114 comments

[ 3.0 ms ] story [ 95.3 ms ] thread
Here is a direct link to the 76 page report: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Does the report detail how the IP space is tracked to a physical neighborhood? That's....sort of critically important here.
It says the IPs were determined to geo-locate to the Pudong New Area in Shanghai, and jumped from there straight to the PLA Unit that happens to be in Shanghai.

No big leap, Pudong only has 5 million inhabitants, roughly the size of the Washington DC Metro area.

Shanghai is defined by a river. The old town to the west, the new town to the east. Pudong literally means ("east of the river"). Pudong is metaphorically as well as physically fully half of Shanghai.
From the article

"Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.

“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.

The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”"

Mandiant also released a video which is a screen capture of an alleged Chinese hacker ('doda') at work:

http://www.youtube.com/watch?v=6p7FqSav6Ho

edit: One quick conclusion. it looks like their teams are segmented - you have the guys like Doda who are doing the grunt work of sending out the emails and extracting information. These guys get discovered. Who isn't being discovered are the tools and exploit writers, a much more interesting target to uncover. Doda doesn't seem to be a terribly sophisticated hacker, he looks like an ordinary computer user that has been trained to use the tools.

Using emails with sequential ID's in them and opening your own computer up to being owned suggests further that he isn't very sophisticated.

I would like to quote a past comment http://www.reddit.com/r/netsec/comments/m0i93/_/c2x87tb

- the volume of attack coming from Chinese IP addresses but are essentially non-Chinese in origin is substantial. The windows xp piracy rate ends up in a very low uptake of windows update, leaving quite possibly the largest population of vulnerable hosts in the world. Attacks end up being false-flag even if not intended

- Attacks that are genuinely Chinese in origin tend towards being citizen initiatives. Imagine if you lived in a jurisdiction where instead of being treated like Garry McKinnon for attacking American infrastructure, just nobody gives a fuck. The reverse also applies, but has a limit that Chinese is not widely understood by American 'hackers'. Any Chinese skiddie can cause an international incident by trying out their tools on an American company. Universities that run courses in infosec, of which some are military, are commonly accused origin IPs for attacks. The likelihood is that complacence, rather than official sponsorship or policy is the prime driver behind this phenomenon.

- Instead of trying to build out \cough\\ cybercommands, Government sponsored CTF tournaments identify and reward talent, without bringing it on-board the National Security apparatus. Talent is left out in the community on the understanding it can be found if needed.

- The 'Chinese Government' is nowhere near as cohesive and controlling as is depicted in Western sources. Government sponsored economic espionage activities that are out of proportion to American efforts against the rest of the world will originate at the provincial level. Chinese industry is very regional, with whole provinces specializing in specific industries, hence the benefits of economic espionage is highly regional in nature too. It is not in the central government's interests to sustain the Chinese hacker folklore, nor would it be within their ability to rein in any provincial government involvement.

Yes a government response to this sort of guerrila warfare against unnamed attackers will be interesting. They cannot just create strong penalties as the attackers are beyond their jurisdiction. Punishing China for anything within their IP space is also a non-starter, something the authors do not mention.
This is a very recent report. Your comment is more than a year old. Are you asserting that nothing has changed?

Edit: From the report in the article

"Our research and observations indicate that the Communist Party of China (CPC,中国共产党) is tasking the Chinese People’s Liberation Army (PLA,中国人民解放军) to commit systematic cyber espionage and data theft against organizations around the world "

They have a whole section devoted to backing this up.

commit systematic cyber espionage and data theft

Most nations have something like this these days (eg. Australia, France, Germany, Korea, UK, US.)

The US military terms this move toward constant low-level conflict with a focus on information warfare the RMA or Revolution in Military Affairs.

Also note that quoting five words of mandarin (五个汉字) may function may make a commercially produced report appear more authoritative, but in practice it probably demonstrates the opposite.

> Most nations have something like this these days (eg. Australia, France, Germany, Korea, UK, US.)

Are you asserting that these nations have broken into non military infrastructure of some other nation they are at peace with?

You are also asserting that these countries are stealing corporate data.

Can you back that up? Do they compare with what China is doing?

> Also note that quoting five words of mandarin (五个汉字) may function may make a commercially produced report appear more authoritative, but in practice it probably demonstrates the opposite.

That doesn't hold for everyone. I agree with you that, in general, Mandarin is sort of fad-ish.

Are you asserting that these nations have broken into non military infrastructure of some other nation they are at peace with?

Certainly, they do it all the time. It's considered par for the course these days. It's not always breaking in to the infrastructure, sometimes it's providing it.

For just two well known examples, look at Israel's Mossad-affiliated AMDOCS company's widespread global telecommunications data theft with "hosted billing solutions" for major mobile and fixed-line telecommunications carriers worldwide (certainly US and EU-wide).

Or, look at the European Union's exposure of how the US has been constantly abusing surveillance capabilities for global geostrategic business purposes in their original report on Echelon; IIRC they had a very well documented case of Airbus vs. Boeing.

These things don't stand still, and the above examples are continuing but originated 10+ years ago.

