93 comments

[ 5.0 ms ] story [ 112 ms ] thread
> Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers

Out of curiosity, I wonder who directed the NSA to attack Chinese computers?

And on that note, are choices like these autocratic top-down decisions, with each attack approved by those leading the NSA, or is it run-of-the-mill, and done without explicit authorization per target by each team? Or are teams separated by target?
I'd imagine it's just the digital extension of an historically ongoing effort to collect anything that could be used as leverage in a conflict, if and when one happens.
Even though the NSA-style attack was conducted by Chinese hackers in March 2016 (comfortably before the Shadow Brokers' leak of NSA tools in August 2016), it's possible that the tools were circulating outside the NSA earlier and thus used outside of NSA direction.

Edit: That was confusing. Basically, we don't know when exactly before Aug2016 the tools were leaked, so it could have been someone else probing the Chinese server.

After the Wikileaks Vault 7 releases, specifically the details about how Marble and Umbrage make it easy to implement a digital false-flag attack, I don't see how anyone can be certain of the identity of a sufficiently skilled attacker in the modern era. Any state security agency in any reasonably-advanced country likely has their own equivalents of the Marble and Umbrage tools at this point.

Was this attack from China? Was it from the US making it look like China to justify US economic and diplomatic retaliation? Was it from Germany looking to embarrass the US with a false-false-flag attack making it look like the US made a false-flag attack on China after the US spied on Merkel's phone conversations?

We could go down rabbit holes forever. Who can be completely trusted to speak openly, knowledgeably, and honestly on specific instances of attacks? Every last individual and organization in that world is neck-deep in their own agendas.

Who do you expect the NSA to attack? The French? (I know they probably do that too)

What do you think is NSA's mission?

How about you share your answers and we can compare notes.

Here's what I have.

https://www.nsa.gov/about/mission-values/

That page sounds like standard stuff that organizations put up. Based on James Clapper’s lies that the NSA didn’t collect telephone metadata on Americans, none of the points on that page seem to be truthful or respected.
>the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers

I don't understand the US's relationship with China. The above seems to possibly suggest some mild cold war scenario?

(comment deleted)
We are in an advanced persistent cold war with multiple Nations. I've always been curious just how aggressive the nsa's tailored access operations and other groups were in terms of attacking other nation-states.
I don't know how much foreign relationships or China-US policy you follow but when it comes to China-US, the term "Thucylides' Trap" gets thrown around a bit ( https://foreignpolicy.com/2017/06/09/the-thucydides-trap/ - a term coined by this guy: https://en.wikipedia.org/wiki/Graham_T._Allison )

Rivalry between a rising power and an existing superpower is inevitable. How it gets resolved though is not certain.

China is on track to overtake the US economically in a decade or two (if you consider PPP adjusted GDP they've already surpassed us). That have implications in other areas too -- strategic, diplomatic, cultural, etc. How will the US respond to this? Will we simply let it happen or will we stop it and perhaps violently? What will it mean for our agendas in different areas since China and the US don't share the same goals in many areas. What's especially frightening to me is that Xi seems to advocate a view that China's rise is a return to a historical greatness and that China is destined to dominate -- similar in some sense to the old "manifest destiny" idea of the US. Xi's idea is now enshrined into the Chinese constitution along side Mao's ideas. My view is on this rather bleak but I think the US needs allies more than ever. Ironically I think two equally matched powers are more likely to come to a peaceful coexistence than if one side perceives the other to be weaker. Maybe a new cold (or cool-ish) war isn't so bad compared to a hot war.

never in our modern history has an up and coming superpower wanted or desired the mantle of top superpower.

the UK was economically beneath the US a full 3 decades before the US actually decided they wanted to be the world leading superpower. almost two years in a world war, and after a massive attack by the japanese empire did the US finally took the reigns.

the reason for this is that the top global superpower needs to have an extensive network of diplomacy and military, things that come with huge costs domestically. when you’re top dog, everyone looks at you for guidance and rules.

