
China's Cyber-Warfare Capabilities Overstated

Soulskill posted more than 2 years ago | from the but-aren't-we-supposed-to-be-afraid dept.

China 140

An anonymous reader writes "A new paper argues that China's cyber-warfare capability is actually pretty poor. '[China has] evinced little proficiency with more sophisticated hacking techniques. The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that China's cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data,' the paper reads (PDF). 'They would be unable to systematically cripple selected command and control, air defense and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks.'"


Yeah (2)

fragfoo (2018548) | more than 2 years ago | (#37913194)

Thats what they want you to think.

Re:Yeah (1)

notgm (1069012) | more than 2 years ago | (#37913210)

no, *that's* what they want you to think.

Re:Yeah (1)

SharkLaser (2495316) | more than 2 years ago | (#37913352)

No, US wants people to think China is some powerful enemy and that cyberwar is constant threat. This enables them to pass new more powerful laws, keeps citizens in constant fear and allows US to use things like Stuxnet against Iran.

Re:Yeah (2)

ackthpt (218170) | more than 2 years ago | (#37913534)

No, US wants people to think China is some powerful enemy and that cyberwar is constant threat. This enables them to pass new more powerful laws, keeps citizens in constant fear and allows US to use things like Stuxnet against Iran.

All US has to do is shut off a range of IP addresses from Mainland China - that would pretty much stop it. Drastic, yes, but perhaps the day will come. The US Government threatens some IP addresses in Russia, from time to time, so they certainly have dictated to those who route traffic they had best have some controls and a switch for Washington to flip if and when it wants to. Can't say I'd find the concept hard to believe.

It's actually all coming from an attempt by Elma Sniddle to hack a C64 ...

Re:Yeah (1)

SharkLaser (2495316) | more than 2 years ago | (#37913574)

Yes, because Chinese army is obviously attacking from their own IP addresses.

Re:Yeah (0)

Synerg1y (2169962) | more than 2 years ago | (#37913770)

Yes, because obviously you can connect to international IPs from your country over air when your trunk gets bombed for being a fag nation.

Re:Yeah (2)

RenderSeven (938535) | more than 2 years ago | (#37913910)

But, actually, they do. Don't know if they're naive or overconfident or just don't give a shit, but when I look at attacks on my firewall on a given day the source IPs all trace back to China. Maybe a couple from Korea or Eastern Europe, but 95% of the stuff I see is from China. Maybe it's haxorz in Iowa using compromised servers in Beijing but... well, no, it's not. It's China attacking from their own IP addresses.

Re:Yeah (1)

Anonymous Coward | more than 2 years ago | (#37914078)

China has a high software piracy rate, many systems are still running Windows XP, some without any service packs. They also have fairly large pipes that provide quicker scanning from an attacker's perspective. Couple this with the fact that the compromised box is in China, and I doubt the authorities would release any sort of connection logs to the USA, or other nations. It's pretty plausible the attackers are not actually even in China - just using a compromised box there.

Re:Yeah (1)

Anonymous Coward | more than 2 years ago | (#37914570)

You're painting a scene of isolated/unrelated computers around China being hapless members of some great botnet out of reach of Chinese authorities, yet most of these attacks are traced to Chinese universities, and you can be sure those universities are running firewalls and running secured operating systems more often than the general public.

I question your veracity and motivation.

Re:Yeah (0)

Anonymous Coward | more than 2 years ago | (#37914540)

Yes, thank you. To believe otherwise you'd have to believe that Chinese government who owns the most sophisticated firewall in the world and has a lockdown on internal affairs somehow has completely porous network borders and has owned servers all over the place command and controlled from outside their borders. Nope, this stuff is all coming from mainland. Nobody wipes their ass in that country without the consent of the totalitarian government, so this is tacitly approved of or sponsored by the government without direct ties to allow them plausible deniability.

Re:Yeah (0)

Anonymous Coward | more than 2 years ago | (#37914542)

I wonder if you are trying to be funny.