IMHO it is now ignorant to believe that we live in anything less than a world of constant conflict where corporate-government mutual assistance and backscratching are the order of the day and citizens rights are nothing more than a quaint, antiquated notion you can easily put down in court given enough lawyers, legal entities, deniability, media gag orders (UK tops the world for these), assassinations (Singapore is up there), imprisonment (US after Wikileaks) or the odd, extreme, resignation.

Thanks for indirectly calling me ignorant. Don't see much of that on HN. Googling what you gave did not give me any reputable sources of nations doing both these two things

1. Attacking critical civilian infrastructure 2. Outright corporate theft

Once again, any reputable reports will be appreciated. (For any crazy statement X, one can always find a forum or website backing X. Thats why the insistence on reputable sources.)

Read http://cryptome.org/echelon-ep-fin.htm in particular section "10.6. Is ECHELON suitable for industrial espionage?" and the following "10.7. Published cases", then remember that's 10+ years ago. If you truly consider an in-depth report commissioned by the European Parliament combining the intelligence agency resources of multiple European governments untrustworthy, then perhaps our perspectives differ too far to communicate on this issue.

(Edit 1: Changed link from Cryptome's still-hosted draft-form to the final-form report.) (Edit 2: Added section reference.)

You are just throwing accusations right and left without comprehending the material that you linked to. I have pasted the whole section here.

Tell me which clause leads you to believe ECHELON actively breaks into corporate networks. It seems that what ECHELON has access to is something that anybody can lay their hands on. If you conduct your business by broadcasting messages over a public, then not only ECHELON, but the whole world can listen to it. This is much different than the ugly spearfishing and active breaking in by the Chinese.

Did you just keyword search and paste without understanding what the clauses meant?

"10.6. Is ECHELON suitable for industrial espionage suitable for industrial espionage?

The strategic monitoring of international telecommunications, can produce useful information for industrial espionage purposes, but only by chance. In fact, sensitive industrial information is primarily to be found in the firms themselves, which means that industrial espionage is carried out primarily by attempting to obtain the information via employees or infiltrators or by breaking into internal computer networks. Only where sensitive data is sent outside via cable or radio (satellite) can a communications surveillance system be used for industrial espionage. This occurs systematically in the following three cases:

- in connection with firms which operate in three times zones, so that interim results are sent from Europe to America and then on to Asia; - in the case of videoconferences in multinational companies conducted by VSAT or cable;

- when important contracts have to be negotiated locally (construction of facilities, telecommunications infrastructure, rebuilding of transport systems, etc.), and the firm's representatives have to consult their head office.

If firms fail to protect their communications in such cases, interception can provide competitors with valuable data"

You are just throwing accusations right and left without comprehending the material that you linked to.

Look, I am trying to point out the bigger picture here, internationally, and developments over the last couple of decades. I provided you with one of the key open sources that provided a public touchstone for those who were aware of the abuses over a decade ago. Understanding that document should put the fear in to most people. I am forced to question whether you have read the document, but reading your comments such as It seems that what ECHELON has access to is something that anybody can lay their hands on and I have pasted the whole section here it is clear that you have not. Put some effort in, educate yourself, then come back and have a discussion.

Tell me which clause leads you to believe ECHELON actively breaks into corporate networks.

Now you are putting words in to my mouth. I brought up Echelon as one part of the information warfare arsenal deployed by non-Chinese state actors for commercial espionage purposes, which was the original scope of discussion.

If you conduct your business by broadcasting messages over a public, then not only ECHELON, but the whole world can listen to it.

Oh right. "Everyone else deserves what they get", what a civic perspective! Show me how widespread encryption was in the mid '90s when the world was just getting on the internet. Now show me how widespread that was for VSAT systems and long-haul ISDN being shot out to NSA satellites over long-haul microwave links. I personally worked on video conferencing and surveillance systems in that era for multiple governments and I can tell you that as far as any deployed system I witnessed across five or so countries went, nobody used passwords, ever - to say nothing of encryption!

This is much different than the ugly spearfishing and active breaking in by the Chinese.

Believing there is no targeting capability within Echelon and similar systems is a huge and IMHO poorly supported assumption. Remember, that document is 10+ years old, discussing information on the state of the art ~15 years ago. Further, after Stuxnet and other revelations, believing the west does not develop offensive information warfare capabilities is laughable. Some of us knew this 10+ years ago. They were a lot less careful at hiding their tracks back then (eg. frequent use of IPs within reasonably.specific.descriptor.mil.somecountry reverse DNS to browse the web).

Did you just keyword search and paste without understanding what the clauses meant?

No, I read that document when it first came out, in fact I was reading about Echelon before it was published, and being labelled a nut-job. Since then I have occasionally glanced at it, usually to provide a reference to unbelievers. It's very rare that someone reads it and continues to argue.

While we're at it of a morning, here's some more information on how normal this stuff is. It is pretty well established that the Chinese routinely supply entire mobile telephony systems to developing nations (in Africa, etc.) in order to - on the face of it - sweeten resource extraction deals, but it is widely assumed to maintain a technical capacity for signals intelligence through that infrastructure (Huawei, etc.).