Its important to point out that American entry into WW2 did not establish American hegemony, but only accelerated it. Roosevelt had been supplying Allied forces with Material for a long time before Japan bombed Pearl Harbor (from historical records, its pretty clear that the Japanese understood it was only a matter of time before the US entered the war and thus attacked pre-emptively).

The event that solidified US as the superpower was actually the Suez crisis, where the UK and French had to begrudgingly agree to American demands, making it clear who was the top dog.

Kind of reminds me of how Nintendo decided with the Wii not to compete with Sony and Microsoft on graphics and raw compute capabilities. By offering a machine that was much cheaper to manufacture than Sony or Microsoft, Nintendo was able to solidly occupy the #3 spot in the market (on graphics quality) without huge expenses on hardware development. They intentionally chose not to compete for first place because it was so much more cost effective not to.
That seems to presume a lot about superpower motivations.

I think a more realistic assessment is that there is a high degree of uncertainty in the relative balance of power between two nations, made worse by nationalism, ethnocentrism, and the tendency of charismatic leaders to believe their own hype. Peaceful, commerce-based regimes - the ones most likely to become economic superpowers - tend to be risk averse when it comes to pushing geopolitical boundaries, because war destroys the economic development that led to them becoming superpowers. Militaristic or fundamentalist regimes tend to be risk-embracing, because you don't come to power as a militaristic regime unless the populace believes they can win (a belief which is often distorted in fundamentalist or fascist regimes).

WW2 proved that the U.S. was light years ahead of Japan's industrial capacity. This was known to Japanese military officers who had visited the U.S, but the ruling cabal in Japan discounted their assessment as impossible. Similarly, Cold War propaganda (in both the U.S. and Russia) painted them both as roughly equal superpowers, but we learned after the Iron Curtain fell that the Soviet Union was never really an economic threat to the U.S. The U.S. may have passed the UK as an industrial superpower in WW1, but in the eyes of much of the world they were still an unknown quantity, enough that Japan directed simultaneous attacks on Hong Kong, Singapore, and Malaya at the same time as Pearl Harbor and the Philippines.

Its not clear what the ideological lines are though. With USSR, it was a very clear Capitalism v/s Communism ideological battle. Its not clear to me that the rivalry would escalate to the same levels as it did during the Cold War.

There is one thing that does give a lot of hope to me personally: the close economic relationship between the US and China has created a tight bond between the countries even if they are unwilling to admit it openly.

Its not inconceivable for world powers to co-exist in peace. There will be a lot more frontiers in the future that can be competed on without wanting to destroy one another.

Agreed, all other data points we have of the theuclydes traps did not have countries with as interconnected economies or cultures. Maybe I am over playing it a bit since I live in a densely Chinese populated area in US
There need not be an ideological conflict. Ideology was a mobilizing idea in the 20th century but has lost mindshare. France and Britain vied for centuries having similar societies and economies. There can be a tribal aspect to conflict, as well as simply a competition for the spoils of world dominance, which are many.
> Ideology was a mobilizing idea in the 20th century but has lost mindshare.

Ironic then that it is called the Thucydides trap then, since the ideological lines between Athens and Sparta were very stark indeed.

The "ideological" battle is largely just a matter of how conflict is packaged and sold to the general population, which doesn't have clear and obvious reasons to support empire building for its own sake. Such perceived conflicts are usually just pretense for the realpolitik, and can come and go as the empire's interests evolve.
Oh man. Your question really hits the nail on the head and what I think most people fail to realize about China's threat. China represents a form of capitalism divorced from democracy. Their message to the world is this: you can have a thriving, well-off authoritarian state at scale. We've had small successful authoritarian capitalistic states for a while now (Gulf States and Singapore). China is managing to do it at scale -- at Chinese scale at that. China is basically saying a model when people trade individual liberty and guaranteed human rights for security and prosperity is not only workable but even preferred. They're saying concentration of power in the hands of the few as long as those in power can give wealth and security to everyone else is the winning model. This to me is the real danger of China because of this allure of authoritarianism coupled with capitalism. I think people often forget that capitalism doesn't have to be tied to democracy and classical Western liberal ideas. There only needs to be just enough rule of law, property protection, and economic freedom for capitalism to flourish -- at least for the short term.
It's quite simple really: everyone is spying on everyone to further their own strategic interests.
So when the US hacked Angela Merkel's phone, it was also a mild cold war?
US sees China as incompatible partner, a competitor, and is quickly decoupling from China. It's already a cold war.

