Ask HN: Why isn't the GitHub attack being covered by the news?

158 points by blamarvt ↗ HN
Why is this not in the mainstream news? Even if it's not the Chinese government directly it's a group with significant power inside China -- so why isn't this being considered a foreign attack on a US company?

103 comments

[ 2.9 ms ] story [ 183 ms ] thread
Well maybe no one at Github is allowed to contact local news sources, and if they can't get a quote or information from a reliable source at the company they won't run the story I guess?
(comment deleted)
What percentage of the medias audience cares about GitHub?
Because no one cares about GitHub. If it was Facebook...
I wonder if you created a page on FB for GreatFire and promoted it what would FB do? I imagine they are too big to be successfully DDOS'd but I would think they could kiss China goodbye forever. So I imagine they would simply ban it.
After a quick google search, it looks like last year they were brought down temporarily from what might have been a ddos.

http://techcrunch.com/2014/06/21/heres-video-of-the-cyber-at...

I've heard that the outage was a screw-up by a junior programmer that was accidentally given too much access to the system by his/her supervisor. Apparently a bad configuration was applied to their servers. This seems to match up with the official Facebook announcement linked in that article.
how hard would it be for someone to do this attack to facebook? I'm guessing Facebook has already faced this kind of attack and designed its systems to be resilient to it.
DDoS attacks and similar things are of very little significance to people who don't understand what they are. In their minds, all the damage is on virtual space and nothing is real. And they're somehow sure that all the damage done will be fixed soon.
Additionally a lot of non-tech people don't understand the cost implications of a DDoS.

If companies really want the media to get on board then create a figure for how many $/hour you're losing. Heck make a widget which counts upwards (e.g. we've lost $25,000 due to this DDoS since the start).

The downside is it might just encourage the DDoS-ers, the upside is the media might take it seriously.

I'm not sure anyone understands the cost implications of a DDoS, particularly one on a third-party service. Even if you absolutely need to make a change to something that has to be done by more than one collaborator and has to be deployed via github and it has to be patched right now and there's really no other way, how do you go about estimating the losses anyway? You can't just assume that whatever average income you would have collected over the last 72 hours has been lost forever.

Is anyone out there even attempting to estimate how much revenue they've lost as a result of this DDoS?

I'm sure a lot of companies have backup plans in place, for instance, Bitbucket repo clones or an internal copy
Wouldn't such news coverage only worsen the problem? After all, the attackers would receive a kind of confirmation of their goals.
The same can be said for a wide range of criminal activities covered by the news.
In this case the attack is motivated by desire to suppress knowledge of a project hosted on Github, publicity is what they fear most...

Now to get back to the OPs question:

1. Mainstream media might have too much to lose if they criticize China, just like in many countries where property bubbles burst the mainstream media suppressed any mention of bubble forming since they were making out like bandits from advertising property, could be something similar happening here.

2. The story is a non-story outside nerd circles, now if Facebook or Twitter was being DDOSed your sure would hear about it since journalists do care about these sites.

Only if github actually stopped hosting the attacked repositories. Otherwise it would be more of a Streisand effect, raising awareness of the workings of the great firewall and that there are effective tools that circumvent the filtering. The wider the attack is covered in the news the harder it is for censors to stop the flow of that particular information.
The tech press should be covering it.

As should the net-based political press.

Never mind what "most people" care about -- this is news.

The "tech" press is pretty much buzzfeed-ish these days.
Some of the tech press is covering it.

Gizmodo, slashdot, the register.

WashPo also had a blog, as did a few other non-tech sites.

The reason they don't show as Github specifically is because it is reported as "Anti-censorship group is under DDOS"

Perhaps because non-programmers (aka civilians) don't know what GitHub is, and it's difficult to explain.

Perhaps it's interesting to reframe in a language that affect most people:

"Linux development halted by ciberattack!!!"

That's not completely true and too linkbaity, especially with the three bang sings. Is there another huge mainstream project hosted there?

Another linkbait:

"Hackers break hackers site!!!"

Not so appealing to most people, but you can exploit curiosity. Also, you'll get a lot of complains about the incorrect use of the word "hackers" in both positions.

How about: "China Attacks US Rails System!!!"

Github still runs on Ruby on Rails, right?

Linux has a mirror on GitHub but they don’t use it for development.
Billion dollar US company under attack by Chinese!
You could namedrop Facebook, Google and Microsoft without too much exaggeration.
"Critical US Cyber-infrastructure under attack"
While it may be difficult to explain to civilians what Github is, the issues of any government overreach into the Internet domain are easy to understand. For instance, a state does not like particular content on the Internet. It wants to force a company to get rid of it by attempting to hamper the company's service. Google's clash in China over censorship has been wildly covered by the media.
(comment deleted)
"Who the Chinese hackers targeted this time might surprise you!"

"Massive blow to computer hobbyists as the Chinese government brings down their community website!"

