Does China's Cyber Offense Obscure Woeful Defense?
Gunkerty Jeb writes "The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
Cyber war (Score:1, Offtopic)
Re: (Score:2)
So what you mean roundeye, pirated XP machines no good security?
Yu Dum.
Re: (Score:1)
On that topic, I ran a vanilla XP (no service packs) until 2008. Zero virii.
Firewall + anti-virus + only 3 users, all of whom weren't computer illiterate.
Often it's not the OS, it's the users or admin. That said, on an office machine, updates would be pretty much mandatory. But then, with a huge amount of machines, wouldn't it be more sensible for China to fork their own Linux distro for government usage?
Re: (Score:2)
On that topic, I ran a vanilla XP (no service packs) until 2008. Zero virii.
I'm sorry, I not familiar with these hard english words like that. What is a "virii"? It isn't anything that I've ever heard of before.
Back on topic, did that computer get any viruses?
Re: (Score:2)
Hence, firewall that stealths all ports and doesn't allow any software you haven't specifically OK'd out.
Re: (Score:2)
Step one: do not use IE for anything other than company/personal intranet. Block it on software firewall level from accessing anything else.
Step two: Install Firefox.
Step three: Install the following add-ons: Adblock+, NoScript. Properly white-list things you need.
Step four: Sandbox your browser if paranoid (sandboxie etc).
Step five: Avoid visiting shoddy sites.
You can never make a possibility of infection zero without rendering your machine completely autistic, just as you cannot totally nullify a risk of
And this is why... (Score:1)
...the US government is keeping mostly mum about the threats coming over from China. That and they want to keep getting their money.
Re:And this is why... (Score:5, Insightful)
What, the 6% of our debt they own?
About the same amount the Japanese own.
Where does this "The Chinese own the US" myth come from?
Re:And this is why... (Score:5, Insightful)
From the interpretation that sensationalist news services give to the words of scaremonger politicians.
Re: (Score:3)
And if people stopped being scared for a moment and thought (which they won't), they'd realize exactly who has whom by the proverbial short hairs on the debt issue. China doesn't want to undermine our ability to pay, say by totally cutting off cash to fund our *deficit* (a different but obviously related issue). They can turn down the cash spigot and make us hurt, but not *too* much, and it'd probably be for our own long term good.
Re: (Score:3)
It might be the rate at which they're acquiring our debts.
Re: (Score:3)
http://en.wikipedia.org/wiki/United_States_public_debt#Foreign_ownership [wikipedia.org]
Is a good starting point. Basically 25% of our debt is in foreign hands, 23% of that the Chinese own. This means they own about 6% of the total US federal debt.
Re: (Score:2)
Anonymous coward with a "fact" and no source.
Quick, someone needs to mod this guy informative.
Sure about that? (Score:1)
Basically 25% of our debt is in foreign hands, 23% of that the Chinese own. This means they own about 6% of the total US federal debt.
Err..
Re: (Score:2)
I honestly had not seen that addition.
I only knew the 2007 numbers.
Re: (Score:1)
Funny. I looked at the same article.
1,160.1, estimated, as of December 2010.
The debt at the end of 2010 was listed as 13,529.
Divide one into the other and you get 8.6%
A bit larger than 6%.
Re: (Score:2)
Seems to be correct sir.
Of course if you don't want higher taxes on the wealthy this is the price you pay. Either we tax them or we devalue the currency, when they are the ones making the campaign contributions this is what you see.
Re: (Score:2)
Where does this "The Chinese own the US" myth come from?
From the same place that "The Japanese own the US" myth came from in the 80's... Ironically the British owned the most US assets followed by the Dutch then the Japanese in the 80's... I have no idea who owns what in what capacity these days.
Re: (Score:3, Informative)
http://www.treasury.gov/resource-center/data-chart-center/tic/Documents/mfh.txt
I'd say the amount China owns is substantial. I'm against sensationalism as much as the next guy but a trillion dollars held by a foreign country is a shitload no matter how you slice it. Sure Japan has over 75% as much as China but there is a HUGE drop off after that. If we're going to say Japan owns almost as much as China to downplay foreign debt, we should also say Japan and China hold almost as much US debt as
Re:And this is why... (Score:4, Insightful)
Well, they own all your factories.
Re: (Score:2)
Probably from their currency manipulation schemes that lower the value of their currency (and, in turn, lower the cost to buy their goods). That scheme subsidizes Americans more than any debt ownership. Still, we're mutually dependent, I'm not worried about them.
Re: (Score:2)
Probably from their currency manipulation schemes that lower the value of their currency (and, in turn, lower the cost to buy their goods). That scheme subsidizes Americans more than any debt ownership. Still, we're mutually dependent, I'm not worried about them.
While China does something to work itself out [indiatimes.com] from the "mutual dependency" with US, what is US doing (or even able to do)?
Re: (Score:1)
I don't know about your numbers, but I do know that there is beginning to be a ... well what appears to be a planned and deliberate media attack against China. Yes I know China appears scary because they have grabbed so much power so quickly and they really do not have the finesse to know how to use it, work with it or manage it effectively, but they are in an accrual phase anyway.
Case 1 for me was the frenzy last weekend about the "Chinese church stopped from having Easter services". This was sheer BS. The
Re: (Score:2)
I disagree about it being US propaganda, because the US can royally lose and lose big in a pissing contest these days. China can do three things in less than 24 hours to royally fsck the US and her economy:
1: Allow the yuan to trade freely.
2: Push for a "currency basket", or have oil be traded by the yuan.
3: Start arming countries or factions that don't like the US. For example, if the Taliban started getting access to UCAVs from a mysterious source. Or Ahmadinejad showing off his new technology of ICB
Re: (Score:3)
And price Chinese manufactured goods out of reach? Yeah, that would fsck the US economy. It would fsck the Chinese economy a whole lot more.
#1 is a precondition to this.
Re: (Score:2)
Been there and done that, during the Cold War. That wouldn't royally fsck the US economy by any means.
Last time, the US was very successful at it. For every dollar the US spent in Afghanistan, the Russians needed to spend a hundred dollars. A stinger missile is a lot cheaper than a helicopter. The massive overexpenditure on the military is usually held up as one of the main reasons for the fall of the USSR. The Star Wars program also helped this - it didn't work as a defence shield, but the Soviets thought it did, so they thought that they needed ten times as many ICBMs to ensure that enough got through
Re: (Score:2)
The Chinese can't allow the yuan to trade freely. Their economy is heavily dependent upon exports, if they were to allow the yuan to strengthen they'd have to completely redo their economic policy, hence why they refuse to do it. Remember that even with the growth of their economy, they still don't have enough to go around, and that's assuming that they allowed the rural workers to get a piece of it.
Re: (Score:2)
China is no longer a communist nation, it is a corporate fascist nation. An autocracy largely run for the benefit and ego of those at the top.
They intrinsically will do nothing that threatens the power and wealth of those at the top. Of course those at the top will use the power of the Government of China for their personal advantage mainly locally but also more internationally in the future.
Corporate wars are very likely to have a made in China origin. Executive corruption, blackmail and even eliminat
Really? (Score:2)
The official line in Washington D.C. is that there's a new Cold War brewing
Since when?
Revised story (Score:5, Funny)
The official line in Washington D.C. is that there's a new Cold War brewing
The official line from Fox News is that there's a new Cold War brewing
Re: (Score:1)
Yeah, but it's the fox news office with the white house in the background.
Re: (Score:2)
The official line from Fox News is that there's a new Cold War brewing
The official line from Fox is we have always had a cold war with Eastasia.
Re: (Score:1)
The official line in Washington D.C. is that there's a new Cold War brewing
Citation needed. Oh wait. It's in the summary. You can make up whatever bullsh#t you like. Nevermind.
Retaliation? (Score:2)
Re:Retaliation? (Score:5, Interesting)
TFA answers your question:
A lot of what is running in China is developed in-house by Chinese firms. They're not using Western products or open source platforms, because they don't trust them or they're worried that someone might put a back door into them.
So they are rebuilding from the ground up without taking advice from other people who have tried it. Eliminates back doors (unless your own coders are putting them in) but it seems the front door is wide open...
Re:Retaliation? (Score:4, Insightful)
I wonder why China never thought of securing their systems more tightly. Surely they must have realized that retaliation would come their way at some point, no? I mean, aside from the fact secure systems are usually preferable to ones that are not...
Quite so. It is also worth noting that we have never actually seen anything that looks like evidence for the Chinese state organising "cyberattacks" on the US - all we have to go on is allegations spread on places like /. in the form of rumours.
Can it really have escaped anybody's attention that it is extremely easy to spread false rumours, especially on the internet, and it is extremely easy to spoof the origins of any attack?
And how can anybody credit a tall tale about some anonymous source "knowing" that some "Chinese secret service" is orchestrating hacker attacks? Is that really all that likely - a guy sits in his parents' garage and just knows this? What happened to simple, common sense and critical thinking? I mean, with Wikileaks you have documents - Mr. Assange doesn't go around saying "somebody told me ...", does he?
Until this kind of accusation is accompanied by sound references, I can't regard it as more than an attempt to poison the well.
Re: (Score:2)
It is also worth noting that we have never actually seen anything that looks like evidence for the Chinese state organising "cyberattacks"
Of course not. It could just be a total coincidence that all the top known Chinese hackers just happen to be employed by the government [thedarkvisitor.com] in some capacity.
Re: (Score:2)
When you have enough indications that a thing is happening, that thing eventually becomes the sensible assumption, and the burden of proof switches to those who want to deny it.
The danger of this view, as I am sure you realise, is that it is so easy to whip up a lot of "indications" without ever saying anything explicitly. And there is no lack of groups and individuals who for whatever reason see their advantage in doing so.
It is the same in every country - America has a large number of 'patriots' who play with vigilante activism, and there is no reason to think that China doesn't have its share of morons too. You know how easy it is to organise cyber attacks, and it is only a sh
Re: (Score:3)
I wonder why China never thought of securing their systems more tightly. Surely they must have realized that retaliation would come their way at some point, no? I mean, aside from the fact secure systems are usually preferable to ones that are not...
That might be related to their lack of confidence in their enemies' ability to attack. Alternatively, they might be considering it like nuclear warfare, in that there's no way to do a perfect job, so the threat of retaliation is more potent. Therefore, they're focusing all resources on aggression.
Additionally, everything is built in-house (for a very large "house"), so they have some security-through-obscurity for the items that aren't just forked F/OSS projects. If I were them, I'd lull other nations
Re: (Score:3)
More tightly than what? The article says the US is as bad or worse. There are no large, well-secured networks. It has never been demonstrated that it is even remotely feasible to do such a thing. Day after day we see these articles about security issues, and everybody saying, "how could this happen?" as if vulnerabilities were avoidable and abnormal, in the absence of any evidence that this is the case.
Re: (Score:3)
There are no large, well-secured networks.
Actually we have multiple large VERY well secured networks. The drawback is that they're only used by government agencies for transmission of classified data and not by our general infrastructure/industry. To my knowledge those have never been victim to attack except by insiders. It would be nice if we had kind of a "yellow" network in between the "green" wild west level and "red" classified networks for use on power grids and the like.
Lessons from football (Score:2)
"Best defense is a good offense"
If you can attack them quick and well enough, they won't have any non compromised systems left to come back at you. :)
Re: (Score:2)
But "Defense wins Championships."
Re: (Score:2)
Yeah well, but the Referee System seems to have been compromised... :P
Re: (Score:2)
I vaguely remember a super bowl from the early 2000's where the Baltimore Ravens defense pretty much -was- the game. They did their job and the offense's job and won the Superbowl all by themselves.
Wikipedia says it was superbowl XXXV, and Ray Lewis (a linebacker!) was named superbowl MVP, if you want an idea just how dominant that D was. All 16 of the Giants possessions ended with punts or interceptions.
Re: (Score:2)
Spend some time with one of the head coach games. You can get head coach 09 used for like $5 now, and it's a tremendous game. It will tickle all your favorite nerd micromanagement strategy places, while simultaneously giving you an appreciation for football.
Don't be too sure (Score:1)
and then the us can bill china 1B for his death (Score:2)
and then the usa can bill china 1B for his death.
I miss the cold war (Score:2)
"everything on the server was running as root" (Score:2)
Another example is China's National University of Defense Technology. They had a bunch of Web servers that weren't using SSL or HTTPS
This is basic stuff...good lord are they bad.
I'd estimate that 40% of logins are user name and either all numerical or all lowercase passwords. There are no hash or space characters.
I'm just going to stop here.
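One defender-side check for the "everything on the server was running as root" finding quoted above, as an added example that is not part of the original thread or the article: it reads Linux `/proc/net/tcp`-format text and reports listening TCP sockets owned by uid 0. The sample input is constructed, the function names are hypothetical, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not data from the article).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0F00000A:0016 1400000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 44444 2 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # kernel state code for LISTEN


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_quad, port).

    Assumption: little-endian host (x86/ARM), where the kernel prints the
    IPv4 address as a byte-swapped 32-bit hex value.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def root_listeners(proc_net_tcp):
    """Return (address, port, exposed) for each LISTEN socket owned by uid 0.

    The uid column is the owner of the socket when it was created. A daemon
    that binds as root and then drops privileges still shows uid 0, so each
    hit is a lead to review, not proof that the service runs as root.
    """
    findings = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a socket row.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        state, uid = fields[3], int(fields[7])
        if state != TCP_LISTEN or uid != 0:
            continue
        addr, port = decode_endpoint(fields[1])
        exposed = not addr.startswith("127.")  # bound beyond loopback
        findings.append((addr, port, exposed))
    return findings


if __name__ == "__main__":
    for addr, port, exposed in root_listeners(SAMPLE_PROC_NET_TCP):
        scope = "network-reachable" if exposed else "loopback only"
        print(f"root-owned listener {addr}:{port} ({scope})")
```

On a live Linux host the same function can be fed the contents of `/proc/net/tcp`; IPv6 listeners live in `/proc/net/tcp6` and use a different address width that this sketch does not decode.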
MicroSoft Security is US gift to the world (Score:4, Interesting)
Re:MicroSoft Security ?? is US gift = poison (Score:2)
and it got only one Trojan within one year of operation
in contrast to a European and US version!
Re:MicroSoft Security?? is US gift = poison (Score:2)
-
It caught 1 Trojan over three years of operation
in contrast to a European and a US copy of XP
Re: (Score:2)
Premise: Trojans try to make themselves really obvious so I can easily spot them and remove them.
Observation: I've never noticed a trojan in my system.
Conclusion: I've never had a trojan in my system.
Re: (Score:2)
Stuxnet included !
China doesn't need as much defense as the West... (Score:1)
This sounds crazy, but why does China need to put effort into as much defense as other places?
If one thinks about it, they really don't have much to lose, compared to American or European businesses. Militarily, China may have trade rivals, but no true enemies. They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
Because China really has no world enemies, combined with the fact that their IP is already known to others, a
Re: (Score:3)
They have no terrorist groups wanting to level Shanghai, there is no such thing as an Al-Qaeda like threat to the PRC in any shape or form.
The Uyghurs are trying. They aren't half the threat that the PRC makes them out to be (the same could be said for Al-Qaeda), but they are still a threat and they still do blow stuff up and kill people.
Re: (Score:1)
"The Uyghurs" are trying? As an entire race? Really?
If anyone here says something along the lines of "the Muslims are trying to level NYC" they'd be buried. Rightfully.
The feeling is mutual (Score:1)
well, no one is really prepared (Score:2)
"the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."
I don't think anyone is, or even can be, prepared to fend off large-scale "cyber attacks".
If there's one thing that you can rely on, it's that big organizations are always several years behind on implementing new technology in a large scale. Sure, the NSA etc might be doing cutting edge security research and stuff, but how long does it take to get defences against new attacks actually implemented across the re
Re: (Score:2)
Yep - physical isolation. That's what has protected the Iranian nuclear program's computer so thoroughly :)
Re: (Score:1)
Just imagine what would have happened if those machines had had direct internet access....
Meaningful security does not imply complete security. The fact that the machines were depending solely on the airgap (which was bridged by unsecured USB keys) for security wasn't all that good either. They needed ACLs and a locked down system at minimum.
Rosetta Stone? (Score:1)
China CERT? (Score:1)
USA Infrastructure (Score:1)
I'd be interested to see how well prepared our (USA) infrastructure is.
Let me guess...
In truth I doubt either government is prepared (Score:2)
It has already started (Score:2)
It's a trap! (Score:2)
Their firewall is fully operational!
Good. (Score:1)
I was at Google when the Chinese attacked, and I felt personally violated. I would be more than happy to see the favor returned.
And anyone who doesn't think it was actually the Chinese intelligence agency that mounted that attack against Google is a victim of wishful thinking.
Propaganda News Reporting? (Score:1)
Re: (Score:2)
The cyberwar hype exists to sell juicy defense contracts to supply snake oil. That's it. That's the whole "threat".
Story avoids saying the bloody obvious (Score:2)
That there is not and never has been a credible threat from China on this. That the entire purpose of the cyberwar hype is to generate juicy defense contracts selling snake oil to the government. Your taxes at work.
Maybe (Score:2)
I don't think there's been much discussion of China's vulnerability, mainly because their society seems so much less DEPENDENT on tech than the West (particularly the US).
To pick a superficial example:
- person A has a top of the line firewall, and orders all their groceries online every other day
- person B has a garden and farm animals.
Clearly, person A has far better 'defenses' than person B, but who's really more vulnerable?