South China Sea: Chinese admiral wants to 'sink two US aircraft carriers'- https://www.news.com.au/technology/innovation/military/sink-...

Trump says tariffs on $200 billion of Chinese goods will increase to 25%. Additional tariffs on $350 billion goods as well - https://www.cnbc.com/2019/05/05/trump-says-tariffs-on-200-bi...

US accuses China of using 'concentration camps' against Muslim minority - https://www.theguardian.com/world/2019/may/04/us-accuses-chi...

Golly, who could have ever expected this? Hopefully everyone remembers this when authoritarians cry about needing backdoors in all of our encryption.
Do you think cybersecurity or ai is a better field to dive deeper into as a career/business field? I feel like in some ways ai has already been hyped up but cybersecurity tends to be quite niche in its demands?
Every company with valuable data is interested in computer security. I have never seen a shortage of positions for qualified candidates.

AI has way too much hype behind it. Deep learning is not the best solution for most business data problems.

Why only pick one?
Because one has limited time
But shouldn't you at least try both? They seem to me to be two very different things.
ackbar03 didn't seem to be asking about what to try, but about what to dedicate a career to.
I've already been dabbling in both but if Im to either start a business or pursue a career in a single field I feel it's probably going to require more more dedication to one thing, but thanks for the response
Cyber security has a much lower bar of entry, AI requires much more technical and theoretical knowledge to tackle.

Cyber Security can be anything form a SOC analyst who looks at system logs and monitoring systems to a cryptographer.

For the most part Cyber Security is as varied as IT itself.

AI on the other hand would require a very specific set of skills and theoretical knowledge and a very good grasp of mathematics the latter is where most people fail even if they know the maths without being a mathematician at heart and being able to use it essentially as a language you likely won’t get too far even with all of the abstractions deep learning frameworks provide.

This isn’t just because of the mathematical nature of deep learning but also because the applications themselves are also mathematically complex e.g. computer vision.

This is basically the equivalent of asking what should you do website development or signal processing as a developer these aren’t exactly on the same level.

So China ran a network sniffer and captured and reversed some 0day that the NSA lobbed at them? I'd be pretty surprised if this sort of thing didn't happen all the time in cyberwar, considering the NSA has a massive, worldwide sniffing operation and China has the GFW. I feel like this story is omitting some important fact that makes this a bigger deal.
Agree, this reminds me of a 'limited hangout' [0] where a small bit of the big story was released for people to talk about so that the real story never gets revealed.

[0] https://en.wikipedia.org/wiki/Limited_hangout

Lately this seems to be virtually every story related to “spygate” from the times. One persons “scoop” is another powerful person’s attempt to shape narrative.
The ufo conspiracies are an example of this. The government promoted ufo stories to distract from the real stories.
As an insider please let us know, what are the real stories?
"According to later estimates from CIA officials who worked on the U-2 project and the OXCART (SR-71, or Blackbird) project, over half of all UFO reports from the late 1950s through the 1960s were accounted for by manned reconnaissance flights (namely the U-2) over the United States. (45) This led the Air Force to make misleading and deceptive statements to the public in order to allay public fears and to protect an extraordinarily sensitive national security project. While perhaps justified, this deception added fuel to the later conspiracy theories and the coverup controversy of the 1970s. The percentage of what the Air Force considered unexplained UFO sightings fell to 5.9 percent in 1955 and to 4 percent in 1956. (46)"

Source: https://www.cia.gov/library/center-for-the-study-of-intellig...

Listened to their daily podcast today on my way to work. It was about China's spying on it citizens. It focused on the number and type of CCTV cameras they are exposed to - specifically license plate readers at intersections.

Not more than a mile later I passed an intersection with license plate readers for every lane in every direction. I seriously doubt there are strict controls on the police who have access to this data. But the article somehow suggested I should be worried about they spying China is doing.

