; where are the armaments coming from in the first place? The record shows that the Arab Spring was caused by US training, funding, armaments, and media support.
> “We learned how to organize and build coalitions,” said Bashem Fathy, a founder of the youth movement that ultimately drove the Egyptian uprisings. Mr. Fathy, who attended training with Freedom House, said, “This certainly helped during the revolution.”
>
> At one time the United States financed political reform groups by channeling money through the Egyptian government. But in 2005, under a Bush administration initiative, local groups were given direct grants, much to the chagrin of Egyptian officials.
>
> The Egyptian government even appealed to groups like Freedom House to stop working with local political activists and human rights groups.
>
> “They were constantly saying: ‘Why are you working with those groups, they are nothing. All they have are slogans,’ ” said Sherif Mansour, an Egyptian activist and a senior program officer for the Middle East and North Africa at Freedom House.
>
> When their appeals to the United States government failed, the Egyptian authorities reacted by restricting the activities of the American nonprofit organizations.
>
> In the face of government opposition, some groups moved their training sessions to friendlier countries like Jordan or Morocco. They also sent activists to the United States for training.
Further documentation on this topic is not hard to find. But feel free to minimize the explicit, acknowledged support of the most powerful country in the world for violent democratic revolution in favor of local "agency". As for whether this article on the #2 leader in China was printed at random, The New York Times has a track record of coordinating with the US government:
> The New York Times had agreed to temporarily withhold information about Mr. Davis's ties to the agency at the request of the Obama administration, which argued that disclosure of his specific job would put his life at risk.
>
> Several foreign news organizations have disclosed some aspects of Mr. Davis's work with the C.I.A. On Monday, American officials lifted their request to withhold publication, though George Little, a C.I.A. spokesman, declined any further comment.
> It's one thing for a newspaper to withhold information because they believe its disclosure would endanger lives. But here, the U.S. Government has spent weeks making public statements that were misleading in the extreme -- Obama's calling Davis "our diplomat in Pakistan" -- while the NYT deliberately concealed facts undermining those government claims because government officials told them to do so. That's called being an active enabler of government propaganda. ...
>
> Following the dictates of the U.S. Government for what they can and cannot publish is, of course, anything but new for the New York Times. In his lengthy recent article on WikiLeaks and Julian Assange, NYT Executive Editor Bill Keller tried to show how independent his newspaper is by boasting that they published their story of the Bush NSA program even though he has "vivid memories of sitting in the Oval Office as President George W. Bush tried to persuade [him] and the paper's publisher to withhold the eavesdropping story"; Keller neglected to mention that the paper learned about the illegal program in mid-2004, but followed Bush's orders to conceal it from the public for over a year -- until after Bush was safely re-elected.
In other words, whether under Bush or Obama, the NYT has an acknowledged track record of coordinating with the US government on stories that could result in international incidents. A hit piece on one of the top people in the Chinese government might not have been done at the State Department's request, but it certainly would not have been published over the State Department's objection. The fact that its effect was to sow discontent with China's leadership is not unnoticed by anyone skeptical of US-exported democratic revolution.
While I totally understand and don't debate that the US has supported many of the revolutions in the Middle East, there is a fundamental difference between supporting and creating said movements.
As far as I can tell, the US has been a follower, not a leader, in these movements. Sure, activists have been trained in the US. That's been the case for decades though, and it took organization and significant change and economic pressure — not brought about by the US — in the region to create the conditions for change.
I think this comes close to accusing an umbrella seller of conspiring with the weather because she happens to push umbrellas when it rains and switches to selling lemonade when it's hot. I think the NYT and Salon both have readerships and understand them and try to ride waves of interest.
I think there are coincidences and occasionally there could be coercion (don't publish on account of national security) but I do not see it as "an organ of the gov't". It's self interest. In other words it's not comparable to XinHua News, as you're implying.
W/re ME revolutions. All those examples were in places where the outcome was nearly inevitable (needed some logistical/moral support) and the US/EU didn't want to appear to be on the 'wrong side' of history. Witness CN and RU. Especially RU tends to pour arms into those conflicts to upset the West, to some extent --I don't fully understand their intent but they are unsuccessful in much but delaying the inevitable.
Perhaps. The bigger 'threat' is not so much from foreign media per se, but from internal Chinese (activists) who would translate and disseminate this information via various channels. It's not as though most Chinese know how/bother to avoid the GFC or know how to read English. It's the internal 'conspiracy theorists' and anti-propagandists who the gov't fear the most which is why they have introduced laws governing internet cafes, ISPs, blogs, microblogs, and hire thousands to scrub sites of offending info, etc.
The gov't mostly want to control internal communication. I think in this case they were looking for info on where the NYT got this information, so they could track down and rectify the sourc(e)s.
>> it does not see a line between NGOs, the NYT/WSJ, and the US government.
Aren't we all making the same mistake when we refer to them? All we know is that the attacks came from China, so we safely assume it came from the Government? Why is it that each time something comes from China (a country with approximately 5 times more people than the US - source Wikipedia) we blame their government and treat it as a declaration of war (or, with less exaggeration, a political move)? Is it possible that this enormous gigantic human honeycomb has, say, organizations, corporations, competitors, God-knows-what-which-isn't-their-government?
The western media have created this weird image of China and ... something doesn't add up. I've never been there and I hope I'll get the chance some day, but I can't help but feel that "someone" (feel free to replace this word with the antagonists of your favorite conspiracy theory) is trying to shove down our throat that China is a menace.
That being said, I agree with your analysis. The Chinese government has seen what happened in the Arab world and it knows that the US constantly needs an enemy. It probably does feel threatened.
What you might not understand is that the Chinese government has its hands in every corporation, organization, competitor, etc.
You might have false assumptions coming from the US system, where corporations and government are separate entities. They even sue one another at times.
In China, large corporations are overseen by the government. The government funds them, decides what they can and cannot do, and decides which corporations will succeed. You cannot build a search engine or social network right now, unless you pull a political coup, because the government controls which companies succeed. Baidu and Tencent are the "blessed children" for the time being.
Within the government, China is run by various clans, continually vying for power in the Communist Party. It's easiest to build a large company by having a family member in the upper echelon of the party, to push things through.
Everything is connected to the government in China. It's in your company's interest to keep the party in power, because the corrupt politicians keep you in business. It's in your wealthy family's interest to keep the government in power, because they keep you wealthy. It's a giant corrupt system, keeping itself in place.
Most likely, these attacks were actually executed by some low-level hackers somewhere. But most certainly, someone in the government has something to do with their funding, organization, or guidance.
>> What you might not understand is that the Chinese government has its hands in every corporation, organization, competitor, etc.
Yes, this is the point. Being a 30-year-old Chinese, I've already known that under a dictatorship almost everything is controlled by the gov. Want to give birth to a child? Need a permit (or your kid won't have an ID nor social security); want to start up your own NGO? Need an extremely complex license which is designed to scare you away; want to publish a book? Need a license, and it will be censored or even banned; want to form a street demonstration? Almost impossible.
I think for a dictator, he needs a system to restrain the free flow of people and information (a good example, North Korea), to do this the gov uses its power/money/people to reach out as far as possible into every corner of social and personal lives. It wants to know everything and wants to control everything (whether it can do is another story).
I cannot say I have any evidence to prove a sophisticated operation like this can only be done by the gov, but I believe only the gov or gov-sponsored organizations can do this.
"Government" is not one cohesive entity, certainly not in a country as big as China. Sure, there might be some rogue actors sympathetic to such attacks. But that doesn't imply that "Chinese government" in general is supportive of such acts, just like a few corruption scandals do not imply that entire US government is corrupt.
But for each scandal we need to re-evaluate the prior.
I'm irritated that you post this as if presupposing that the US government is not corrupt. I know you are factually correct, but the connotation bothers me.
When they failed to stop SOPA of their own accord, I realized that the majority are either incompetent or corrupt.
Well, my main point was about China and mentioned the US govt just as an example. If you don't like that example, how about: "It's wrong to call a corporation corrupt just because a few mid-level employees go rogue"
> Aren't we all making the same mistake when we refer to them? All we know is that the attacks came from China, so we safely assume it came from the Government?
I think the reason they see all of our institutions as one head of the same beast is that in China things really do work that way.
Of course, as parent points out, it's not completely false to see the United States that way, although our institutions collaborate in a more anarchic and haphazard fashion than the Chinese leadership may realize.
China pushes an alternative world view[0] to the US, it doesn't involve individual rights, and free markets. It seems the majority in the west (primarily the U.S) view this as a 'menace' or a 'threat' to their way of life... hence the constant propaganda.
EDIT: Just in response to the down votes, I thought maybe it was due to no citation.
On every parametric cultural ontology I've seen the U.S. comes out at the top for individualism, e.g. Hofstede's IDV: {US, 91; China, 20} [1]. This is why we believe in free speech, even if it's hateful speech, to a level alarming to the rest of the world. As Americans we are more likely to see society as a composition of individuals than as a cohesive system, or individuals as points on the fabric of society.
As much as I'm tempted to accept the self-loathing implicit in your analysis, temphn, I must strenuously object. Talking to people should never be denied or (in this case) punished. I don't care if it's government sponsored propaganda, the NYT, or the KFC marketing department: there is no justification for censorship.
If, as you say, "the Chinese government feels that it is under attack by the United States" then perhaps they should ask themselves why they are so afraid of information. Why are they not able to influence their own population on their home turf more effectively than these American interlopers? If they can't do that, then perhaps the foundations of their government are too weak to support the dreams and aspirations of almost 2Bn human beings.
You know, I really don't think that a regional book ban of James Joyce in 1933 is really all that comparable with what's going on in China today. Call me crazy.
I don't think you are wrong about the way China perceives the US influence, and I don't think China is wrong to perceive it that way, either.
The US government publicly avows its support for human rights and democracy around the world in general (even as it diminishes those very principles within its own borders -- but that's another story). It's not exactly a secret, although America definitely makes exceptions for its own convenience all the time (e.g. its support for the Shah of Iran, or the dictator Mubarak), and doesn't tend to publicly proclaim its support for revolution by as-yet unknown actors in nuclear-armed states like China.
However, I don't see any evidence that this notion is related to this specific case of hacking. Concern about US influences that would threaten the autocratic regime that currently controls China may be one big reason why they developed a large-scale military hacking capability.
But in this particular case, it simply looks like the principal(s) of the regime using those capabilities to try to find out the names of people who leaked sensitive information -- presumably, so that those people can be imprisoned/tortured/murdered.
The CPC simply wanted the names of whoever was leaking their corruption to the foreign press to 'fix the leak' by rounding these people up for unpleasant interrogation.
lol western orchestrated arab spring in China. I don't think so.
Hey China, you guys stop buying our debt, floating our consumer economy with a giant pool of near slave labor we can exploit, and stop giving us billions for our resources, or we will promote a rebellion so all your nuclear weapons can wind up in the hands of breakaway republics that might be hostile, like nuclear Uyghurstan
>> Whether or not you believe the Arab Spring actually resulted in good outcomes, the salient fact is that US funded groups started the revolutions and prominent neocons (like Fukuyama in that WSJ article) were/are calling for similar actions in China.
This is why the Chinese government feels that it is under attack by the United States
The Chinese don't give a rat's hoot about the Arabs. They attack American computer systems for obvious reasons, obvious to most of us.
The Chinese central government most certainly cares about Arabs, as they share a disputed border with several majority Muslim countries, including Pakistan and Afghanistan.
Moreover they have repressed domestic minority populations who are predominantly Muslim. The extent to which there are Islamic unification or nationalist movements (which are often tied in with movements in the middle east), the Chinese government very much does care about unrest amongst Chinese muslim populations.
I'm confused... What's the relationship between Arabs and Pakistan/Afghanistan?
There's a difference between being Arab and being Muslim. The greatest Muslim countries are not Arab (Indonesia, Turkey, Iran, Pakistan).
"Islamic unification" is by definition the opposite of "nationalist movements", and is very unlikely to happen. I can guarantee that Saudis, Pakistanis, Moroccans and Turks have way too little in common to even consider unification.
Revolutionaries tend not to be known for dealing in practicalities.
And yeah, you're right, Arabian culture is distinct from other parts of the Muslim world, but neither are they totally disentangled either. Both the green revolution in Iran and the Egyptian revolution against Hosni Mubarak had well defined religious components for example.
Again bad example, Iran is not an Arab country. They don't speak the same language, they don't share the same culture, they consider themselves the descendants of the Persian Empire, not the Caliphate (the big Arab Empire a few hundred years ago).
Also, I'm not sure I get your last sentence either. An awful lot of revolutions in the world (Arab and otherwise) have been fueled by religion. Even in the US, religion might not have been a motivation for the War of Independence, but it had a major impact on the relationship between government and religion.
Arabs also know how to do revolutions without involving religion:
- Lebanon went through something extremely similar to the Arab Spring back in 2005. The revolution against the oppressors of the time succeeded by putting religion aside and having most parties unite. (Lebanon is a segregated mosaic of approximately 17 religions, each having more or less political power).
- Syrian resistance (or rebels, depending on your point of view) are not, despite what the media is telling you, an Islamist resistance. The leaders of the resistance have clearly repeated over and over again that they're not after the minorities, they're not trying to put Islam forward, they're simply against the Assad regime.
jebblue, I believe the point of the paragraph you highlighted is that China feels it's under attack by the United States, not that it cares about the Arabs.
Maybe I should have highlighted the whole drivel of a comment ... my point ... remains what I wrote. America trying to teach Arabs about the virtues of Democracy is +not+ why China attacks American computer systems.
> It's not obvious that they are wrong in that assessment.
Any entity with the reach of the United States is naturally going to have connections with all kinds of actors. While the idea of Americans/Zionists/Illuminati/Nibiru pulling the strings behind every major event is no doubt very exciting for conspiracy theorists (e.g. I'm getting 2.28 million Google hits for ["dalai lama * a cia agent"]), and simpler (ignoring the agency of the citizens of those countries), that doesn't mean sane people should believe extraordinary claims without extraordinary evidence. It's not in anyone's interest to topple the PRC, even if it were possible, which it is not.
> But in the months before, the Obama administration clearly was worried about the consequences of its hidden hand in helping arm Libyan militants, concerns that have not previously been reported. The weapons and money from Qatar strengthened militant groups in Libya, allowing them to become a destabilizing force since the fall of the Qaddafi government.
U.S. State Department speaks to Twitter over Iran
> The U.S. State Department said on Tuesday it had contacted the social networking service Twitter to urge it to delay a planned upgrade that would have cut daytime service to Iranians who are disputing their election.
China Democracy Promotion Act of 2011
> By denying visas to certain Chinese nationals in the government who promote human rights abuses, we might as well assist Chinese patriots who work to end the lack of accountability for government officials who are part of the Chinese Communist Party. This legislation will send a message that abuses by these officials that go unchecked within China will not be ignored by the international community.
> But they say the party's agenda, as it stands today, is not visionary enough to set China on the path to stability. What is needed, they say, is a comprehensive strategy to gradually extricate the Communist Party, which has more than 80 million members, from its heavy-handed control of the economy, the courts, the news media, the military, educational institutions, civic life and just the plain day-to-day affairs of citizens. Only then, the critics argue, can the government start to address the array of issues facing China
> By examining the growth in individual rights, the public sphere, democratic processes, and pluralization, the author seeks to answer questions concerning the relevance of liberal democratic ideas for China and the relationship between a democratic political culture and a democratic political system.
> China represents an uncomfortable thorn in U.S. efforts to promote democracy around the world. While some projects have been successful, a large gap exists between the increasing U.S. funding in China and its "limited impact." [1] Moreover, U.S. democracy promotion in China has contributed to strategic distrust between China and the United States; Beijing perceives it as a strategic move to destabilize the rise of China and sabotage the Communist Party's leadership.
Given countless public statements like this, the PRC thinks with some justification that all these American institutions - Twitter, the State Department, the New York Times, Harvard - would like to see their government changed and replaced with a democracy. Despite their obvious internal differences, said institutions do share the assumption that exporting Western democracy will be good for China. But China sees what it has done for the Middle East and may have its own opinions.
> that doesn't mean sane people should believe extraordinary claims without extraordinary evidence
Move along, nothing to see here? Yet the NYT itself admits: "Diplomatic cables report how American officials frequently assured skeptical [Arab] governments that the training was aimed at reform, not promoting revolutions." Much of this is out in the open, so it's more coordination than conspiracy. As for the phrase "conspiracy theory", the implication of that phrase is that conspiracies don't exist. And to entertain the idea that Americans (let alone Zionists!) could possibly conspire is equated by you to believing in the Illuminati and the Nibiru. Yet in this selfsame article the NYT implies that the Chinese government engaged in a conspiracy against them.
Perhaps then you believe it is only Americans that never conspire. What then to make of "the Obama administration clearly was worried about the consequences of its hidden hand in helping arm Libyan militants"?
Occam's Razor says some office working for the Chinese government is looking for who snitched on Wen Jiabao's problematic enormous wealth.
> Perhaps then you believe it is only Americans that never conspire.
seriously?
Just look at the flailing US response day by day in the Egyptian revolution as they tried to get ahead of how it would turn out for an example of how the Obama administration was just as blindsided by the Arab Spring as everyone else.
For US intervention in the Libyan revolution, after the 1994 Rwandan genocide, Rice said "I swore to myself that if I ever faced such a crisis again, I would come down on the side of dramatic action, going down in flames if that was required."
More generally, a bunch of unconnected dots about supporting democracy or human rights in China, like any other interesting subject, is normal.
> Yet the NYT itself admits: "Diplomatic cables report how American officials frequently assured skeptical [Arab] governments that the training was aimed at reform, not promoting revolutions."
>>For US intervention in the Libyan revolution, after the 1994 Rwandan genocide, Rice said "I swore to myself that if I ever faced such a crisis again, I would come down on the side of dramatic action, going down in flames if that was required."
A change of subject, but... Why has this been forgotten today?! Syria seems worse than Libya. It reminds me of the civil war in ex-Yugoslavia with the rape camps and atrocities.
(I mostly read discussions about China to see if I can spot the members of the "50 cent army" :-) )
> As for the phrase "conspiracy theory", the implication of that phrase is that conspiracies don't exist.
Exactly this. Or that all theories are not worth our time, since they are just that, "just a theory" (implying there is no proof?), like creationists (of which, America is filled with) like to say.
> Or that all theories are not worth our time, since they are just that, "just a theory" (implying there is no proof?), like creationists (of which, America is filled with) like to say.
I don't see it. I was adding to the argument that you are using the word "theory" with a negative connotation, which makes absolutely no sense. And that mistake is very common in America, since you have religious folks spreading misinformation all over the country, including schools. On the other hand, I can see an ad hominem here:
> the idea of Americans/Zionists/Illuminati/Nibiru pulling the strings behind every major event is no doubt very exciting for conspiracy theorists
Someone is a "conspiracy theorist", so whatever he finds exciting must be wrong.
It's ad hominem because (a) bringing up creationism makes the US look bad and (b) it has nothing to do with conspiracy theories about the US having orchestrated the Arab Spring and plotting to overthrow the PRC. Are you saying I'm a creationist, or am being secretly influenced by them?
In fact, believing in creationism fundamentally relies on conspiracy theories and makes one more likely to believe in conspiracy theories.
> Someone is a "conspiracy theorist", so whatever he finds exciting must be wrong.
From a Bayesian perspective, I would get behind "much more likely", yes. I'm claiming the conspiracy theories involving those four all assume magical powers in similar ways and are just as unlikely, so I think they're OK to associate with each other, as they inform on each other.
> The Obama administration secretly gave its blessing to arms shipments to Libyan rebels from Qatar last year, but American officials later grew alarmed as evidence grew that Qatar was turning some of the weapons over to Islamic militants, according to United States officials and foreign diplomats.
> But in the months before, the Obama administration clearly was worried about the consequences of its hidden hand in helping arm Libyan militants, concerns that have not previously been reported. The weapons and money from Qatar strengthened militant groups in Libya, allowing them to become a destabilizing force since the fall of the Qaddafi government.
If you read my comments above, you can see that I did indeed read the top comment.
All that is provided is the assertion that all (American?) organizations questioning the Chinese government are apparently seen as arms of the United States's campaign against China, which explains why the Chinese government would make this move. What I was asking for was any specific evidence that would preclude the much more obvious explanation that the New York Times wrote a story exposing corruption surrounding the Chinese Premier, and the people infiltrating the system were looking for the sources of that information (which is what the New York Times themselves are claiming). Without specific information, all we're left with is that "the Chinese government does not like dissent", and the Arab Spring narrative is merely sophistry.
@magicalist: I agree with you (i.e., that in this case the obvious explanation is operative, and furthermore that the Chinese government is capable of discriminating between the actions of the US government and those of the NYT) but there's no sense arguing the point.
To me, this back-and-forth is reminiscent of "lefter-than-thou" debates I have witnessed before, and they all end up right where they started.
One caveat: it's quite possible that there are US government sponsored probes of Chinese sites, that we are not aware of, and that may be quite extensive and outrageous (to the Chinese government). So this skirmish with the NYT may be part of that larger cold war. This is not the same as saying (as the original comment did) that the Chinese government sees the NYT as a proxy of the US government.
False dichotomy perhaps? Consider this specific instance as a subset:
> the New York Times wrote a story exposing corruption surrounding the Chinese Premier, and the people infiltrating the system were looking for the sources of that information
of:
> all (american?) organizations questioning the Chinese government are apparently seen as arms of the United States's campaign against China
As a Chinese, I would say the Chinese government is worried about 'Arab Spring', but that's not why they attacked NYT this time. The 'Great firewall' was built to prevent any uprising similar to 'Arab spring' from being started.
I'm first generation Chinese-American, IMO not going to happen. Chinese people are concerned about money first and foremost followed by their family.
Also I'd like to challenge the implied perspective that somehow American democracy is superior. In fact the very notion of fighting for a political cause is a Western idea. Chinese people are less naive than Americans in a sense, because everyone in China knows that the nightly newscast (Xinwen Lianbo) is all BS, whereas people in America listen and cling onto their political religion (Rachel Maddow/Amy Goodman/Colbert Report for Left Coast Yuppies, Glenn Beck for Tea Partiers and CNN for mainstream suburbanites).
The Chinese idea is that politics really has less to do with personal life, as it is like the waves of an ocean to a surfer: they come and go, and rather than try to bend the all-powerful, insurmountable ocean, it's best to yield to it and surf in its direction. People humbly refer to themselves as One of the Hundred Names (Lao Bai Xin), separate from the emperors, or now the CPC, in their celestial palace.
Not fighting for one's identity and civil representation may seem apathetic and offensive to American sensibilities. But for the Chinese, one would rather improve one's lot by focusing on getting into a better school, a good employer, finding a good partner for marriage and taking care of parents than getting a piece of legislation changed advertising that you could potentially live a better life.
I'm sure supporters of American-style democracy will point to the civil rights movement, the New Deal, child labor laws as democracy-in-action that changed working class people's lives for the better if people stick together and march onto Washington. But the Chinese perspective sees revolutions and protests as natural occurrences of the masses' dissatisfaction, like waves in an ocean; they will form when the conditions are right (mass protests on polluting factories, mass Weibo posts on air quality and exposés on certain officials' corruption). Even the Tiananmen incident was a protest made by the falling dominoes of communism and a mass of disaffected students and workers with a varying and complex mix of agendas - and compared with the Westerner's idea of a rallying cry (Sandy Hook, Upton Sinclair's The Jungle, Rosa Parks) with a singular hero or martyr, it's a contrast of Taoist Wu-Wei and the Confucian idea of communal harmony to American individualism and manifest destiny.
I think you're overstating your case. I would say the "228 incident" [1] would counter your assertion that rallying cries (political causes) are anathema or that people don't care about authoritarianism as they might seek other ways to overcome the difficulties presented by it (following your waves in the ocean).
I think the healthy political involvement (even antagonistic approach) to politics in, practically Chinese, Taiwan speaks to how, essentially, Chinese people did "march on Washington" to produce change and shake off authoritarianism and did have a singular genesis with Lin, Jiang-mai and the Tienma Teahouse incident.
The political ecology of Taiwan when the 228 incident occurred is largely different from the current (smoggy and turbid) one in Mainland China. And in the late 1980s, the KMT regime lost its vitality (but still held some kind of moral integrity) as the older generation who fled from the Mainland to Taiwan around the late 1940s died out or retired, allowing a transformation of the political session there. However, in Mainland China, the ruling party still tightly grasps the controls, and the grassroots are more suppressed and less clearly divided than those in Taiwan at the time.
I'm not trying to generalize that a revolution would not happen here in China, but changes in the near future are highly unlikely, unless the economy of China collapses or the ruling party itself is split by inner struggles.
One of my implied points was that democracy is not 'foreign' and uninteresting to the Chinese, as implied by the OP. Prior to Mao's consolidating power, there were lots of CN intellectuals who were very excited about the prospects for CN and democracy. Song, Jiaoren was one such enthusiast of democracy who was assassinated prior to assuming CN Premiership[1]
It reminded me somewhat of the Japanese justification for protecting domestic ski manufacturers from EU mfgs: "Japanese snow is different".
> It's unfortunate that we don't get more foreign perspective on HN and Reddit.
Agree. But you should be aware that culturally different point of views and requests to avoid US-centrism on HN are often downvoted. I have experienced it myself. I do not care that much except that I fear other potential contributors may feel it as an injunction to "shut up".
For example, I noticed that many of my colleagues (in an IT company) read HN very regularly, but I am under the impression that they would not try to comment or would be repelled by downvotes.
What? Why? I happily wish for the day that the Great Firewall gets shut off, but in my book, the Chinese Government has been fantastically successful.
The sheer number of people brought out of poverty in the last few decades is mind-boggling. In 1981, 85%[1] of China's population (that's 850 million people[3]) lived on < $1.25 a day. In 2005, that was 16% (200 million people)! The USA is at 16%[2].
I'm confident that we'll eventually see reform in China. It'll take a few decades. People are still "high" on growth. Once the growth slows down, people will start taking a more critical eye to their government, and change will occur. I think those changes will occur gradually and peacefully.
It might be worth taking a quick glance at those articles again to make sure you're making a meaningful comparison.
The US poverty figures you quote are for an income of $23k/yr, or ~$11/hr. In that chart you quote for China, you notice that even the 71% mark only gets you up to $5/day (so $0.60/hr).
Edit: thinking about it. Isn't the poverty line relative to the cost of living? It may take a lot less money to feed and clothe a family in China than in the US.
In one of my visions, the Internet freedom would deteriorate after some 'Spring', as the security deteriorated in Egypt in the past years. And the next one taking the power would only control the firewall more tightly.
not op but I would say almost nil. The "Arab Spring" occurred in already unstable regimes, which China is not. There is also a massive difference in scale with regard to the amount of power that must change hands for something even close to occur - a much higher activation energy.
I think the best hope for China is a gradual transition to democratic reform as the old guard passes on. It's likely though that nepotism will bridge the generation gap.
Basically, it states that since 50% of the world's resources are concentrated in Europe + Asia + Africa, whoever desires to control the world should control this area first. If you think of it this way, it makes sense that if an international superpower such as the USA wishes to maintain that power, it has to control this region, or at least make sure no one else controls it. The greatest threat in this situation is certainly China, and the best possible way to attack this problem would be to create internal strife, considering the peculiar circumstances.
</tinfoil>
> This is why the Chinese government feels that it is under attack by the United States, and it does not see a line between NGOs, the NYT/WSJ, and the US government,
Ironically, you are assuming the same thing about China.
China is a giant corrupt honeycomb. There are blurred lines between corporation/government. Corporations are often a face for government interests. It's totally corrupt, and everybody knows that the face of an organization is not the actual motives behind the organization.
A single Chinese clan will control multiple branches of government and multiple corporations. They all seem separate, but they have the same interests and work together.
It makes sense for the Chinese to assume that the US is similar. That there is some corrupt connection behind the faces of separate entities, just like in China.
In point of fact I think this kind of hacking attempt is a kind of ham-handed attempt to control what cannot be controlled. The Chinese are pissed, and so someone put some money and time toward attacking the NYT. And not doing a very good job, either.
The US, by contrast, has more direct ways to express its displeasure.
Maybe but more likely one faction thinks another has leaked info and wants to get evidence. The power struggles over succession to the leadership are very serious. Indeed the whole business of staying in power is serious eg current case of poisoning.
Strange that they would hack the NYT when the NYT's source for the Wen Jiabao article seemed to be public financial records and info from WikiLeaks (State Department cables).
What is the strategic gain from hacking NYT? Identify potential other sources (within china) perhaps?
Any decent reporter is going to try to track down additional sources if possible. Conversely Chinese dissidents who want to get word out to the world are much more likely to talk to reporters for the NY Times than to the Chinese government. Therefore this becomes a possible way to identify dissidents.
Even their public outing is good for them. The fact that this story is out there will make it less likely that Chinese dissidents will dare talk to NY Times reporters. Which means that dissidents will have a harder time getting their stories out to the world.
There are other benefits to the Chinese as well. For instance the rich data that the Times has about various US organizations could help them identify people who could become useful informants.
More often than not, the journalist or their editor gets tips from people in the know (who are trusted NOT to disclose that information to you). Only then does a journalist start combing public records to have a verifiable (and non-incriminating) source -- there's just too much to look at without some initial hints.
Perhaps they are looking for information about the tipsters.
TBH, it could be anyone in the chain with sufficient authority to trigger it and hoping to impress someone who can reward him in a tangible manner.
And the sad thing is, it is not limited to bureaucracies or government organisations. I have seen bugs that are not fixed and patches that are rejected because it allows someone somewhere to behave heroically in an attempt to impress someone.
When I first experienced this, it was a very real WTF moment from the School of Dilbert Mismanagement.
What is the strategic gain from hacking NYT? Identify potential other sources (within china) perhaps?
---email---
Hey [NYT reporter,]
you may wanna check this
....lists wealth and place where this can be verified...
James
---------
---------
email 2
Hey NYT Exec
got a tip from a State Dept source regarding Chinese leaders
wealth....
--------
Maybe they'll get an "I can't believe he/she gave me herpes" email, or at worst they mess with, and raise the cost of doing business for, the NYT. The cost to the Chinese is as close to zero as possible; they have the money and manpower, so why not do it.
It will be interesting if we see the first use of national firewalls used to keep a nation-state boxed in from the outside. I'm not sure what the 21st century equivalent of a blockade or siege is, but that would come close.
Interesting idea but difficult to implement. The hackers hide behind proxies. Unless you could cut off proxies everywhere they would still find ways to get in.
As virtual as the Internet is, in many ways, it still takes physical form as fiber optic cables and trunks. And due to a variety of reasons the number of those that cross national borders is fairly limited. Wireless is great but hard to push terabits of data through like lasers in glass do.
I've just always thought of the Great Firewall of China as a state device to keep Chinese citizens from full access to the Internet, this article made me wonder if at some point there will be another Firewall outside the Great Firewall which isn't controlled by the Chinese but also keeps Chinese packets inside the country but for different reasons.
"After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.
"The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings."
As a student of the language, history, culture, current politics, and future prospects of China since 1975, I had better comment on how significant this is. The effort by operatives based in China (that much is indisputable from the computer forensics involved in this case) is deeply hostile to the press freedom that is a fundamental difference between China and the United States. Under usual principles of international law, China has the responsibility to keep actors on its territory from launching harmful attacks on the territory of another country, unless it is interested in declaring war. Prior restraint of news media is routine in China, and accounts for a great deal of the public ignorance in China that keeps the current dictatorial regime in power, but it is not at all a friendly act toward the United States. The United States government has everything to gain and essentially nothing to lose by every other government on the planet being exposed to more press coverage of national leaders and their possibly corrupt activities. In this regard, the current regime in China and any government of the United States under the Constitution have inherently differing interests.
The national interest of the common people of China, on the other hand, would be best served by freeing the news media there from the prior restraint and censorship that now exist there. If everyday people in China knew better what is really going on in the country, and what their leaders are doing, China could make greater progress in overcoming persistent poverty and enjoy more peaceful relations with countries all around the globe. Right now, the masses in China are not given the choice of knowing what's going on through uncensored mass media, nor are they given the choice of free and fair elections for choosing national leaders.
My best hope is that this effort to scare off the New York Times from honest reporting about China will fail as efforts by the Church of Scientology to frighten away investigative journalists are also increasingly failing.
A lot of journalists would like nothing better than to write even more tough stories about what is really going in China, based on unfettered reporting with Chinese-speaking sources in the country. One journalist from China I met long ago in a place far away commented well in advance of the Internet age that if the Communist Party of China ceased censoring mass media that its rule would be gone "in a week." The time will come when the Party can't shut down all the channels of information flowing into China and within China, and then the Party will have to face elections or face a revolution.
AFTER EDIT: The first reply asked a fair question, which is whether or not there is a basis for thinking that the Communist Party of China losing power in China would be a good thing. My answer is yes. I lived in Taiwan both under the KMT dictatorship and under its current democratic regime (which now again has the KMT as the ruling party, after an election). I have also been to Hong Kong. Chinese people can adapt well enough to democracy. In general, all around the world, freedom and democracy have their defects, but they are generally better for the people who live with them than the alternative. Precisely because Taiwan is available for an example, I think a transition to democracy in China could be especially smooth. It is regrettable that although there are Muslim democracies, the first attempts at specifically Arab democracies so far are nascent and struggling. The democratic transition in Arab countries will be harder in the short term for lack of culturally similar examples, but I think that too will be a long term benefit to the common people of the Arab lands.
AFTER ONE MORE EDIT: Anyway, it shouldn't be the censorship and armed force of the Party that restricts the people's right to choose their national leaders.
> One journalist from China I met long ago in a place far away commented well in advance of the Internet age that if the Communist Party of China ceased censoring mass media that its rule would be gone "in a week."
Is that a good thing?
Would its replacement be better?
Arab spring has kind of taught us that things aren't as simple as: "Break status quo and things get better".
As one American once put it, "The boisterous sea of liberty is never without a wave."
In the United States, over 200 years in, it is still very much so the American experiment. Its success dependent on all sorts of radical notions about human nature.
Turbulence in brand new democracies is not evidence of failure. It is to be expected. Democracy is hard.
> Arab spring has kind of taught us that things aren't as simple as: "Break status quo and things get better".
I don't think that anyone needed to be taught that. I doubt that we will be able to judge whether the Arab Spring was a success for another ten or twenty years- the immediate aftermath of revolution is always deeply messy.
Not to mention that 'better' is entirely subjective anyway, of course. There are plenty of older Russians that miss the Soviet days, believe it or not.
When looked at from the very long term position, the removal of dictators is indeed a good thing that is worth suffering through. I'm not sure that anyone can judge whether it's worth it, though- that a personal judgement.
Dictators... Are you saying Wen Jiabao is a dictator?
Given the vast improvement in the way of life for the Chinese since Deng Xiaoping, and their continuous prosperity, are we really sure that's the "best" thing to do?
I like how the whole article is rambling about Chinese hacks yet no strong & clear evidence suggests it's from China, except perhaps from a Chinese IP address.
You know what, Chinese computers are also likely to be hacked easily.
I agree that the Times can't prove absolutely that the Chinese government was behind the attack. But they do provide a few strong pieces of evidence: (1) the university computers used in this attack were the same machines used in past attacks that were linked to China's military; (2) the attacks coincided directly with policy issues affecting Chinese officials.
The article also had a relatively even-handed tone. It discussed the broader trend of hacks originating in China without linking the trend to the Chinese government, and it included an eloquent rebuttal quote from a Chinese official.
What Chinese newspaper competes with the New York Times, in any meaningful sense? Given that media inside China is heavily censored, and Chinese newspapers publish in a language the vast majority of the US cannot read?
I was implying it could be an American newspaper... As it stands if I 'hacked' HN and routed through china, I reckon the news would be: "HN hacked by Chinese Government!"
Seems like putting a password on their printer and thermostat, as well as telling their employees not to click random links (or, better yet, setting up a security rule on their email router to not allow links and attachments from outside the network), would have prevented this.
In essence these big companies are leaving the door unlocked and keep acting surprised when people that don't like them open it up and poke around inside. There needs to be more education and common sense; this sounds like a very easy attack to prevent.
This story, and the recent RubyGems debacle should be teaching all of us one thing -- assume you can and will be hacked. Do you understand the implications (what data you are going to lose? what credibility?) Do you have a plan to deal with it?
Ruby Gems was lucky in that their hack was noisy. The Chinese government, as illustrated above, won't play so nice.
This is why monitoring and incident response matter.
Remember the subtle backdoor that almost slipped into the Linux kernel in 2003[1]? That could be Ruby Gems right now. Hopefully, they are taking the proper steps to investigate exactly what the hackers did.
China appears to be engaging in highly sophisticated attacks of the like that major companies need to be aware.
The RubyGems fiasco is the result of remarkably incompetent decisions by everyone in the chain of control.
The lessons are completely different. In the first, it's that you have to expect that you will be compromised if a determined and capable attacker targets you.
In the second, it's that you will be compromised if you use software written by people and maintained by a community that seemingly lacks any remote resemblance of engineering competence.
I don't think the RubyGems people were incompetent. The software serves its core purpose quite well (as a library delivery mechanism) and is quite reliable. But clearly they weren't thinking about security in their decisions, and what would happen if the repos were compromised.
Let's be honest here - no software is 100% secure. As developers and consumers, the idea that we all review all of the tools in our toolchain for security soundness is absurd. It's like saying that everyone using C made poor decisions because of security flaws in popular libraries (even security ones, like openssl) and therefore all of the C community has no engineering competence.
The fact is, China already has their eyes on GitHub and it's not beyond the planning capability to place backdoors in popular software to suit their future ends.
No matter who the attacker may be, you have to be prepared for the situation where your computers and data are compromised, period.
> I don't think the RubyGems people were incompetent.
They sat on a publicly disclosed vulnerability in the YAML parser for a week. The YAML parser itself was ridiculously designed to (essentially) eval() YAML.
Those were the two active decisions of incompetence.
On top of this, they built a massively central system that is widely trusted with no means of code verification whatsoever. There is no telling what people could have injected into that repository at any point in its history.
0.8.11 / 2005-07-13: Added Paul Duncan's gem signing patch.
They've had a mechanism for code signing for 8 years. Yes, they could require signing of all gems on the site, but the ability has been there for a long time.
Didn't expect much out of this story because it has felt for a long time that hackers targeting politically sensitive media orgs, govt and private sector out of China is the norm. Too common, widespread (however it's being organized) and they are too many for us to keep tabs on/hope to stop. All we can do is be vigilant in security practices and keeping on top of latest measures.
Keeping on top of the latest measures is great, but I wonder if it's good enough. Maybe we should go back to writing our most sensitive information on paper.
"It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out."
I hope that's just poor reporting, or does the Times' IT department really have that poor an understanding of how computers work? No wonder they got pwned. And I'm not buying the "we gave them free rein for four months on purpose" line. It makes no sense.
Someone has poor understanding of how computers work, but it isn't necessarily the NY Times.
Once a computer is compromised, you can't trust anything about it. You may believe reinstalling the OS is enough, but it is possible that some remote control tool is still lurking in a main BIOS reflashed while compromised, or in the GPU firmware, or tens of other places.
While it should potentially be possible to reflash everything, it is practically cheaper to replace the computers. Do YOU know how to reflash your bios with a trusted version, your GPU firmware, etc?
I don't mean "I know how to look it up on Google, and I'm sure I can do it if needed". This thing is hard to automate and do at scale even if you do know how to do it, especially if not all your computer models are uniform. Depending on how old and varied the hardware is, it is very likely that the economical solution, (assuming you suspect an attacker capable of these feats), is to replace all the computers.
[Though, all the hardware they replaced it with has been, most likely, built and QA'd in China. Why would you trust _that_? The rabbit hole goes very deep. Practically too deep for anyone without a billion dollar R&D budget these days]
I made no such claim, but verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
I can accept however that the Times may well have been running 10 year old PCs, with manual IT management processes, and outdated security software, and that replacement may have been overdue and economically more viable.
> verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
Can you back up that claim with reference to a system that does that?
EVERY single management system I can think of trusts the system to report its status. You can't trust a compromised system to report its status.
Assume you have 5,000 desktop computers. How do you set them up so you can verify bios and firmware signatures without forcing a good bios reflash in the first place? (An action that does require soldering or jumper setting on modern motherboards!)
> I can accept however that the Times may well have been running 10 year old PCs
If you're running your business properly, 3-4 years is the oldest any PC should ever get. If you know a business running 10 year old PCs, tell them to get a new accountant. Today's $300 ATOM netbook (with your 10 year old screen and keyboard) will have positive ROI compared to maintaining a 10 year old machine (The best 2002 Pentium 4 is comparable to a modern ATOM, but needs 5-10 times as much power). You'll be saving money just with energy/cooling costs.
Good point, as in theory both the BIOS and the BIOS flash update routine could be replaced/virtualized... confirming a successful update even though the update was ignored.
> I made no such claim, but verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
Uh, reprovision the VMs, reinstall your packages, QA everything and be back up and running in a couple hours. At least that's what they could do if they had a competent SE team running things.
If you believe that, then you are not part of a competent team, and do not understand enough to evaluate anyone's competence. See, e.g. http://en.wikipedia.org/wiki/Blue_Pill_%28software%29 - despite the (justified) criticism listed there, the principle holds.
According to the Wikipedia article, tptacek / matasano says he can detect it, and if tptacek says, I'll take his word for it. (And yes, timing attacks are inherently hard to fake, though -- since this is a targeted attack, there could be a blue pill version that targets a specific matasano detector version. Continues ad absurdum)
Regardless - the advice given by parent is useless against a BIOS or deepest-level hypervisor rootkit.
A note to all armchair security people: Security is not just another engineering field like (say) networking, UI or databases: It is pervasive and very different:
Engineering is the practice of making sure that whatever is in the spec, works.
Security is the practice of making sure that anything outside the spec, doesn't work (unless it is desirable for some reason, in which case it should be added to the spec).
> "It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out." I hope that's just poor reporting, or does the Times' IT department really have that poor an understanding of how computers work?
The audience of NYT understands "We replaced the compromised computers."
Whereas the audience won't understand "We rebuilt each compromised computer, taking care to ensure they weren't exposed to the internet (and, additionally, were isolated from our internal network) until we were certain we'd patched every security flaw the attackers had previously exploited. We've also made policy changes to minimize the attack surface of our new infrastructure."
Therefore, those are wasted words. In fact, those words are an unnecessary risk. It's a risk because it's a strategic mistake for a newspaper to publish confusing articles.
> And I'm not buying the "we gave them free rein for four months on purpose" line. It makes no sense.
There's a sort of interesting journalistic gamble at work there. If you're confident that your backup systems are untouchable and you're able to track exactly what is going on, you could gather evidence for a truly ground-breaking story. Unfortunately like usual there's no iron-clad evidence that the Chinese government is behind the hacking, so it's not the story it could have been.
All of those things are technically true, but don't match up with the M.O. of the perpetrators in question (they're not actually using any super-fancy BIOS rootkits).
Also, the remediation process is exactly that, a process. It involves a pre-planned, direct remediation effort at a specific time, after which, egress traffic is monitored to look for any other outbound connections that pop up that were missed in the first "sweep." Passwords are all changed.
You "rinse, lather, repeat" that process until you stop seeing the communications. It can take several times before you sound an "all-clear".
The MO is that they are a state attacker, not a one trick pony.
Until proven otherwise, you should assume that in addition to what you know they did, they did everything you can think of that is within their known capabilities. Super fancy BIOS rootkits are not outside their known capabilities.
Also monitoring egress traffic is easier said than done. For example you could have a special gmail account that you connect to over https while the user is actively using the computer. This account receives and sends commands as email messages. Since it is normal for that computer to connect to gmail, and the connection is normally encrypted, that communications channel could be rather hard to detect.
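The remediation sweep described a few comments up (watch egress after the clean-up for outbound connections you missed) and the objection just above (a command channel riding HTTPS to a service the user already talks to) can both be made concrete. The following is an added example, not code from anyone in this thread: it runs a simple beaconing check over a constructed proxy log, grouping connections by source and destination and flagging pairs whose inter-connection gaps are too regular for a human. The log format, the addresses and the hostnames are invented for the example. It deliberately includes both cases: an implant calling its own host every five minutes, which the timing check catches, and one that hides its callbacks among the user's real webmail sessions to the same destination, which it does not.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_line(line: str):
    """Parse one constructed proxy-log line: '<ISO time>Z src=<ip> dst=<host> bytes=<n>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields["src"], fields["dst"]


def find_beacons(lines, min_events: int = 6, max_cv: float = 0.15):
    """Flag (src, dst) pairs whose connection gaps are too regular to be a person.

    Returns {(src, dst): mean_interval_seconds}. Destination reputation is not
    consulted at all, so a "respectable" hostname does not exempt a pair.
    """
    by_pair = defaultdict(list)
    for line in lines:
        when, src, dst = parse_line(line)
        by_pair[(src, dst)].append(when)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: near zero means metronomic, i.e. scheduled by software.
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean)
    return beacons


def _line(when, src, dst):
    return f"{when:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} bytes=1200"


def make_sample_log():
    """Constructed log for two hypothetical workstations; addresses and hostnames are invented."""
    base = datetime(2013, 1, 30, 9, 0, tzinfo=timezone.utc)
    human_minutes = [0, 3, 4, 11, 12, 25, 26, 40, 58]   # a person reading webmail, irregularly
    beacon_jitter = [0, 1, 2, 1, 0, 2, 1, 0]             # an implant: every 300 s, a few seconds of jitter
    lines = []
    for m in human_minutes:
        lines.append(_line(base + timedelta(minutes=m), "10.1.2.3", "mail.example.com"))
        lines.append(_line(base + timedelta(minutes=m), "10.1.2.4", "mail.example.com"))
    for i, j in enumerate(beacon_jitter):
        at = base + timedelta(seconds=90 + 300 * i + j)
        # Workstation .3: the implant talks to a host nobody else uses -> regular gaps, flagged.
        lines.append(_line(at, "10.1.2.3", "updates.cdn-example.net"))
        # Workstation .4: the implant calls back through the same webmail host the user
        # is already on -> its gaps are mixed with the human's, and the check stays silent.
        lines.append(_line(at, "10.1.2.4", "mail.example.com"))
    return lines


if __name__ == "__main__":
    for pair, interval in find_beacons(make_sample_log()).items():
        print(f"beacon candidate: {pair[0]} -> {pair[1]} every ~{interval}s")
```

Run on the constructed log, only the `10.1.2.3 -> updates.cdn-example.net` pair is reported; the webmail-blended channel on `10.1.2.4` is invisible to per-destination timing, which is the point the comment above makes. Closing that gap needs a different vantage: per-process egress attribution on the host (which program opened the connection) or volume and session-shape features, not a longer blocklist of destinations.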
Sorry, I should have stated that better. I'm not talking about, "best practice for an advanced attack from an unknown perpetrator". I absolutely agree with you in general.
I'm saying that this particular attacker is a known, identifiable actor. They have names, they have huge reams of files in manila envelopes. If you are privy, you get to know their actual names, see photos of them.
They have a very specific methodology which they use. You use that methodology to determine the extent of what they've accomplished. This specific actor is not using any super fancy BIOS rootkits.
If one of their campaigns ever gets to the point that they are unable to obtain repeatable persistent access, that campaign is sent to a different actor (with a completely different big manila envelope about) who will then attempt a more advanced campaign.
The tools and tactics for these intrusions are very specific to the actual actors responsible.
Your reply has a lot of very specific information about the attack, attacker, and state of the compromise that I find rather dubious and cannot find in the article. Do you have a source that you would care to share?
Furthermore in this case we've been told that the attacker managed to achieve a rather thorough compromise of the network. And managed to persist through multiple attempts to remove them. Even if the attack proceeded by the rules that you describe, it would be foolhardy to assume that they were not subjected to the advanced campaign.
You aren't assuming, you are looking on all machines for IOC's (specifically machines that have been compromised before), and hopefully making use of all that fancy network security monitoring technology you paid entirely too much money for.
And you're monitoring outbound connections to any of the places which are known to be "bad neighborhoods", as well as any other suspicious traffic.
In the gmail example you used, it would indeed be difficult to see that on the network. If that was sent out by some BIOS rootkit it would indeed be very difficult to detect.
I have no idea why we don't see more of that stuff (I suppose you could argue that we wouldn't recognize it even if we did), but that's not been the level of attack associated with these actors.
I suppose the main reason they don't do that is because they don't need to. They will just keep sending malicious emails over and over again until they get someone to click on one.
Or, if the company does a good job with protecting email, they'll compromise another company that partners with the target company (which is what ensnares a lot of small companies today, who are partners with larger defense contractors) and exploit a trust relationship there.
It might just be that the five guys they have who can write BIOS rootkits are all busy being used on projects that have more strategic importance. The shortage of good programmers isn't just a problem in the west.
I was trying to figure out how you think you know all of this when I clicked on your profile. Then the thought suddenly hit me that publicly disclosing details about how we think they work, and what we actually look for in cleaning up, might not be the best thing to do on a forum that is world accessible.
Also if you're right, I'm depressed that they don't in practice use ideas that have been publicly known for decades.
One final thought. The gmail approach would leave fingerprints in Google's system. The actor in question could easily have some paranoia about doing that, even though Google would be unlikely to notice.
So I've tried to be careful to not discuss anything on here that I wouldn't give in a talk in a public forum (we are working on sharing nonclass information, as many of the companies in my area are all particular targets for these attacks. It's almost like a 12-step program.)
And I share your sadness that we're still dealing with these types of attacks, when we could make things so much more difficult for attackers by just implementing the things we've learned in the past thirty years.
I feel a little torn, though, because I also worry about what unintended consequences would arise if we actually replaced all of our infrastructure with things like hardware roots of trust, and trusted network connect implementations (which are systems which really provide very little value unless everything on your network uses them). Whether that's just moving the ball ten yards forward, when we still struggle to engineer large systems in a secure manner.
If that depresses you, I worry how you'd react when most organizations balk even at the prospect of a mass password reset. How many try to argue why can't they just reset the ones that you "know" are compromised? Or how long it takes to get said password reset signed-off and put into the change management process.
For what it's worth, I work a lot now with TPM's, and even the places that have actually gone through the trouble of rolling out bios measurements and signed firmware, are still getting breached.
> but don't match up with the M.O. of the perpetrators in question
Oh, the hubris.
This statement may be true (and probably is), but the perpetrators might also be running a BIOS rootkit at the same time - unless you actually pull the bios chip out and read it in another machine, you cannot tell. If you haven't already, read Ken Thompson's "Reflections on Trusting Trust", and mentally replace every occurrence of "C compiler" with "BIOS" and "login" with "Hypervisor".
> It can take several times before you sound an "all-clear".
I seriously hope no one takes this as security advice. You should read on "covert channels" (e.g. in Tanenbaum's OS book) - this advice is rubbish if you are dealing with a targeted attack (which is known to be the case here).
It's probably acceptable advice against "drive by" and other opportunistic malware.
An important pillar of real (rather than perceived) IT security is that once a system has been compromised, you can hardly trust anything about it anymore. Things were simpler in the past, when BIOS was an EPROM (not rewritable by software), CPUs had no virtualization support (so you knew what you see from the inside is what's really there), and the world wasn't as connected.
Nowadays, if you really care about targeted attacks, and you trust your suppliers (a given; if you don't, you can't use a computer), it is always cheaper to replace a system than attempt to verify it clean.
I don't disagree with anything you've written, but remediation from these attacks almost never involves replacing any of the hardware (with the possible exception of when a laptop belongs to an executive, and it becomes easier to just set them up with a new one and swap it out).
> remediation from these attacks almost never involves replacing any of the hardware
That's true. But it should, if you care about security.
Equivalent: Proper backup procedures are seldom made or tested. They should (and they do happen once there's enough CYA involved, or one of the involved parties has experienced some previous catastrophic event)
"Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees"
Does this mean the NYTimes is storing passwords in plaintext?
That means that the hackers pivoted from one system to the Domain Controller (with an account they cracked previously, or the results of a pass-the-hash attack), and got access to all of the account hashes (which they then would crack offline).
The passwords aren't stored in plaintext, but with the computational power available to anyone (or substituting that, time), you start getting actual passwords in a couple of minutes (the worst ones), and maybe 90% in a few hours.
"From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee."
I hope all the NYT employees didn't reuse those passwords anywhere else...I think if you work at a big political target like the NYT, you just have to treat it as sacrosanct as your personal email and bank accounts, even if the corporate account is just a formality (i.e. you forward all your emails to your gmail account...which is not a good idea if you're a reporter, but I know several who do it for the convenience)
They probably found the place where windows stores the passwords. All 8 character passwords under the unsalted scheme (NTLM) used by Microsoft can be cracked within minutes via use of rainbow tables. Even easier if LANMAN passwords are enabled.
Not necessarily. All we know is that they stole the password files. We don't know if the passwords were encrypted (but I'm assuming they were), and we don't know if the thieves were able to decrypt the passwords (they probably did for some fraction >0 and <= 100%).
Not sure, I think the article was careful to not disclose how their passwords are stored, but the article did make mention of encrypted passwords and the use of rainbow tables to crack them.
I think if they have the ability to steal the passwords, even if they weren't plain text, they didn't do the proper precautions of encrypting with a salt. So either way, they failed.
At this point, passwords should be considered obsolete when it comes to securing things. We should be using smartcards and cryptographic techniques; humans are just not good enough at generating or remembering random strings for passwords to be considered a good idea.
Are these state-independent actors capable of orchestrating intrusions of such sophistication?
Judge for yourself.
They operate from a bare apartment on a Chinese island.
They are intelligent 20-somethings who seem harmless.
But they are hard-core hackers who claim to have gained
access to the world's most sensitive sites, including
the Pentagon.
In fact, they say they are sometimes paid secretly by the
Chinese government -- a claim the Beijing government
denies.
"No Web site is one hundred percent safe. There are Web
sites with high-level security, but there is always a
weakness," says Xiao Chen, the leader of this group.
"Xiao Chen" is his online name. Along with his two
colleagues, he does not want to reveal his true identity.
The three belong to what some Western experts say is a
civilian cyber militia in China, launching attacks on
government and private Web sites around the world.
If there is a profile of a cyber hacker, these three are
straight from central casting -- young and thin, with skin
pale from spending too many long nights in front of a
computer.
One hacker says he is a former computer operator in the
People's Liberation Army; another is a marketing graduate;
and Xiao Chen says he is a self-taught programmer.
"First, you must know about the Web site you want to
attack. You must know what program it is written with,"
says Xiao Chen. "There is a saying, 'Know about both
yourself and the enemy, and you will be invincible.'"
CNN decided to withhold the address of these hackers' Web
site, but Xiao Chen says it has been operating for more
than three years, with 10,000 registered users. The site
offers tools, articles, news and flash tutorials about
hacking.
Private computer experts in the United States from
iDefense Security Intelligence, which provides
cybersecurity advice to governments and Fortune 500
companies, say the group's site "appears to be an
important site in the broader Chinese hacking community."
Arranging a meeting with the hackers took weeks of on-
again, off-again e-mail exchanges. When they finally
agreed, CNN was told to meet them on the island of
Zhoushan, just south of Shanghai and a major port for
China's navy.
The apartment has cement floors and almost no furniture.
What they do have are three of the latest computers. They
are cautious when it comes to naming the Web sites they
have hacked.
On camera, Xiao Chen denies knowing anyone who has
targetted U.S. government Web sites. But off-camera, in
conversations over three days, he claims two of his
colleagues -- not the ones with him in the room -- hacked
into the Pentagon and downloaded information, although he
wouldn't specify what was gleaned. CNN has no way to
confirm if his claim is true.
"They would not publicize this," he says of someone who
hacks the U.S. Defense Department. "It is very sensitive."
This week, the Pentagon said computer networks in the
United States, Germany, Britain and France were hit last
year by what they call "multiple intrusions," many of them
originating from China.
At a congressional hearing in Washington last week,
administration officials testified that the government's
cyber initiative has fallen far short of what is required.
Most alarming, the officials said, there has never been a
full damage assessment of federal agency networks.
"We are here today because we must do more," said Robert
Jamison, a top official in the U.S. Department of Homeland
Security. "Defending the federal system in its current
configuration is a significant challenge."
U.S. officials have been cautious not to directly accuse
the Chinese military or its government of hacking into its
network.
But David Sedney, the deputy assistant secretary of
defense for East Asia, says, "The way these intrusions are
conducted are certainly consistent with what you would
need if you were going to actually carry out cyber
warfare."
Beijing hit back at that, denying such an allegation and
calling on the United States to provide proof. "If they
have any evidence, I hope they would provide it. Then, we
can cooperate on this issue," Qin Gang, a spokesman for
the Chinese Foreign Ministry, said during a regular press
briefing this week.
But again off-camera, Xiao Chen says after the alleged
Pentagon attack, his colleagues were paid by the Chinese
government. CNN has no way to independently confirm if
that is true.
His allegations brought strenuous denials from Beijing. "I
am telling you honestly, the Chinese government does not
do such a thing," Qin said.
But if Xiao Chen is telling the truth, it appears his
colleagues launched a freelance attack -- not initiated by
Beijing, but paid for after the fact. "These hacker groups
in my opinion are not agents of the Chinese state," says
James Mulvenon from the Center for Intelligence Research
and Analysis, which works with the U.S. intelligence
community.
"They are sort of useful idiots for the Beijing regime."
He adds, "These young hackers are tolerated by the regime
provided that they do not conduct attacks inside of
China."
One of the biggest problems, experts say, is trying to prove
where a cyber attack originates from, and that, they say,
allows hackers like Xiao Chen to operate in a virtual
world of deniability.
And across China, there could be thousands just like him,
all trying to prove themselves against some of the most
secure Web sites in the world.
Most valuable point in this otherwise very interesting discussion.
MFA neutralizes most hacker threats. Organizations like the NYT that are sensitive should implement them. I know we do for banking, per industry standards (FFIEC). Fraudsters aren't about to defeat RSA tokens or multiple channels of authentication in the near future, as far as I know. It's just too logistically difficult and an order of magnitude harder to then compromise the MFA servers (via MITM or otherwise), etc. If implemented correctly, they make access to individual personal data significantly more distributed and difficult to breach.
Is MFA for e-mail each time extremely annoying? Probably. But logging into a system with just a username and password for a new ip address should not be the standard for authentication. This has got to be the solution eventually, and one which will essentially de-emphasize nation states or any large organizations from surveilling lists of accounts.
MFA and authentication have a much larger scope than what you've brought up here. I should start by saying I think passwords have atrophied and should be replaced, and MFA is the best option we have to replace passwords at this time. However, MFA has flaws many people are unaware of.
I apologize for starting with a contradiction to something you state, but MFA does not neutralize most hacker threats. It only addresses authentication, it's unable to help against software compromises or user compromises -- Phishing attacks would still be effective, as the user will input a valid temporary token. What is MFA effective at preventing? Brute force password attacks, and users choosing bad passwords.
An attacker who compromises an internal system or is successful in egressing a login database will gain the session tokens for logged-in users and be able to use them to access compromised accounts (subverting the entire login process).
But, you covered this, so I will digress to mentioning MFA's authentication concerns:
The "forgot password" or "lost my token" systems are always a weak link. Frankly, it's improbable (due to overhead costs) that any bulk service provider (Twitter, Gmail, etc.) would enact a strict verification process beyond automated email/phone verification (and this has been compromised before; look up the attack against Cloudflare's Google services).
Second to the "lost password/token" attacks, there is the simple attack against the session ID/token. Remember, once you're logged in, your computer will store a token that it shares with the service to verify you are still authenticated. While the token will expire, if the token is active then the system will accept the session ID or token to verify you are logged in. The egress of data from the Twitter login database included these session IDs. Of course, this requires a compromise of the system and not an MFA login compromise.
Finally, on your discussion of using an MFA token for every login, every time: this is actually not true in all cases. A reasonable approach most implementations use is to require MFA for logins from unknown computers/IPs; once a system is verified via MFA, a user would likely have a grace period during which they would have to enter only their password, until that grace period expires and they have to verify via MFA again. This could be 1 week, 1 month or 1 year+.
Of course, these statements I've made are really up to the environment's configuration. Ideally, in a very strict environment, it's expected that you verify via MFA each and every time, session IDs are updated automatically with every action and users are aware of security risks. But we don't live in this security/paranoia utopia (and perhaps that's all for the better).
Hope I've helped spark some discussions on MFA here. Bam, I'm out!
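The two server-side concerns raised in the post above (a dumped login database handing out live session IDs, and the "trusted device" grace period that skips MFA for a while) can both be addressed in the session layer. The following is an added example, not code from the thread or from any of the services it mentions: the session store keeps only a SHA-256 of each bearer token, so a table dump yields nothing the attacker can present, rotates the token after a step-up, and a signed device cookie caps how long the MFA grace period lasts. The server key, user names, TTLs and timestamps are constructed for illustration.

```python
# Added example (not from the thread): hashed-at-rest session tokens plus an HMAC-signed
# trusted-device cookie with a bounded MFA grace period.  All keys/users/times are constructed.
import base64
import hashlib
import hmac
import json
import os
import secrets

SERVER_KEY = os.urandom(32)   # constructed; in practice from a KMS and rotated


def _token_hash(token: str) -> str:
    """What the database stores.  The token is 256 bits of CSPRNG output, so a plain
    SHA-256 is enough: there is nothing to brute-force and nothing for a rainbow table."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, ttl_s: int = 3600):
        self.ttl = ttl_s
        self.rows = {}   # token_hash -> {"user": str, "exp": int, "mfa": bool}

    def create(self, user: str, now: int, mfa_done: bool) -> str:
        token = secrets.token_urlsafe(32)        # only ever lives in the client's cookie
        self.rows[_token_hash(token)] = {"user": user, "exp": now + self.ttl, "mfa": mfa_done}
        return token

    def lookup(self, token: str, now: int):
        row = self.rows.get(_token_hash(token))
        if row is None or row["exp"] < now:
            return None
        return row

    def rotate(self, old_token: str, now: int) -> str:
        """Issue a fresh token after any privilege change (e.g. MFA step-up) so that an ID
        captured before the step-up, or exposed in a dump, is worthless afterwards."""
        row = self.rows.pop(_token_hash(old_token))
        return self.create(row["user"], now, row["mfa"])

    def dump(self) -> list:
        """Simulates what an attacker who exfiltrates the session table actually obtains."""
        return list(self.rows.keys())


def issue_device_cookie(user: str, now: int) -> str:
    """Signed claim: this browser completed MFA for `user` at time `now`."""
    payload = json.dumps({"u": user, "t": now, "d": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def mfa_required(cookie, user: str, now: int, grace_s: int = 30 * 86400) -> bool:
    """True unless a valid, untampered cookie for this user is inside the grace period."""
    if cookie is None:
        return True
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return True
        claims = json.loads(payload)
    except Exception:
        return True              # malformed cookie: fail closed, ask for MFA
    return not (claims["u"] == user and 0 <= now - claims["t"] <= grace_s)
```

The grace period is enforced from the issue time embedded in the signed cookie, not from a client-controlled value, so a user (or an attacker holding a stolen cookie) cannot extend it; revoking it early means rotating `SERVER_KEY` or keeping a server-side blocklist of the `d` field.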
Interesting to think about. And you're right, phishing, breaches of the MFA database, and session jacking (via breaching the session database) are all big problems still.
But it's significantly more difficult to compromise certain accounts with another channel of authentication. Whether it's the initial attack vector (trying to crack some random employee's password) or secondary attack vectors (once access is gained, trying to go up a security level or compromise servers upstream, etc.), if each of those authentications requires (after initial setup) a secondary device, it's just so much harder to crack.
Anyway, I think there's got to be a way to design a security system that partitions secure information. MFA secure cookies (or whatever we want to call long-term session ids associated with authenticated secondary channels), I would hope could slow down access to individual accounts.
Ideally, secure cookies get more sophisticated in the future and truly lend a 'distributed' quality to the architecture (i.e., are just one-time RSA private keys, maybe?). Thus making it very difficult to login without actual access to the device that the user setup MFA with.
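The earlier objection that a phishing page simply relays the "valid temporary token", and the closing suggestion that the second factor be a private key on the device the user enrolled, can be shown side by side. The following is an added example, not code from the thread or from any product it mentions: an RFC 6238 TOTP code (the Google Authenticator / hardware-token style factor) is accepted when relayed within the server's skew window, while a device key that signs the server challenge together with the origin the browser is actually talking to (the idea behind U2F/WebAuthn) is rejected, because the phishing origin ends up in the signature. Secrets, origins and timestamps are constructed, and an HMAC stands in for the asymmetric signature a real device key would produce; the origin binding is the point, not the primitive.

```python
# Added example (not from the thread): TOTP survives a real-time phishing relay,
# an origin-bound device key does not.  Secrets/origins/times are constructed; HMAC
# stands in for the device's asymmetric signature.
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check; accepts the current step plus/minus `skew` steps for clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def totp_relay_succeeds(secret: bytes, victim_time: int, relay_delay_s: int) -> bool:
    """The victim types the code into a phishing page; the attacker forwards it to the
    real site `relay_delay_s` later.  The code is tied only to time, so it verifies
    whenever the relay lands inside the skew window (an automated proxy always does)."""
    code_typed_into_phish_page = totp(secret, victim_time)
    return verify_totp(secret, code_typed_into_phish_page, victim_time + relay_delay_s)


REAL_ORIGIN = "https://bank.example.com"      # constructed
PHISH_ORIGIN = "https://bank-example.com"     # constructed lookalike


def device_sign(device_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> str:
    """The device signs the server challenge together with the origin the browser is
    actually connected to; the device never sees or trusts what the page claims."""
    return hmac.new(device_key, challenge + origin_seen_by_browser.encode(),
                    hashlib.sha256).hexdigest()


def server_verify(device_key: bytes, challenge: bytes, expected_origin: str, sig: str) -> bool:
    """The real site only accepts a signature bound to its own origin."""
    return hmac.compare_digest(device_sign(device_key, challenge, expected_origin), sig)


def device_key_relay_succeeds(device_key: bytes) -> bool:
    """Same relay against the device key: the phishing site forwards the real challenge,
    but the browser signs it under the phishing origin, so the real site rejects it."""
    challenge = os.urandom(32)
    sig = device_sign(device_key, challenge, PHISH_ORIGIN)
    return server_verify(device_key, challenge, REAL_ORIGIN, sig)


def device_key_legit_login(device_key: bytes) -> bool:
    """Control case: the user really is on the real site."""
    challenge = os.urandom(32)
    sig = device_sign(device_key, challenge, REAL_ORIGIN)
    return server_verify(device_key, challenge, REAL_ORIGIN, sig)
```

The TOTP secret used in the checks below is the RFC 4226 test-vector key, so the HOTP values can be compared against the RFC. Note what the device-key scheme does and does not buy: it defeats credential relay, but a session token issued after a successful login is still a bearer token, which is the separate problem the earlier post raised.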