Here's how to make this news interesting to the mainstream:

"Chinese hackers cost US economy $100,000 / h"

Well, replace random accusations and numbers by facts of course, but that's a valid question: How many employees can currently not to any meaningful work because they don't have access to what they're supposed to work on? This times salaries spent on them anyway is a good lower bound for the damage done to the economy (actual damage should be higher since employees should of course add more value to the economy than their salary).

I do all my work via Github and honestly haven't noticed a single burp in the service. Is anyone other than Github employees who have to deal with this even affected?
I've had troubles with the web interface and with pushing/pulling on and off since Friday
I pushed around 5-6 times and it failed only once.
I had issues pushing with an application key that was not being recognized.

Now I don't know if this was directly related, but the timing raises an eyebrow.

Github pages is pretty sluggish right now. Github's actual Web interface is much slower than, say, pushing and pulling.
I could not work for a few hours yesterday. push/pull/rebase was not working for me.
Due to git's distributed nature, there should be very few people who are not able to work on their code.

Also, it's Sunday, so very few employees are expected to be working today.

That would be true if enterprises had their own local git repositories, and if employees pushed against those local git repositories. But this is not what happens, when enterprises use github, employees directly push to github.

Continuous integration tools directly pull from github.

When github is down, all exchange of patches between employes essentially halts, as does continuous integration and testing.

Of course, this is not the fault of git.

This is the fault of people keeping using centralized servers, instead of setting up and using their own local servers.

The same goes for email (gmail anybody? Really???)

The Internet is meant to be a decentralized, peer-to-peer, meshed network. Not a centralized, star network!!!

In a pinch, you can always pull from a coworker's local repository.
You can just pull from someone's local copy, a git checkout is just like a remote (bare) repository that happens to have a tree.
If you're an enterprise you're using github's on-premise appliance and aren't affected at all.
> Due to git's distributed nature, there should be very few people who are not able to work on their code.

Oh the irony! Actually I bet many developers are sitting on their hands when they can't access github.

I don't want to dump on github. It has been a great driver of open-source software. But by making itself a single-point-of-... so much, it kind of defeats the purpose of git sometimes.

Ideally we'd be able to download not just the repo but all the meta-info; issues, comments, pull requests, etc.

> Well, replace random accusations and numbers by facts of course

What mainstream news do you read?

New York Times, Washington Post, The Guardian, San Francisco Chronicle, and many others.

I'm sick of this mentality that old-media news is all evil. Fox News and MSNBC are not the industry.

Disclaimer: I do not work in journalism.

They're not evil, well some of them are, but more like lazy when it comes to fact gathering/checking.
I can almost guarantee that most of those outlets have more stringent policies regarding fact-checking and quotation than the "average" internet source.
"Lazy" might not be the right word...all of the tech journalists I have personally interacted with seemed to be pretty good at their craft overall and actually cared about what they wrote. However, this doesn't change the fact that almost all media companies and their journalists are woefully inept at fact-checking or writing stories concerning information security, including DDoS attacks.
That's one specific (and extremely counter-intuitive and complicated) area where reporters probably have weak domain knowledge. It's somewhat unfair to extend that criticism to every other part of human existence that journalists report on.
What are your thoughts on Al Jazeera America? I've been liking them as my replacement lately, but there seems to be some hate floating around for their main(?) brand Al Jazeera
I don't follow Al Jazeera America personally (I think they are mostly focused on TV?) but I know there are a lot of parallels to RT.

It's not blind "hate" for Al Jeezera as much as concerns that the parent organization is owned by the rulers of Qatar.

I've heard that their reporting is fairly good, so long as you don't look to them as a source of truth about matters regarding Qatar.
I agree that monetary loss is a big motivator, however I am still curious (US citizen) as to the political implications of doing nothing as a nation when companies are quite obviously being attack by foreign governments. Normally these kind of attacks are much less obviously perpetrated by nation-states.
quite obviously being attack by foreign governments

Nothing is "obvious".

For all we know this could be a bored teenager sitting in his basement in New York, Paris, Tokyo or Moscow.

It could also be a false flag operation by the NSA, to massage the western adolescent nerd's mindset into quietly accepting their next round of mass surveillance ("Must protect from the evil chinese!").

The Chinese openly attacking GitHub is the least plausible scenario, unless you think they are stupid.

At least they are keeping the attack going...

At least as guilty, imho.

How do you know what "they" do or not do?

And who is "they"? Baidu? The Chinese Government? The great firewall administrator himself?

http://insight-labs.org/?p=1682

Sorry but how would a bored teenager somewhere have control over injecting attacks in traffic passing through the "Great Firewall of China". This really doesn't seem like a typical attack to me but you are right in that I should not be claiming this an obvious attack by a nation-state without the facts.

how would a bored teenager somewhere have control over injecting attacks in traffic passing through the "Great Firewall of China

The same way a 15yr old once took out Yahoo, CNN, eBay, Dell and Amazon: Dedication.

Perhaps it's even a Chinese activist, looking to draw attention to the firewall or to spark a little diplomatic quarrel with the US?