Perhaps this is one of the few times evidence of it happening escaped to the public. That doesn't necessarily mean any particular powerful people wanted it to, they don't control everything; although it's possible, I agree.

Either way, as you say, it does seem like this probably happens frequently. It's the nature of the thing.

The article says "The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key."

But we know: of course you can't keep valuable software 'under lock and key', that's not how software works (at least not if it's intended to run on non-secure networks).

So that to me raises the question: Wouldn't it better for our national security if our well-funded military infosec aparatus were focused much more disproporationately on defense, instead of creating, perserving, and escalating available attacks? If the NSA knows about a 0day, how about they get it patched (so it can't be used against American and allied civilian networks, as it was in this story), instead of trying to keep it exploitable? I'd feel a lot safer if my tax dollars were used that way.

Ok, so Edward Snowden runs off with few terabytes of NSA data. He briefly stops in China, before finally going to Russia. Now NSA hacking tools are used against US and we are supposed to believe that "Chinese did not steal the code but captured it from an N.S.A. attack on their own computers".

Somehow I'm not convinced.

> He briefly stops in China, before finally going to Russia.

Hong Kong is NOT China.

Well, it is and it isn't. But I think any tools he had that long ago would not be newsworthy by now.
Yeah that's what I was thinking. 4 years between Snowden's releases and Vault 7, and another 2 years from then until now. Most 0-days don't live that long. Not to mention the fact that Snowden has always refused to work with Wikileaks... The conspiracies that people treasure are quite revealing.
While I don't believe the allegation about ES and CN.

> Hong Kong is NOT China. It actually is, while HK enjoys a high degree of autonomy, it is still a "special administrative regions" of China and has been since 1997 when the 99 year lease expired.

There isn't a clear definition of what counts as part of a country. For this purpose, it's about access to intelligence. By that standard, Britain is part of America too because they share intelligence. If it's decided by the country that claims it, then many disputed regions belong to more than one country. If it's decided by international agreement, then what happens when they don't agree? Like Taiwan and other disputed regions. What about Puerto Rico? Is that part of the US? If it's about control of the government and military, was Iraq part of the US when it was occupied?
Hong Kong is China like Puerto Rico is USA.
That is a poor comparison. Hong Kong has a judicial system unto itself that was inherited from its colonial occupiers, which is why aspects of Common Law are often recognized in Hong Kong. Puerto Rico has no governmental autonomy.
Having spent some time in Hong Kong, I'm well aware of that.

But I meant in the context of this discussion. China's intelligence agencies consider Hong Kong to be home turf just like the Puerto Rico is home soil for the NSA.

What about American Samoa? Currently, only people with sufficient American Samoan heritage are allowed to own land. According to people interviewed in Radiolab, this law is in conflict with the American constitution, which is why some American Samoans resist having full citizenship, as presumably that would force them to adhere to the American constitution.

[0]: https://www.wnycstudios.org/story/americanish

(comment deleted)
You have a high standard for being convinced so more news stories won't convince you than normal people. That's fine, but be careful that the ones which do convince you (Snowden stayed in Hong Kong, for instance), really are stronger than those that don't. Otherwise you probably have a bias that's making judgments for you.
China is becoming an increasingly big threat to the west and it’s values, only because it’s a communist dictatorship. With the rise of the middle class and the ultra rich in China, I dont know for how long with the communist party stay in power. It seems the government censorship and all the spying does work for controlling the people into believing the government is doing good to them...
China hasn't actually been communist in a long time. I think the current situation is that the growing middle class will give at least tacit support, so long as they keep growing. With memories of the late 60's still hanging over that nation, they prize stability more than nations that haven't lost it in living memory.

Now, if the economy turns really sour, then like Indonesia in the 90's they may discover that the populace gets restless very quickly. But, for now, I think the Chinese middle class is not in the mood to make big trouble.

The Chinese have found (or been given) the modern Middle Kingdom under the rule of the Communist Party. What is happening in China is what has always happened in China. Certain invariables that even the Cultural Revolution could not erase from the Chinese nation. What China dislodged during the reign of Mao was out dated forms of these invariables. Confucius is out, Party Chairman's 'thoughts' are in.