Are they alone? Consider this: while physically on the ground for a month during the Tunisian revolution, the first of the Arab spring, I found that Vodafone offered the fastest 3G I'd ever experienced - anywhere in the world. I even had Facebook and Gmail access. To assume that communications capability was not a targetable intelligence asset for the west in some measure seems ... highly unlikely to me.

More to the point, Applebaum of the Tor project also visited Tunisia later on as a precursor to his being in touch with people in other Arab Spring nations. Many (most? all?) of the revolutions uncovered vast, turnkey, state-level mass surveillance and censorship tools -- supplied to these regimes by individual companies in the west. W...

> Are you asserting that these nations have broken into non military infrastructure of some other nation they are at peace with?

I'm not sure people understand how huge of a deal that is to a) accuse and b) be guilty of.

The central point of that comment is that cyber espionage may not be strategically organized by the central government. China is a large country with complex power structures, while Chinese cyberspace is also underregulated and chaotic. Evidence of Chinese hackers being related to CPC or PLA doesn't imply the decision bodies in CPC and PLA all have such political or economic motives.

Edit: Here is the conclusion of the report:

In a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai.

This is likely false and demonstrating the authors do not understand what the Chinese government is monitoring. The Chinese government monitors Internet speech and content. It doesn't care about how many viruses or hackers are there.

"Monitoring" is an unspeakably mild term for the mass censorship of the web that the Chinese government undertakes.

The Chinese military is an appendage of the Chinese government, and acts according to the government's demands. As with StuxNet, it's highly likely that these attacks had officials calling the shots (if not writing the code).

> The Chinese government monitors Internet speech and content. It doesn't care about how many viruses or hackers are there.

This is counter to the public position of the Chinese government, which is that they consider cyber attacks to be crimes that they aggressively pursue and prevent.

It's also a meaningless distinction, as most viruses and cyber attacks originating from Chinese IP space use content as a vector.

Does the US risk being seen as a dog with a loud bark but no bite here? If you're going to make pronouncements that hacking will be considered an act of war (1), don't you kinda paint yourself into a corner when you get hacked?

(1) http://www.guardian.co.uk/world/2011/may/31/washington-moves...

I don't know why they (Obama and his advisers) ever thought that was a good idea. Whoever was planning to hack US never took that seriously anyway, and now that they've seen they won't actually do it, they can take them even less seriously.

I guess they couldn't just say "you hack us, we hack you back". Or more realistically: "We hack you first in secret. Then you hack us back in secret. And then we have an excuse to go public to get the public's support to hack you back, and get more funding and bills passed for whatever other secret operations we want to do next". Case in point: Iran.

OK, so the link you provided is a gross simplification of current thinking. Government officials have been quite clear that CNE[1] is NOT generally considered an act of war, rather, it's part of the usual intelligence operations expected during peacetime.

It's CNA (e.g. operations designed specifically to disrupt or destroy civilian or military targets) which is "on the table" for act-of-war status, particularly if there is kinetic effect. An example would be if something like Stuxnet were deployed against the U.S. power grid.

The idea is that it doesn't matter whether a power plant was disabled via a bomb or a backdoor. Both the intent and the outcome are the same. So the declaration of policy you linked to is really a clarification rather than a "change of course".

The lines are blurry when it comes to CNE and critical infrastructure. The problem you have is that if, say, 3 competing agencies are all vying for control of the same powerplant for CNE reasons (e.g. not trying to cause damage), the plant might nonetheless get taken out by accident. I'm not sure anyone is clear on what to do in that kind of a situation.

[1] We can divide "cyber" operations into the following categories (straight from wikipedia):

* Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

* Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks. Joint Pub 6.0 further outlines Computer Network Defense as an aspect of NetOps

* Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

Any irrationality on our part can and will be exploited using false flag attacks. A third party who is not a friend of either US or China would benefit perhaps from hacking Chinese infrastructure then use it to launch an attack on US infrastructure -- a false flag attack.

Same applies to lower level stuff. If there is say a hypothetical an irrational policy for mandatory arrest of anyone suspected of terrorism, one shouldn't be surprised that neighbors will start reporting each other over the color of fence or wrong type of shutters installed.

Thanks for the explanation. Hopefully we can agree that it still puts the US in a precarious public spotlight...not sure that the public will make as detailed a distinction as appears to be required.
May be, not will be. Even the article you linked to is clear on that. The point is that attacks on US infrastructure using computers will not automatically be treated as less severe than dropping bombs simply by virtue of how they were carried out. That doesn't come anywhere near "all hacking == war".
I've been in China on and off for ~7 of the last 10-11 years. During that time I was once asked to write an online forum / comment scanning system by an employer in Shanghai that could trace keyword usage. It was supposed to be for marketing purposes but I didn't trust that claim. Needless to say I didn't write the system. No idea who the employer was, or whether it's related. I've also met some people that have worked on the public security bureau's CCTV systems, and others who work in Beijing/Tianjin with government for computer security projects.

I think the western military-industrial and government security industry wants to daemonize China as justification for spending. Realistically, at the global geostrategic level, China is already beating them at their own game, ie. pure capitalism behind a facade of diplomacy and social concern.