Come Monday, here's what you'll get: "GitHub attack shows the dangers of relying on cloud." Or "Government software to protect children from Phil Robertson held hostage to attacks on a popular cloud service. This demonstrates the dangers of cloud. How can we be protected from the cyber criminals and pedophiles in their clouds? Here is are usual panel of people who didn't quite rate their own panel show. None of them know anything about computers, really and at least one uses their iPhone to prop up the short leg of their kitchen table. Panel, what do you think?"

"It's Obama's fault."

"It's the republicans."

"I make pee pee."

Do we have any indication how big the attack is? If the attack volume isn't very big, this isn't news.
What is the attack? Who is effected? How much is the impact? When did it start? Why is it being done? Answer those questions, create a blog post, and send a link to that post to your local news, the national news and any outlet focused on nationalism since it is China - think right wing political sites. Make the job easy and this will get more coverage.
So if I want a news outlet to pay more attention to a particular issue, the solution is to do the reporting myself and serve it up to them on a silver platter? Maybe that's true, but it hardly seems practical in general, nor does it answer the OP's question...
>So if I want a news outlet to pay more attention to a particular issue the solution is to do the reporting myself

Yes. Why not? People complain about it not being in the "mainstream" news, but then say, "well, that's someone else's problem to deal with".

The very basics I learned in ... grade school, in flyover county in the early '70s. As Wikipedia renders it, https://en.wikipedia.org/wiki/Five_Ws

Although I'll note that it's just now getting to be a big enough story for this, i.e. how long it's gone on and how clear it's become that it is a state action.

DDoS attacks are very common. Every large web based company will deal with an attack on this vector sooner or later and more than once. I think itwould be an issue if we started considering every single instance as a foreign attack.

It seems to me like you trying to make a parallel to the Sony hacking. These two instances are very different. The Sony hackers used a much more diverse toolset to inflict damage on a number of different vectors.

All I'm trying to say is that this DDoS is pretty obviously being perpetrated by the PRC. Regardless of the attack vector, isn't this an important global political issue? Most attacks are carried out by fringe groups, and while I'm sure governments carry out attacks like this all the time... normally they aren't so obvious.
I think it would be relatively easy to obfuscate the origin of a DDoS attack. Consider how easy it is to even spoof IP and MAC addresses. Now consider that a typical attack of this scale is most likely utilizing a botnet. It's pretty clear that much of the 'evidence' used in placing blame for attacks is just unreliable.
Because it's totally irrelevant to someone who is not directly related, not to just programming but Github.

I'd like to ask back some questions:

1) What makes you think it's a worthy topic?

2) What makes you think China or any powerful group - not sure in what terms this group is supposed to be powerful - has anything to do with it?

There's a Lack of relevance outside our filterbubble.
>Why is this not in the mainstream news?

HackerNews, Reddit, Twitter, and Facebook aren't mainstream? I beg to differ.

If this event was reported on any other media, I'd have no idea that it was occurring.

(comment deleted)
(comment deleted)
It's a developer oriented site. Why would a non-developer care that it's down? The main outlets want the attention of the majority - so we don't get alerts when HN, Github, etc go down or get attacked but we do when Facebook drops for 15 minutes
If there was an attack on the distribution network of American manufacturer would it matter what they produce? The precedent set by doing nothing politically here is pretty scary to me!

(Of course, political conversations could be going on but not publicized.)

That's a very different scenario than what's actually happening, and it's very interesting that you jump to "American company, defend it!" instead of pointing out that it's a valuable tool worldwide.
I've had a fair number of press people contact me about this. I think the issue is: github isn't a consumer service, and the attack is novel enough, that explaining it requires explaining several things at the same time. Adding In the gfw/China aspect makes it even more confusing.

This is the kind of story where a tech individual should probably do a compressive blog post which gets syndicated, rather than relying on journalists. I can understand why no one at Baidu, GitHub, or Fastly is doing this, though.

The mainstream press also has an interest in operating on the ground in China. Promoting the attack on Github as newsworthy has some potential for making that work on the ground more difficult or impossible. It's as simple as a business decision that reflects the greater profit tweets about presidential contenders as the subject of journalism.
"Why is this not in the mainstream news? "

Ironically, you realize of course that if something is mainstream news (or any news at all) then that's a trophy that creates a greater likelihood of future copycat events happening. Notoriety is certainly part of the buzz of doing something like this.

How about this title: China suck the Internet since March 27th !!!
The mainstream media no longer exists. It's all a level playing field on the Internet.

The bigger question is where do you get your news? If it's here, guess what, it's the #1 story.

If you follow entertainment news sources, like CBS, NBC, etc, what do you expect? They are more interested in production of entertainment.

I'm sure it will be. Give them a minute. After all, I bet there are plenty of media folks reading this thread. And plenty of media orgs use GitHub themselves.
Because, simply, the ability for the Technorati to push and pull code from a website does not an act-of-war make, no matter how you and I may view it.

It seems almost certain, however, that in the coming week, this story will be told in the "mainstream news" (I don't really know what that is anymore tho, TBH)

I am sure, when things shake out, the attacks will be used in some political-posturing kind of way and by some politician who will judiciously use it to drum up support among an interested group.