The West is used to seeing the decrepit aspect of the Chinese and associates that with its characteristic societal structure. But this nation also has an aspect of splendor. This renewed splendor appears to bother some in the West. In fact, any sort of renewal of Asia not under the control of the West is "alarming" to the West.

Don't worry. Asians don't hold grudges .. ;)

every country has its history. That does not justify China’s human rights violations. I am all for China overtaking the throne as the global hegemony, if they cared about human rights outside of the Han people. Stopping the genocide on the western part of China would be a start. Either way, US being number two may give us a much needed gut punch. We can trim some of our collective fat.
I mean, China only got where it's now by stealing tech from the US and EU. Either with spies, or by letting foreign companies "compete" in China, only if they partner up with a local company, and then for the government to clench the foreign company so that they finally quit the market. Also, if the IP was actually protected, Chinese companies would have to pay billions back to the US and EU... I only like Trump because he sees the bigger picture in terms of China being a threat, how much China is making a fool of the west, and also due to the tax cuts.
are you sure that you've gone through some critical thinking before saying that?
Are you perhaps Chinese? All your comments are about defending China regarding the same issues. Its funny. Have you heard of those government actors in China that are paid to flag comments and write good comments about the government
For the vast majority of Chinese, the government is doing good to them. They keep getting wealthier and their quality of life keeps going up. You might think it's better to be a starving peasant in a country with western values than a middle class programmer who can't vote, but not everyone agrees. Western values are invented by and for western people and are only really a few decades old (remember when gay sex was illegal by western values? Remember the Vietnam war draft?). Chinese people don't necessarily copy the same values, just as we don't copy Confucian or Islamic values.
(comment deleted)
Please don't tell me this is true... The US government can't be this fucked.
This NYT article is paywalled but Symantec's blog post [0] (on which much of the NYT article is based) is not.

---

According to the blog post, "Buckeye", a group allegedly working on behalf of the Chinese state, also used an "exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019."

So Symantec reported a zero-day -- which was being actively exploited in the wild by a state-based actor -- to Microsoft and Microsoft STILL didn't release a patch for it until six months later?

[0]: https://www.symantec.com/blogs/threat-intelligence/buckeye-w...

What an unexpected and wholly unforeseen consequence of backdooring domestic technology while pretending to the opposite. Let's hear it, IC apologists: Get your mob of astroturfers out her to tell us why this is a specious concern.
Did you read the article? There is no backdoor of any technology involved, let alone domestic technology.
So China pretty much pulled the reverse card in UNO?
Sounds like it. They arranged to be rubber to our glue.
Yet more evidence that you can't trust anyone with magic software that defeats device security without making the devices insecure.
OS makers have that magic software and seem to keep it secure enough. They can update your device and potentially hack if it they want to. If you think that's a bad idea, what alternative would you propose for automatic security updates?
Linux distros can all be configured to update automatically. This does not require external control - the machine is capable of checking update servers on its own and updating if configured to do so. I don’t see how external control would be required for automatic updates.
Automatic updates give the update server the ability to compromise your machine.
But at least you get to choose who is on the list of potential suppliers.
Most software updates risk compromising your machine, no?

I’m talking about whether external control is required for software updates to occur. As with Windows, where Microsoft can replace software on your machine at any time. On Ubuntu, canonical can add backdoored software to their repositories but they can’t forcibly install software on your machine AFAIK. Maybe I just misunderstood the comment I was responding to.

well they kinda can... if they do any update to include software, that software can be anything... update systemd to include remote execution, or to install any package they want (but why would it be a package??)
you're right, an automatic update could install malicious software, but the common request has been to have software that law enforcement can use with any device.

e.g. law inforcement gets a tool "BreakEveryonesSecurity.exe/app" that can talk to any device they find. For that to work all devices have to be pre-compromised. Another work for pre-compromised is "insecure".

The "magic software" is, at its core, just strong encryption and an unbroken chain of trust.

You trust your OS updates because your machine trusts the certificate it is presented with. Your machine trusts that certificate because it is signed by an authority which is in your machine's local list of trusted authorities.