Personally I would posit that the major area of conflict right now between China and the US is probably Burma, not some random server providing a pitifully limited window in to the vast bureaucratic engines of US governance.

Do you really think they are just trying to demonize China given that there have been attacks to control critical infrastructure?
Considering the degree that defense spending props up the US economy, yes.
That does not show anything. A motive perhaps, but nothing more. On the other hand, we have stark evidence of China being nefarious right in front of us.
Eh, most of what they are doing is corporate espionage with the intent of copying and cost cutting. If your business is susceptible to being undercut on price alone, your days are numbered regardless.
This is getting off-topic, but:

I put in $E amount of effort to produce a product priced at $X (let us say a software product). Somebody steals the source code I use to produce the product and sells the same product at $X-E killing my business. How is this justified in any sense?

Yes, there have been cases of Chinese hackers stealing source code.

There is a lot more to running a successful business than dev cost A and price B. and this is why so many Chinese clones fail
"There is a lot more to running a successful business than dev cost A and price B. and this is why so many Chinese clones fail"

Aargh. That does not make it moral or legal.

> the degree that defense spending props up the US economy

US defense spending was 4.7% of GDP in 2011. What do you call the other 95.3%?

(context: Russia 3.9%, China 2.0%, World 2.5%) --SIPRI

It's a lot more useful to compare defense spending to the budget, not GDP. Would also be nice to see your sources.

In 2011 defense spending was 20% of the budget, and in real terms the US spent more than the next 13 highest spending nations combined (China, Russia, UK, France, Japan, India, Saudi Arabia, Germany, to name a few). [0]

[0] http://www.washingtonpost.com/blogs/wonkblog/wp/2013/01/07/e...

http://data.worldbank.org/indicator/MS.MIL.XPND.GD.ZS?order=... (with nice description of what it includes and excludes)

> It's a lot more useful to compare defense spending to the budget, not GDP

Different types of government will lead to the same expenditures being handled within the government's budget and not. US budget/GDP is low, so using that ratio instead makes it look misleadingly high (since you get to 4x it).

budget/GDP ratio examples: Cuba 86.5%, France 55.7%, UK 50.9%, US 23.6%, China 23.0%, India 17.5%

https://www.cia.gov/library/publications/the-world-factbook/...

> US spent more than the next 13 highest spending nations combined

If you're comparing how countries allocate their resources, you divide their absolute numbers by the amount of resources they have (debt-to-GDP, etc).

By example: the US produced 46,500,000 tonnes of salt in 2006, and France 7,000,000 tonnes. US salt epidemic! But that salt production ratio is 6.64, and their 2006 GDP ratio is 5.837.

edit: if you like 80s-90s US/NATO/world military expenditure comparisons, this is comprehensive: http://csis.org/files/media/csis/pubs/bwcfcompsummary%5B1%5D...

What kind of control critical infrastructure did they target? And no, a chemical plant is no control critical infrastructure. ;)
(comment deleted)
I would assume that the most effective counter-strategy would be something like a poisoned honey-pot approach: Make a large scale effort to start feeding fake information to intruders and see what happens.

You probably couldn't do something like this but it's interesting to think about: http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

This is what allegedly happend with concodrski (the Russian version of concord) blueprints with design flaws where leaked to the russians.
What about AAMRAM-ski and Raptor-ski? (I just like the sound.)
"Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall that blocks ordinary citizen’s access, making it easier to track down their real identities."

Amazing.

could you explain this further? I re-read this line a few times but didn't understand. How would logging into their FB and Twitter accounts get them around the Great Firewall?
I assumed that this meant the attackers logged into their own social network accounts while they were "inside" (i.e. using) compromised machines in the target locations.
That makes sense, thanks. I didn't think they would be silly enough to do that.
(comment deleted)
(comment deleted)
Great, now these Chinese hackers will be more careful in the future and harder to track.
I believe that Chinese hackers are the scariest thing in the world today. I think that the threat from cyber warfare might be slightly overblown (though the next pearl harbor will most likely be a cyber attack). The real threat is the fact that no digital information can be kept secret anymore. If Chinese hackers want what's on a given hard disk, there's no way to stop them.

People absolutely freak out when they suspect the US government of spying on a citizen. But chinese hackers, state sponsored or not, seem to be able to roam with impunity. Several US companies have had their ip stolen and their businesses ruined. Companies have lost as much as a billion dollars in ip in a single night. [1] There are so many of them with such diversity of skills that almost no one is safe.

I'm not trying to rattle sabers here, just pointing out that the world is facing a threat to privacy and secrecy that is greater than we have ever known. Chinese hackers have more power than the CIA, KGB and Gestapo combined, and nothing short of WWIII can slow them down.

[1] http://www.nytimes.com/2012/04/03/opinion/how-china-steals-o...

>I believe that Chinese hackers are the scariest thing in the world today.

I'm much more worried about nuclear weapons, Authoritarianism, and biological warfare.

The Chinese government?
I'm not exceptionally worried about China's nukes. They understand MAD. I'm more worried about the middle east.

Authoritarianism is more worrying if it's in the country I'm standing on.

My main fear with biological warfare is non-state actors. As it becomes possible to do more with less, the chances of fundamentalists and other malicious parties using biological agents for terrorism or worse go up.