Re:Yeah (1)

SharkLaser (2495316) | more than 2 years ago | (#37914592)

Yeah.. a hacker who wants to hide his tracks would NEVER choose China! It's much better to proxy via country that actually will investigate you!

Re:Yeah (1)

fragfoo (2018548) | more than 2 years ago | (#37913626)

Got to love guys correcting missing apostrophes but don't care to start phrases with a capital letter.

Re:Yeah (1)

Synerg1y (2169962) | more than 2 years ago | (#37913780)

You can tell that to the Chinese when they invade.

Re:Yeah (1)

TheCouchPotatoFamine (628797) | more than 2 years ago | (#37914036)

whargharrrbal-delight!

Re:Yeah (0)

Anonymous Coward | more than 2 years ago | (#37913912)

I would have used sentence instead of phrase, as I thought a phrase is a part of a sentence.
(sticks_out_tongue)

Re:Yeah (0)

Anonymous Coward | more than 2 years ago | (#37913222)

Google doesn't think so, either.

Re:Yeah (0)

Anonymous Coward | more than 2 years ago | (#37914638)

There was a story on slashdot just the other day, about how the Chinese hacked in to satellite ground control stations and took over control of the satellites, sometimes even undetected.

http://tech.slashdot.org/story/11/10/27/1633233/hackers-briefly-controlled-us-government-satellites

I disagree... Sort of (0)

Anonymous Coward | more than 2 years ago | (#37914944)

I'd put the US and Israeli hackers up against anyone. But the fact is that most security in the US is non-existent to pathetic, and it would not be difficult to create enough havoc to disrupt military operations while a sneak attack was launched.

Stop using term cyber (0)

h4rr4r (612664) | more than 2 years ago | (#37913206)

Can we all just agree not to use the word "Cyber" anymore? It sounds like some sort of silly late 80s early 90s grade B film.

Re:Stop using term cyber (1)

oodaloop (1229816) | more than 2 years ago | (#37913224)

Agreed. What is your proposed alternative?

Re:Stop using term cyber (0)

Anonymous Coward | more than 2 years ago | (#37913266)

"Techno"

Re:Stop using term cyber (1)

jd (1658) | more than 2 years ago | (#37913860)

That's only OK if China's national anthem is "Close to the Edit".

Re:Stop using term cyber (1)

h4rr4r (612664) | more than 2 years ago | (#37913308)

Online, electronic, internet, or lots of other normal words that can already describe these sort of things. No new alternative is needed.

Re:Stop using term cyber (2)

SharkLaser (2495316) | more than 2 years ago | (#37913374)

Online sex.. hm, no please.
Electronic sex.. hm, it could be kinky, but no thanks.
Internet sex.. well that's just boring.

Now cybersex. That's something, and it's kinky too!

Re:Stop using term cyber (1)

alamandrax (692121) | more than 2 years ago | (#37914032)

How about Technosex?

Re:Stop using term cyber (1)

oodaloop (1229816) | more than 2 years ago | (#37913438)

All of which have prior meanings.

"Online warfare" - Would that include stuxnet, which attacked stand alone systems and needed to be airgapped over?

"Electronic warfare" - Lots of prior art here. This includes stuff like radar jamming. Oh, and my calculator, thermostat, and car navigation system are electronic. Are they now in this war?

"Internet warfare" - What is that, World of Warcraft? Flame wars?

Changing a name in midstream, so to speak, would add to the confusion for most people, not decrease it. Whereas you propose abandoning a word commonly used for decades because it reminds you of "late 80s early 90s grade B films". Maybe you could just get over it instead.

Re:Stop using term cyber (0)

Anonymous Coward | more than 2 years ago | (#37913346)

Qwikster.

Re:Stop using term cyber (1)

CyberBill (526285) | more than 2 years ago | (#37913226)

awwwww...

Re:Stop using term cyber (1)

Aighearach (97333) | more than 2 years ago | (#37913746)

I'll agree to give it up as an adjective, but the verb is here to stay.