If people mess up that list of trusted certificate authorities, it can easily compromise the system. Remember this?

https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...

Now imagine if, instead of having an identifiable certificate authority which accidentally allowed third parties to intercept and modify your encrypted traffic, that were an undetectable feature of the encryption algorithm.

If that were the case, no matter how much you trusted the entity that understands the nature of the backdoor, you would not trust your OS.

So the problem is more about transparency and reliability of the software than about government access? I don't think so though because otherwise anyone proposing government backdoors would neutralize opposition by saying let's make it a front door, we'll have our certificate trusted by those same CAs and be open about it.
No, that's a misrepresentation of how these things work.

An iOS device cannot install an update without an unlock, and any updates it does push are signed by an apple key, and does not make software with compromised security.

Apple then designs the system so that someone hacking Apple doesn't give them the ability to hack iOS devices. The way apple achieves this is to make the phones require a user unlock to update the device or to connect to another machine.

The only way to make magic software work would be for apple to deliberately compromise the device security. The moment they did that, that would mean there was a tool that would only need to be leaked once to compromise all apple devices. The solution is to not design a broken security model.

I assume the high end android devices are similar, but given android phones are still being shipped without a Secure Enclave I can imagine there are some trivially compromised devices.

So then let's get to how the update itself works.

The device gets a user unlock to occur (iirc if you have automatic updates enabled this means that your device has to have been unlocked in the last 24 hours?[1]). The device pulls an update from an apple server, verifies both the server it pulls from, and the bundle itself. No one else can publish or mitm the update. There's no magic software that can just be passed around - you would need to compromise apple itself, and compromise it to the point that you can get the updates signed by their production signing keys without anyone noticing.

If you're really unsure how all this works feel free to read their documentation: https://www.apple.com/business/site/docs/iOS_Security_Guide....

[1] I re-read the white paper's update mechanism and it sounds like it always requires an unlock before updating. So it's not a hysteresis. So automatic update is gated on an unlock before bed and asking permission to perform the update.

I understand how it works but you said we can't trust anyone with magic software. I assume you count secret keys as part of that magic software. Apple has such software and keys, so we can't trust Apple. Perhaps you really meant "we can't trust anyone except Apple, Microsoft, Google, Samsung, Lenovo, etc."? If you don't count secret keys, then are you happy for governments to have their own OS update keys and use their own servers that are quietly accessed by devices?

That's not quite applicable to this story though which seems to be just observing network traffic.

If someone steals a gun and kills someone, I'm mostly mad at the murderer, but I'm at least a little mad at the irresponsible gun owner.
It’s more like one murderer stealing a gun from another murderer, since they both use the tools against everyone else.
> Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered.

Does that open up the NSA to a lawsuit from those U.S. companies that were attacked by the same tools the NSA created and used against targets in China?

It seems like there ought to be some liability for any organization that gives this kind of technology to another organization who is likely to misuse it, even if "give" in this instance means "use it against them".

Of course not. The NSA didn’t put those vulnerabilities there. If we want to start pointing fingers, the first point of liability would be with whoever released the vulnerable software.
I do and you probably do too. Of course we can fantasize that these vulns have been planted, maybe even a couple have been. But most of them are probably just uncaught mistakes and subtle semantic errors. I believe in proving software (and other stuff) correct, but that doesn't mean we'll arrive at some point to the one true software. The problem is about defining formally what it is to be correct, having a model that encompasses all things you care about. You can't blame people for writing faulty software and shipping exploitable hardware, that's just what one does. I think it makes sense to blame people for discovering exploits and not disclosing them properly tho. That's what one is expected to do... Some wishful thinking: let's hope the US will see that the only move with positive outcome is to start a global disarmament initiative. We seem to have forgotten the days of fighting for de-weaponizing encryption, this should apply to cyber-security in general.
188 upvotes in 3 hours and already off the front page. Clearly people are flagging this post. The question is why...
Something about this whole article is bullshit. In fact, it could be a planted story BY NSA.

The Shadow Brokers released source code and the USA still doesn't know how it was leaked. There's no source code in an "interception".