The Chinese government made a statement last year about MAD. It basically boiled down to their population being so large and spread out so far across china that they would still have a large enough population base to continue on past past the Armageddon to rebuild while everywhere else would suffer a lot higher casualty rates because a lot of the developed world is concentrated in large cities.

IIRC one of the main reasons MAD was a threat to the Russians was because they're populated centres are mostly in one area of the country.

Its all saber rattling regardless I guess, as china develops they'll be more so concentrated in cities like everyone else.

All of the most populous, productive area of China are concentrated along the coast and around the four main inland cities: over 3/4s of Chinese GDP comes from these, which cover relatively little area. China might be less vulnerable than the USSR was to targetted nuclear strikes, but I doubt it is less so than the US, and I doubt Chinese leadership believe China would have the advantage against the US if a military conflict turned nuclear.

Who made the statement?

There was a Chinese general (Zhu Chenghu) who has made several controversial statements to this end, including that initiating nuclear war would be acceptable in case of US intrusion in Taiwan (still considered by most mainland Chinese as a Chinese possession). However, to the best of my knowledge he hasn't been in the press the last couple of years.
As far as I'm aware, their strategy is based on a scenario where the US can and does defeat it in a nuclear war.

And hence that strategy works to prevent that attack, not defeat it...

Have a bunch of relatively large (much larger that the US's) warheads strike American cities exclusively. Forget about military targets.

The Chinese nuclear arsenal was built to deter the Soviet Union. That is why it consists primarily of medium-range missiles. The Russian population is concentrated in European Russia, which is easily within range of a medium-range nuclear deterrent based in Western China.

This deterrent is ineffective against the United States. The medium-range missiles cannot even hit Seattle, much less Miami. The entire Chinese ICBM force consists of 20 missiles with non-MIRVed 5-megaton thermonuclear warheads.

Thus, in terms of nuclear weaponry, the United States outguns China by about 2000-to-20. This is why their plans assume defeat in a nuclear exchange -- because it is a virtual certainty.

http://en.wikipedia.org/wiki/People%27s_Republic_of_China_an...

You are correct on the number. But the part about the Soviet Union, Im not so sure...

> History

Mao Zedong decided to begin a Chinese nuclear-weapons program during the First Taiwan Strait Crisis of 1954-1955 over the Quemoy and Matsu Islands. While he did not expect to be able to match the large American nuclear arsenal, Mao believed that even a few bombs would increase China's diplomatic credibility. Construction of uranium enrichment plants in Baotou and Lanzhou began in 1958, and a plutonium facility in Jiuquan and the Lop Nur nuclear test site by 1960. The Soviet Union provided assistance in the early Chinese program by sending advisers to help in the facilities devoted to fissile material production, and promised to provide a prototype bomb.[12] In July 1960, however, during the Sino-Soviet split, all Soviet assistance with the Chinese nuclear program was abruptly terminated and all Soviet technicians were withdrawn from the program.[13]

Whatever the original reasons for China's atomic bomb program, they became completely irrelevant after relations with the Soviet Union deteriorated.

By 1964, when the first Chinese atomic bomb was tested, China was barely on speaking terms with the Soviet Union. By 1969, China and the Soviet Union were on the brink of war. The Soviets tripled their forces in the Far East during the 1960s, deploying fully one-quarter of the Soviet military along the Chinese border. (They did this without drawing down their forces in Europe, which placed quite a strain on the Soviet economy.)

After Nixon visited China in 1972, Henry Kissinger even gave security briefings to Chinese generals, supplying them with satellite imagery and the location of Soviet forces.

They have to say things like that, because you need the other side to believe you will use your nukes for them to be an effective deterrent. Nobody actually wants to use them.
> As it becomes possible to do more with less, the chances of fundamentalists and other malicious parties using biological agents for terrorism or worse go up.

I just thinking the other day, once home-made drones become capable enough of carrying loads of up to 5kg then what would stop such a potential malicious "non-state actor" of using such a drone fully-loaded with chemical nasty stuff to bypass all the obsolete ground-security system at a big open-air event (say, the Super-Bowl or any other sports event attended by 70,000+ people) and cause harm to most of all those present?

Also drunk drivers, lightning strikes, and spiders...

Seriously, who actually experiences fear because of chinese hackers?

After reading the article, that would be me. Why do you think they've worked their asses off to be able to shut off our power grid? Can you think of an explanation that isn't just a little bit spooky?
You think the US government doesn't do similar things in China? Should people living in China be spooked?
Thats really not an answer.

Just because people in both countries can now face a new angle of attack doesn't mean that there is something to not be spooked about. People in both countries should be equally spooked.

The USA has more to lose in this battle - for a nation moving away from manufacturing and aiming to keep a tech lead for its economy - China's actions eventually would mean check mate.