Would you rather? (3, Interesting)

SniperJoe (1984152) | more than 2 years ago | (#37913214)

Personally, I'd rather we far overstated China's abilities and designed our systems to counter such a threat.

Would you rather overestimate their abilities or underestimate them?

Re:Would you rather? (3, Insightful)

Fluffeh (1273756) | more than 2 years ago | (#37913532)

I wouldn't be so sure that it is the case. Given my experience with a few large scale projects, the ineptitude of middle managers and a summary of what was provided as a solution for what price, I would worry about how much it would end up costing a government to make systems "impregnable". While I could well be wrong, but I wouldn't at all be surprised if the final cost of such an undertaking ended up being simply astronomical.

If you worry too much about your neighbour getting too much advantage in manufacturing, stop buying ALL their stuff and stop sending your designs to be made there then sold back to your own country. It's not an easy fix, it's not a short term fix, but if a country doesn't have markets for anything and everything they sell, they won't be raking in all that much money - meaning that you can once again sit unfettered on the top of the SuperPower steps.

Re:Would you rather? (2)

vux984 (928602) | more than 2 years ago | (#37913740)

Personally, I'd rather we far overstated China's abilities and designed our systems to counter such a threat.

So, like terrorism, then?

Do you really want the TSA administering network security as well?

Re:Would you rather? (1)

Bucky24 (1943328) | more than 2 years ago | (#37914116)

Well they'd probably just set up some sort of privacy invasive scanner to scan every packet you send to make sure the packet isn't carrying questionable material.... Wait a minute don't certain ISPs do this already?

Re:Would you rather? (1)

vux984 (928602) | more than 2 years ago | (#37914762)

That's just the start.

I mean, consider that you aren't allowed to board a plane with dangerous objects like nail clippers or a can of sprite.

Do you really think they'd allow you to connect a personal computer that they didn't completely control to any network in their jurisdiction?

Good God man, you can't just attach your laptop to the internet... you could be the pawn of a chinese hacker group and that laptop could be full of attack tools. Better not chance it. You aren't allowed on the network.

Re:Would you rather? (1)

Bucky24 (1943328) | more than 2 years ago | (#37914820)

Haha that's funny you'd say that.... I actually got on a plane with nail clippers a few months ago (I forgot they were in my carry-on). TSA agent took my shampoo... my toothpaste (I also forgot about the "no liquids" thing. Apparently toothPASTE is a liquid). But they left my nail clippers... I mean if I had a mind to I could have busted those babies out on the plane and... Cut some serious nails I guess?

Perhaps the Mig-25 is a better comparison (1)

perpenso (1613749) | more than 2 years ago | (#37914848)

I get your point but I'd prefer to compare it to the overestimation of the Mig-25's capabilities. This seems more appropriate since it offers a comparable state vs state situation. So the Mig-25 is overestimated, the F-15 is designed to handle this "threat", and the F-15 go on to have a kill/loss ratio of 104:0. It seems there is something to be said for overestimating a potential foe.

Re:Would you rather? (1)

Synerg1y (2169962) | more than 2 years ago | (#37913792)

I'm sure the states have a plan to disable china's internet access physically, no system is impenetrable.

Re:Would you rather? (2)

jd (1658) | more than 2 years ago | (#37914424)

It depends on whether it's done for action or voter consumption. For the former, I'd far prefer it to be overestimated and dealt with. However, I despair of DHS or DoD actually being capable of countering anything more threatening than house flies.

For voter consumption, I'd far prefer there to be no estimate at all. The use of estimates to manipulate the population is very Humphrey Appleby. It is Psych Ops against the population the government is sworn to protect and serve, regardless of which way it is done. Even if it were 100% accurate, it would STILL be a Psych Ops attack against the populace.

