Google Hacked, May Pull Out of China
D H NG writes "Following a sophisticated attack on Google infrastructure originating from China late last year, Google has decided to take 'a new approach' to China. In their investigation, Google found that more than 20 large companies had been infiltrated and dozens of Chinese human rights activists' Gmail accounts had been compromised. Google has decided to 'review the feasibility of [its] business operations in China,' no longer censoring results in Google.cn, and if necessary, to 'shut down Google.cn, and potentially [Google's] offices in China.'"
Google, FTW!!! (Score:3, Informative)
This is as close to "do no evil" as they have come in years. Way to grow some balls Google!
Re:So what will happen in practice? (Score:5, Informative)
What? The URL string is not available over an SSL connection. Here's a transcript, including headers, of an HTTPS request.
AW#$GAWE$gae3gtraweRGEGaergaweRGTawerGTAWERGTW#trgse3ryg35g
You get the idea. No URI string available. All they could detect is the destination server.
Re:So what will happen in practice? (Score:4, Informative)
Not true. The secure connection is established before the HTTP request (containing the URL) is transmitted.
For added irony, I'll refer you to Google.cn [google.cn] for an explanation.
Re:Google, FTW!!! (Score:2, Informative)
This is as close to "do no evil" as they have come in years. Way to grow some balls Google!
What do you think it would take to get people to quit using that "do no evil" crap? That's a pull quote from the Hippocratic Oath.
Google's motto is "Don't be evil" -- there's a big difference.
The government still controls the .cn TLD (Score:4, Informative)
The government still controls the .cn TLD, and they could take over the domain or remove it from the root zone at a whim.
Re:I want access to my logs (Score:5, Informative)
Re:Free trade of ideas, anyone? (Score:5, Informative)
The scary thing is, it is essentially impossible for a foreign company to do business in China without bribes, even a small company. The Rio Tinto case wasn't publicized much in the mainstream media (at least in the US), but it was fairly well covered in the Wall Street Journal, and I guarantee executives of a lot of companies paid attention. Being arrested in China because the government doesn't like you is a risk that can outweigh a huge profit margin.
I would honestly suggest that if you are considering outsourcing to China, that you do it instead to India or Eastern Europe, because the unknowns are much smaller.
Google NOT hacked! (Score:1, Informative)
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html [blogspot.com]
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.
Get the headline right. It was an attempt, but as usual hacking Google was not successful.
Re:And the lesson is... (Score:3, Informative)
Yes. In hindsight, this is all very clear. However, there is a benefit to giving the benefit of the doubt early on: you are positively certain that you did what could be done, and the only option left is stop negotiating amicably. Google now can point to past behavior and say: You're not holding up your end of the bargain. We did. Until we see some change from you, we will ignore your requests. This is a fairly significant position change in negotiations, as you're basically saying that the other party lost all its soft leverage.
There is a similar argument being made in regards to Chamberlain: if he wouldn't have gone the appeasement route first, would the US have actually gotten involved in the War? If it wasn't so blatantly obvious to even the most peaceful of doves that there was no negotiating with Hitler, would the US have been as dedicated to crushing Hitler? Remember that there were plenty of people in the US advocating an isolationist position with regards to Europe, right up until '41.
Failed negotiations are still valuable, because they demonstrate the failure of negotiations.
Re:Free trade of ideas, anyone? (Score:3, Informative)
Re:Free trade of ideas, anyone? (Score:4, Informative)
According to the New York Times (http://www.nytimes.com/2010/01/13/world/asia/13beijing.html):
Google did not publicly link the Chinese government to the cyber attack, but people with knowledge of Google’s investigation said they had enough evidence to justify its actions.
So I think it's a matter of the Chinese government seeking to uncover the identities of human rights activists by actively attacking Google's and other people's corporate network.
Re:Google NOT hacked! (Score:3, Informative)
The subject lines of a few emails may very well be enough proof to result in certain human rights activists' disappearance. Consider:
Fw: Re: increasing world awareness of china govt crimes against humanity
Google was hacked, Mr. Coward.
Re:Google, FTW!!! (Score:5, Informative)
http://www.google.cn/search?hl=zh-CN&source=hp&q=tianamen+square+massacre [google.cn] currently gives 1,350,000 results. If it's also doing that on the other side of the great firewall of China, then they have already done something BIG.
Re:Is it? (Score:5, Informative)
When google goes (and with that youtube etc etc) it will be noticed far more clearly than some dissident being locked up.
I don't know that Google will be missed as much as you think it will be, and foreign websites disappearing from the Chinese internet is a regular enough occurrence that it hardly rates a mention anymore.
YouTube has been gone (blocked) for a year+ now. Same with Facebook, which was blocked just as it was achieving some popularity in China. The average Chinese person doesn't use Google, YouTube or Facebook. They use the local versions: Baidu, Youku and Kaixinwang.
That said, I would prefer to see Google stay in China, even with a little bit of censorship. The Chinese internet is already so disconnected from the internet that we know, but having a player like Google is at least a small bridge over the divide.
Re:Free trade of ideas, anyone? (Score:3, Informative)
Don't forget China's population is 4,3 times that of the USA. That still makes an interesting market when you consider that there are always richer people in any population. Granted, it would constitute a smaller market than the USA but still a larger market than many other countries.
Re:Free trade of ideas, anyone? (Score:3, Informative)
The ads are almost always localized and hence also have different click prices in different countries, based on competition. That's why the per capita GDP doesn't matter as much, it's all just scaled down lower. You also have to remember that Google needs to crawl all those websites anyway, and they don't have to do it in China. Also Google can almost endlessly optimize their ad systems for different markets. Not profitable enough? Show more ads or try to raise click prices in China until it's profitable enough.
The only thing that matters is that if Google doesn't understand how Chinese market and culture work and how people have got used to things, which can be quite different from US and Europe.
Re:So what will happen in practice? (Score:2, Informative)
No, SSL is not vulnerable to man-in-the-middle attacks. The attack you describe only works as an attack on the certificate authority itself. It can only work if the Chinese government possesses the private keys of a CA which is in the default "trusted" list of the user's web browser. If the user knows which CA is compromised in this way, they can remove that CA from their trusted list and the attack will no longer work.
Do you know if any Chinese CAs come preinstalled in popular browsers? I don't think they do.
Re:So what will happen in practice? (Score:5, Informative)
So, what the parent proposed is this... you have a router that pretends to be an HTTPS server between you and https://www.bank.com./ [www.bank.com] So, when you connect to the website, you're actually negotiating an SSL session with the router while the router negotiates another SSL session with www.bank.com.
This sounds all well and dandy.. except, how can the router in between convince your browser that it isn't really the bank's website?
So the parent's argument is... the organization who owns the router, controls the CA who signed www.bank.com's certificate too. However, even this would give you problems...
Add in the fact that you have plenty of people in China who have found ways to bypass the GFW, and that browsers seeing different fingerprints from the same website's certificates would give out red warning screens, your scheme is already not working well.
Next, it's about the CAs themselves. Every major OS and browser comes with a list of trusted CAs. Do you see many Chinese names there? No? And seeing Green Dam's PR disaster - if the Chinese government bothers to "coerce" foreign CAs to give them private keys, you can guess what the response is.
So, the reality is, even the Chinese government has no way of pulling out the already imperfect man-in-the-middle I described above. Yes, they can still give you a website with a different CA and probably with a self-signed cert, but again any sensible browser would jump up and down about it, which is definitely a strong motivator for anyone interested in privacy to somehow get foreign VPN access or simply just go to a Tor-like network.
Next common question... the textbook version of DH can be man-in-the-middled. While it is theoretically possible to MITM basic non-authenticated Diffie-Hellman without touching all the cert related stuff, it's not really practical since anonymous Diffie-Hellman is disabled by most web servers (e.g. the !ADH SSL cipher suite option in default Apache config) and I think most modern browsers wouldn't allow it anyway. What most real web servers do during SSL key exchange these days is either fixed DH or ephemeral DH, which aren't known to be susceptible to MITM unless the authentication in question isn't meaningful (e.g. self-signed certs, again, which is guaranteed to give you browser warnings)
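The comment above contrasts anonymous Diffie-Hellman with an exchange where the server's key is authenticated. The following is an added example, not part of the thread: it runs both cases through an on-path relay that swaps public values. The toy group, the function names, and the use of a pinned fingerprint as a stand-in for a CA-signed certificate are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: 2**127 - 1 is prime but far too
# small for real use. Real servers use 2048-bit groups or elliptic curves.
P = 2**127 - 1
G = 3


def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()


def handshake(server, relay=None, trusted_fp=None):
    """One key exchange between a fresh client and `server` (priv, pub).

    relay      -- (priv, pub) of an on-path device that replaces each side's
                  public value with its own, or None for a direct connection.
    trusted_fp -- fingerprint of the server's public value that the client
                  learned out of band (stand-in for a CA-signed certificate),
                  or None for anonymous DH.
    """
    c_priv, c_pub = keypair()
    s_priv, s_pub = server
    to_client = relay[1] if relay else s_pub     # what the client receives
    to_server = relay[1] if relay else c_pub     # what the server receives

    if trusted_fp is not None and fingerprint(to_client) != trusted_fp:
        return {"aborted": True}                 # the browser's red warning

    result = {
        "aborted": False,
        "client_key": session_key(c_priv, to_client),
        "server_key": session_key(s_priv, to_server),
    }
    if relay:
        # Keys the relay shares with each side; matching them means it can
        # read and re-encrypt everything without either side noticing.
        result["relay_keys"] = (session_key(relay[0], c_pub),
                                session_key(relay[0], s_pub))
    return result


if __name__ == "__main__":
    server, relay = keypair(), keypair()
    print("anonymous DH via relay:", handshake(server, relay)["aborted"])
    print("authenticated via relay:",
          handshake(server, relay, fingerprint(server[1]))["aborted"])
```

Without a trusted fingerprint the exchange completes and the two ends hold different keys, each shared with the relay; with one, the client aborts before deriving any key.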
Re:What's the impact? (Score:3, Informative)
It is already happening: Youtube, Facebook, Dailymotion, Google groups, Twitter, Blogspot and others are all blocked. The educated Chinese who went abroad already know the extent of the censorship, but what can they do?
Re:Is it? (Score:2, Informative)
Double standards ? (Score:4, Informative)
Google appears to be a proud protector of the gmail accounts of China's Human Rights activists, when it says that "Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.".
Is this the same Google which hands over IP addresses of activists to Indian Police [techgoss.com]?
What about Google Sets Censorship Precedent In India [slashdot.org]?
Mumbai Cyber Sleuths are a law unto themselves, ordering Americans around: Mumbai Police Order American to delete Cartoon [chillingeffects.org]
Why does Google co-operate so tamely with Mumbai Cyber police? Why did Google hand over IPs in 2007 [nartv.org] entangling an innocent man in the Police web?
And yet talk of Human Rights in China? Don't the Indians have Human Rights too?
Re:culture is an addendum to humanity (Score:3, Informative)
You're missing a key concept: the idea that the group, and, more importantly, the nation, is more important than the individual. Remember the story of the guy who fell/jumped into a Panda bear enclosure in China, and got mauled as a result? In the US, the guy would be suing the zoo. In China, the guy apologized for having disturbed the bear, and said that it was an honor to have been mauled by a national icon.
Crazy, right? No. That's par for the course in China.
I do strongly believe that the reason the West kicked China's butt at the turn of the last century was because we had the Enlightenment period, and its huge growth spurts, behind us. However, that has no bearing on whether human rights declared in the human rights charter are fundamental or not. After all, even in the US, people are quite happy to suspend human rights if someone is suspected of being a terrorist.
Re:Free trade of ideas, anyone? (Score:5, Informative)
Hell look at the current debacle with Cadmium. One of the excuses given that it's even used is that jewelry made of it is usually marked for sale only in China. At least people here have the ability to find out in retrospect lil-Jamie's necklace you gave her for X-Mas impairs brain function. In China that junk is sold all over without someone even thinking about it.
I travel to China frequently, and see this kind of thing happening all over. Market of over a billion my ass. More like market of just over a billion waiting to see what they can copy next.
Re:Guess what Baidu has already censored? (Score:5, Informative)
Re:Free trade of ideas, anyone? (Score:2, Informative)
You might want to read Google's Blog post about the introduction of google.cn: http://googleblog.blogspot.com/2006/02/testimony-internet-in-china.html [blogspot.com]
The short of it is that since google.com wasn't self-filtering, the government was filtering at the border, which led to slow and unreliable service, in addition to the filtering. Google decided that on the whole, it was better to provide an additional filtered local (and thus reliable) service than to leave the Chinese with only a service that didn't work well (from the user's standpoint). And since it was additional, they didn't take away anything.
That, and it was good for business.
From the 2006 post, edited for length:
[In the fall of 2002, Google suddenly became completely unreachable from within China. Google did nothing, and about two weeks later, it could be reached again.]
However, we soon discovered new problems. Many queries, especially politically sensitive queries, were not making it through to Google’s servers. And access became often slow and unreliable, meaning that our service in China was not something we felt proud of. Even though we weren’t doing any self-censorship, our results were being filtered anyway, and our service was being actively degraded on top of that. Indeed, at some times users were even being redirected to local Chinese search engines. Nevertheless, we continued to offer our service from outside China while other Internet companies were entering China and building operations there.
[much later in the testimony]
Since 2000, Google has been offering a Chinese-language version of Google.com, designed to make Google just as easy, intuitive, and useful to Chinese-speaking users worldwide as it is for speakers of English. Within China, however, Google.com has proven to be both slow and unreliable. Indeed, Google’s users in China struggle with a service that is often unavailable. According to our measurements, Google.com appears to be unreachable around 10% of the time. Even when Chinese users can get to Google.com, the website is slow (sometimes painfully so, and nearly always slower than our local competitors), and sometimes produces results that, when clicked on, stall out the user’s browser. The net result is a bad user experience for those in China.
The cause of the slowness and unreliability appears to be, in large measure, the extensive filtering performed by China’s licensed Internet Service Providers (ISPs). ... China has nine licensed international gateway data carriers, and many hundreds of smaller local ISPs. Each ISP is legally obligated to implement its own filtering mechanisms, leading to diverse and sometimes inconsistent outcomes across the network at any given moment. For example, some of Google’s services appear to be unavailable to Chinese users nearly always, including Google News, the Google cache..., and Blogspot... . Other services, such as Google Image Search, can be reached about half the time. Still others, such as Google.com, Froogle, and Google Maps, are unavailable only around 10% of the time.
Even when Google is reachable, the data indicates that we are almost always slower than our local competitors. Third-party measurements of latency ... suggest that the average total time to download a Google webpage is more than seven times slower than for Baidu, the leading Chinese search engine.
Based on our analysis of the available data, we believe that the filtering performed by the international gateway ISPs is far more disruptive to our services than that performed by smaller local ISPs. Because Google’s servers have, to date, been located exclusively outside China, all traffic to and from Google must traverse at least one of China’s international gateway ISPs. Accordingly, Google’s access problems can only be s
Re:Stereotype (Score:5, Informative)
Thanks to the Internet, we Chinese people these days could get this information easier than before. We know about these things like the Tienanmen event, etc. Well, we have some places to share this information (p2p rocks, doesn't it?). As far as I know, most students in my college have knowledge of what happened those years, and sometimes we chat about that.
Admittedly, there is the GFW trying to block some websites. But in the age of the Internet, there is really nothing that could block us from the facts.
Re:Free trade of ideas, anyone? (Score:4, Informative)
Re:Is it? (Score:3, Informative)
Google as a search engine is not particularly interesting to the ordinary citizen in China.
I don't know enough about google's presence in China from their corporate perspective, but from the perspective of someone who lived in China and who works with many Chinese, much more importantly than their google.com, are their backend tools, their technical abilities, their industrial and commercial applications. And I think that is where the strife is taking place, not with the public at large.
While I lived over there I introduced a lot of my friends to gmail and gchat. They provided a means out of the Chinese ecosystem through which they could communicate with friends/others around the world. They liked those tools. I think google's decision may in fact affect mostly those people who are in the know, and have less effect on those who toe the common line.
Re:Guess what Baidu has already censored? (Score:4, Informative)
Same for googleblog.blogspot.com
Probable reason: "At the time we made clear that 'we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.'"
Re:Free trade of ideas, anyone? (Score:3, Informative)
1. Almost all glaciers are receding precipitously [nasa.gov] due to AGW, the slashdot article you point to is about the fact that Himalayan glaciers are retreating at a faster rate due to soot. The effect of soot on ice [google.com.au] has been well documented over the last 50yrs.
2. Your magic eight ball is more informative than Anthony Watts. Watts is either a propagandist or a crank [slashdot.org].
3. The world is not heading into 30 years of mini-ice age [youtube.com].
4. There will always be cold spells [youtube.com].
However I agree with your conclusion, the IPCC has been pointing out for over a decade now that the deltas in southern China, India and Bangladesh which currently support well over a billion people are "toast". I doubt the rest of the world will suddenly forget nationalism and allow those people to simply "get out of Dodge".
Re:Free trade of ideas, anyone? (Score:2, Informative)
According to this site: http://www.internetworldstats.com/asia.htm [internetworldstats.com], roughly 360,000,000 citizens have access to internet of which 83,366,000 have broadband.
Even though it's not a billion, 360 million is still a very big audience.
Re:Google, FTW!!! (Score:3, Informative)
http://www.google.cn/search?hl=zh-CN&source=hp&q=tianamen+square+massacre [google.cn] currently gives 1,350,000 results. If it's also doing that on the other side of the great firewall of China, then they have already done something BIG.
Ok, now try that with the right spelling of "tiananmen", and you'll see that there's only 41,000 results left... (Not to mention that the most effective part of the Great Firewall is the automatic connection reset for clients where this sort of string is detected in the traffic - which of course only happens inside of China.)
Re:Guess what Baidu has already censored? (Score:2, Informative)
That's not Baidu, that's the Great Firewall. Try it with any Chinese web site and a dodgy phrase, e.g. http://www.petrochina.com.cn/falungong [petrochina.com.cn] and you will be locked out of that web site for a few minutes.
Re:Stereotype (Score:3, Informative)
Thanks for taking the time to post that.