Problem is, they would probably shut themself out if they turned off the power...
Why would the Chinese want to shut off the US power grid? The reason why they built nukes to defend against Russia and none to defend against the US is they want to take over the US by immigrating there in large numbers. Australia/NZ and Canada today were just trial runs. There were 1 million ethnic Chinese in the US in 1990; by 2010 there were 3 million. Extrapolating the geometric series, 10 million by 2030, 30 million by 2050, and 100 million by 2070. Their students are coming to rent the houses, get jobs afterwards, then buy the houses. Americans will vote for the government that lets in more rich Asian immigrants, so house prices go up higher. By 2100, the US will be a majority Chinese nation, and the Ming Dynasty's big mistake of closing down Zheng He's 15th century treasure fleet will have been rectified.
Any Engineering or Security employee on any non-Chinese big tech company. He'll I'm not even sure if Chinese companies, maybe the ones who are backed by China govt., are not worried.
I don't think you know what saber rattling actually means.
If Chinese hackers want what's on a given hard disk, there's no way to stop them.

To which I answer, air gap.

Yes, the air gap can be compromised, but at that point you aren't just talking hackers in China. You're talking organized crime with cat burglars breaking into US facilities.

You're talking organized crime with cat burglars breaking into US facilities.

Another method is Social Engineering.

Sure we can secure a certain piece of information if no one has to ever access it. Hard drive in a locked box inside some bunker type of thing. It becomes hard when the information must be easily accessible to multiple persons operating from different places.
> People absolutely freak out when they suspect the US government of spying on a citizen.

Why would they only spy on citizens? They have a long history of sharing corporate espionage when corporate data is snatched in their net (http://archive.newsmax.com/archives/ic/2005/12/19/114807.sht... and https://en.wikipedia.org/wiki/ECHELON#Controversy). Economic espionage by governments began way before internet even was a thing.

Not that this makes it right for china to use hackers for the same goal, but at the same time it is nothing new. The biggest difference between NSA and the Chinese hackers are that the NSA are mostly passive listeners on the wire, passing along what they "hear" to corporations. Chinese hackers are more active listeners, and pass along what they "find" to corporations. Still, not much of a difference in my book.

I hear that a lot, but the truth is that the next Perl Harbour has already happened. It was a surprise aerial attack on a strategic port city back in 2001. Almost 3,000 people were killed.

I don't believe any cyber attack is likely to be that dramatic or destructive for the same reasons that computer systems are hard to protect. Complexity. It's hard to protect a computer system because there are so many potential vulnerabilities. It's easier to take one down, but that won't necessarily result in much damage. To do that you need to take over a complex system and exercise sophisticated and dynamic control of it, to orchestrate very specific behaviour, which is not easy. For example shutting down the computers at a nuclear power plant may be feasible. However taking control of it and manipulating it with enough sophistication to engineer a meltdown, while overcoming all the computerised and physical safeguards would be a lot more complex to pull off.

"I hear that a lot, but the truth is that the next Perl Harbour has already happened. It was a surprise aerial attack on a strategic port city back in 2001. Almost 3,000 people were killed."

The Pearl Harbour attack was an attempt by a government to cripple an enemy's capability to project power in the Pacific ocean, with the attacker's intent to then establish dominance in that region. What you describe was nothing of the sort and to call it another Pearl Harbour is simply wrong.

Fair point, I stand corrected.

I think the rest of my point in the second paragraph stands though.

this is why i love HN where reasonable people are willing to consider different perspectives and make their choices of conviction. thanks for the conversation.
If you define Pearl Harbour as a military attack, then yes. But if you look at the cultural and political impact of 9/11 and Pearl Harbour, then they are quite similar. Both did change US policy and politics, have both generated treatment in movies and books and perhaps most strikingly are used in a phrase like "The next ..."
The Pearl Harbour attack forced a nation that was reticent into an actual, real war against a serious foe that presented a genuine threat; a war that would dictate cultural and economic supremacy over the Pacific region for the next half-century. It also pushed the US into the genuine battle for national existence raging over the other half of the planet in which millions of people were already under the yoke of an invader. The ensuing economic activity towards the war effort created the situation post-war in which the U.S. dominated the world whilst at the same time providing massive, massive increases in living standards for the U.S. population and also in large parts of Europe via the Marshall Plan. The echoes continue to ring today.

Comparing this to 9/11 is like comparing a tank to a soap box racer. I might as well say that the price of pork belly futures is the next Pearl Harbour as that also affects US policy.

Well, hold on there. Think about the comparison: The 9/11 attacks DID force a nation into an actual, real war (two, actually, in Iraq and Afghanistan, and three if you want to count the generic "War on Terror" that was stepped up dramatically after the attack). The war in Afghanistan has become the longest in United States history, and those wars together HAVE clearly helped set in motion a series of events that will dictate the balance of power in the Middle East for a generation to come, from the deposition and removal of dictators by force to the Arab Spring to the ongoing civil war in Syria. Though there was no contiguous threat in the Middle East to rival Nazi Germany, the Middle East was and is still characterized by a number of oppressive dictatorships.

Did post-9/11 have the same economic effects for the US as the post-WWII era? No, but that's not really the effect of any particular difference between the events that precipitated WWII and the wars of the last decade. And, if anything, the post-9/11 landscape HAS seen a dramatic shift in the global balance of power, specifically in challenges to US supremacy and an internal reconsideration of how we project the power we do have.

The point to be made here, which I think backs up the whole "digital attack as next Pearl Harbor" argument, is that unconventional warfare is the new conventional warfare. We're less likely to see a direct military challenge along the lines of Pearl Harbor, and much more likely to see indirect challenges to US supremacy through digital or terrorist attacks. There are a lot of parallels to be drawn here, and you made many of them yourself.

"The 9/11 attacks DID force a nation into an actual, real war (two, actually, in Iraq and Afghanistan, and three if you want to count the generic "War on Terror" that was stepped up dramatically after the attack). "

The US was not forced into those wars. Iraq posed no threat to the US. Afghanistan posed no threat to the US. Pearl Harbour was an act of war by a nation; Japan had serious intent to dominate the Pacific and become the regional economic and military power, and was prepared to do serious damage to the US in order to achieve those aims. 9/11 was an act of terrorism by non-national actors. Iraq and Afghanistan were no threat; the US was not pushed into those wars. The US chose them.

Fine, if you want to be nit-picky about the necessity of the Iraq and Afghanistan Wars, you're more than welcome. But either way, it's abundantly clear that the 9/11 attacks precipitated both of those wars. There is simply no way the neoconservatives could have convinced Congress of the need to invade Afghanistan or Iraq without the 9/11 attacks. Pearl Harbor may have forced our hand more clearly, so to speak, but both attacks were deep provocations. You can separate out the intent of the attacks if you want to be precise--Japan's to establish military domination in the Pacific, and Al Qaeda's simply to wreak havoc, or what have you--but in broader terms each represented a physical challenge to the United States' influence over particular spheres. And besides, the point that's trying to be made here is exactly that: There may not be any more "Pearl Harbors," if you want to define Pearl Harbor as a military attack by a sovereign nation. But if you want to define "Pearl Harbors" as serious, potentially dangerous attacks against the US, they are more likely these days to be of a terroristic or digital nature. You're missing the forest through the trees, my friend.
Nit-picky about the necessity? Two countries were invaded without posing any threat to the US!

"Pearl Harbor may have forced our hand more clearly, so to speak, but both attacks were deep provocations."

What exactly was 9/11 a provocation to do? Most of the people involved were already dead, and they weren't state actors - they were private citizens. What exactly was that a provocation for the US to do?

"each represented a physical challenge to the United States' influence over particular spheres."

One represented a challenge to physically and economically dominate the Pacific for the foreseeable future. One represented a challenge to the structural integrity of some buildings in New York. The scale, effect and consequences are so fantastically different that I genuinely struggle to understand how they can be seen in principle as the same thing.

"But if you want to define "Pearl Harbors" as serious, potentially dangerous attacks against the US"

By this definition, 9/11, which was not a serious, potentially dangerous attack against the US, was not a Pearl Harbour. It was a criminal act that killed a lot of people and caused a lot of damage. It was not a serious threat to the US.

(comment deleted)
9/11 pushed the US into a war with Iraq and Afghanistan, created the climate in which things like the Patriot Act flourished and turned the US from a clear supporter of human rights into a nation whose use or non use of torture is a question of semantics. [1]

In addition my perception from outside of the US is, that since 9/11 US popular culture uses terrorists as villains in a similar manner as Nazis or Russian spies before that. (Atop of that, I have a hard time remembering a movie in which the torture of an SS member is depicted as a necessary evil.)

So I am not arguing that the twelve years 9/11 did change the world in a similar magnitude as WWII did, I am arguing that the cultural significance of 9/11 is similar to the cultural significance of Pearl Harbour. Especially considering that the US would have been drawn into WWII anyhow, while at least the Afghanistan war is a direct consequence of 9/11.

[1]https://en.wikipedia.org/wiki/Waterboarding#Classification_i....

"9/11 pushed the US into a war with Iraq and Afghanistan,"

I disagree. The US was not pushed into those wars; the US chose both those wars. Neither of those nations presented a threat to the US, and Iraq had no links to 9/11 (and Afghanistan's links were laughably circumstantial - some of the planners lived there; let's have a war!) - it was simply a convenient excuse for the US to launch into a badly thought-out war.

"Pushed" is indeed a poor choice of wording. But Bush would have had a hard time to get enough political support to invade without 9/11.
The 10-year prelude to each was similar also. The U.S. blockaded trade with Japan from about 1930 so Japan had almost run out of oil by 1941. The U.S. and allies ran a no-fly-zone over Iraq from 1991 onwards.
With somewhat different results, though. Japan blockade - Japan starts a war to secure the natural resources it needs. Iraq blockade - Iraq poses no threat and gets invaded anyway.
>Chinese hackers have more power than the CIA, KGB and Gestapo combined, and nothing short of WWIII can slow them down.

A bit over the top? You really aren't suggesting a start to WWIII over a couple of nytimes articles right?

> Companies have lost as much as a billion dollars in ip in a single night.

I guess the Chinese should know a thing or two about failing to keep ownership of "intellectual property" and the dangers associated on relying only on IP alone. I took this from here http://en.wikipedia.org/wiki/Silk_Road#Roman_Empire:

> Byzantine historian Procopius stated that two Christian monks eventually uncovered the way of how silk was made. From this revelation spies were sent to steal the silkworm eggs, resulting in silk production in the Mediterranean.[18]

Fwiw, they also had their tea monopoly stolen by the British in the 1800s [1].

Additionally, the US turned a blind eye to its own theft of Europe's IP in the 1800s and early 1900s as we were developing.

Not that we shouldn't defend against it when used against us, but it seems par for the course for developing nations to catch up this way.

[1]: http://en.wikipedia.org/wiki/Tea#Origin_and_history

Step #1 to protect your private data - Have a separate computer, Ubuntu (or some secure OS) installed and disconnect it from the internet permanently. If you want to access any data, just go use the computer and save the data then and there. If you want to transfer data from this computer to another computer, just use a separate encrypted pen drive to transfer between files securely.

If you don't want to use it, just turn it off. I'd love to see how the Chinese/Russian hackers can hack such a machine, unless they have physical access to them.

But what is a gigacorp to do? Make all their employees never use Windows/email/internet again during work hours, and run around the office building carrying USBs?

Also, how can you be sure that Ubuntu is secure? It seems to me that there is a general problem with all *NIX systems with regards of how they (mis)manage permissions (either file permissions or OS permissions), and I'm very sad that not even the newly-developed OSes (Android) have not fixed that!

How does Unix mismanage file permissions?

User, group, other and read, write execute has been around for decades. You won't find a simpler, more understandable system for file permissions. There are many more complex systems added on top of this, but the basics are simple and easy to manage.

All permissions are inherited by all user's processes, with no better granularity possible. That is a recipe for disaster and the core issue with most of our security problems. Android is a bit better, since it has specific permissions on a per-process level (or so it looks like), but you can't really manage them.
Didn't stuxnet spread itself to air gaped machines through USB sticks?
From a US perspective, foreign hackers are a threat--but I think mostly to companies and to individual cases of identity theft.

I'd argue that a government spying on its own citizens is a much greater threat. If a Chinese hacker steals your identity, maybe you're out some (possibly significant) amount of money, and a lot of hassle. Your physical well-being is typically not threatened.

If, however, the government reads through your email, listens in to your Skype calls, and then decides that you've committed some crime (and by virtue of living day-to-day in our hyper-criminalized society, almost all of us are guilty of some crime these days), you can be harrassed physically, legally, and financially for what might be the rest of your life by our crushing-revenge-driven legal system--you might even be imprisoned.

Chinese hackers can't imprison you, or sue you until you choose to exit early. So from a regular person's perspective, we should be way more worried about what's going on at home.

Chinese hackers can be beaten. The reason they are so successful right now is that the average level of computer and network and security competence in the world is extremely low.

In corporate America, the average employee is not sophisticated enough to resist spearfishing, which is how the vast majority of Chinese intrusions begin. But if the IT dept puts in place technologies or restrictions to protect against spearfishing (like quarantined browsers or blocking attachments), the average employees complain bitterly about the impact on their habits. And they don't like training. When management sides with employees, well-known security holes are left open.

Even upgrading operating systems, which is one of the most effective tools against intrusions, is met with fear and anger at many organizations.

Even without those front-line defenses, it is possible to find, stop, and eject the Chinese from corporate networks...but it is extremely time consuming and expensive to do so. Although they would never admit it, it's likely that many corporations make the calculation of "how much" intrusion they are willing to fight, and tacitly permit the rest. What they really want is not to stop the Chinese "at all costs", but to stop the Chinese for a given cost.

> Chinese hackers can be beaten. The reason they are so successful right now is that the average level of computer and network and security competence in the world is extremely low.

I bet they're constantly having laughs at our expense. They must think of the US as a bunch of flubby overrated dimwits.

Meanwhile... Touchscreens and centralized tabulators weren't nearly unreliable and insecure enough. The new thing is internet voting, meaning casting ballots via email. What could possibly go wrong?

The motivator is the election vendors are pushing for a per-registered-voter fee business model. Election integrity be damned.

By DAVID E. SANGER, DAVID BARBOZA and NICOLE PERLROTH

I hope you have no dirty laundry in your e-mail accounts, the Chinese military is probably reading them right now.

Lit it or not, what the Chinese are doing is pretty smart, let' face it. Countries launch (ed) wars to get what they want, the Chinese get it the easy way.

Time for some technically literate people in Washington and some patriotic hackers.
NY Times is just making bullshit...
>> NY Times is just making bullshit...

50 cent army? :-)

Timing of this news is interesting, for the lack of a better word in describing it. This article is published the same week as CISPA comes back.

The news on Chinese cyber attacks to the US can help give a boost in public support to these laws, giving them valid reasoning to give away our online privacy.

"In vague to non-existent evidence, Gray Lady hacks see absolute proof of what their government handlers want you to believe". Word must have come down from the White House to start pushing the "Cold War with China" kick.
I wonder if the New York Times and other high profile News papers could be more easy on such allegations. This only improves the Cold War atmosphere some political analysts predict since years.

It is also naive to assume that there is a G8 nation without a cyber warfare unit in the Army. Or to assume that other nations don't do covert operations.

FUD has finally arrived in the mainstream.