I see nothing wrong with the government supplying useful information (eg: pressure companies to use OpenBSD or a hardened Linux for appliances and embedded systems, not Windows under any circumstance; don't use randomly-discarded USB thumb drives in nuclear reactors; keep confidential information offline or strongly encrypted). I also don't see anything wrong with the government being required to report large-scale DDoS attacks, so long as attribution of the attacks is provable and verifiable by some independent body (even if not by the public) and where it is either not provable or not verifiable, no attribution is given no matter how politically tempting.

I also see nothing wrong with the government actually taking cybersecurity seriously and mandating a rolling minimum standard of security for corporations. The main objection to minimum standards is that they are static and thus obsolete. So don't define it statically or in terms of specific technologies or specific threats. It's entirely possible to say that an incident involving any given compromised system will affect X number of people, given a total of Y people, by Z amount. You then mandate that companies cannot permit either X*Z or (X/Y)*Z to exceed certain totals for any given year. Compromises below those totals are fined at a modest rate but enough to create impetus to improve, compromises above those totals are fined to apocalyptic proportions. Let the companies take care of how to go about this.

You can also specify rolling standards in other ways. Instead of stating the number of bits in an encryption key, specify that operations critical to the security of the infrastructure and economy must be either FIPS-compliant OR use encryption classified as "minimal risk" (no known weaknesses, not subject to brute force attacks with available technology, that sort of thing) within some sensible window of time. Six months sound reasonable from the time of a security announcement of a potential hazard to the end of testing and full roll-out of replacement systems in mission-critical systems? Too long and you will be attacked. Too short and the consequences of a mistake will be worse than an attack.

In the case of systems where encryption is too difficult - for example, in automotive systems which currently use Ethernet for cabling between modules and which are starting to support wireless systems control - then specify things in terms of authentication and authority, under the same relative measure. (eg: A car should be X% certain, given known cyberthreats at the time of last maintenance, that it is the authorized user who is turning off the ignition or slamming on the brakes, where X is some well-published value that vendors and cybersecurity experts jointly agree is acceptable in terms of cost per unit mitigation). If a car isn't maintained for a year, then the vendor should be liable for any excessive exposure to risk known about at that time but not for risks discovered after then. Because there's no specific threat stated, only the permissible relative risk, no update is needed.

(We expect the same in other industries. We care if an airline took reasonable precautions in last maintenance to ensure everything was OK, we care that the regulations ensure that critical components are tested thoroughly enough, but do we care that much as to whether the regulations specified BY NAME every nut and bolt? Should we, or should we be entitled to regulations that would be just as valid no matter what the specifics were? If it's possible to describe maximum permissible threat and minimum permissible precaution in the abstract, then surely we'd actually WANT all industries to freely choose how those limits were met provided they could prove to auditors and experts as needed that they were indeed doing so.)

Re:Would you rather? (0)

Anonymous Coward | more than 2 years ago | (#37914650)

How about accurately estimate them?

ITS ONE

NO ITS THE OTHER!

NO ITS ONE

NO ITS THE OTHER!

when actually, it is neither.

AC's Cyber-First Posting Capabilities Understated (-1, Troll)

Anonymous Coward | more than 2 years ago | (#37913216)

An anonymous cocksmoker writes

"A new paper argues that AC's cyber-first posting capability is actually pretty fucking solid. '[AC has] evinced major proficiency with more sophisticated hacking techniques. The lubrication and Trojan condoms they have used have been fairly easy to detect and remove before any jacking has been done or fluids swapped. There is ample evidence that AC's cyber-frosters can penetrate highly secure networks and covertly obtain Frostius Postius,' the paper reads (PDF). 'They would be able to systematically cripple selected command and control, air defense and intelligence networks and databases of advanced adversaries by continually first posting them into oblivion."

No Evidence (4, Insightful)

jeff4747 (256583) | more than 2 years ago | (#37913230)

There is no evidence that China's cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data,'

Because governments love to publicize when someone breaks into their highly secure networks. Every day, the spokespeople for various government agencies get to work and say to themselves, "Boy, I really wish I could announce that our networks have been hacked! That would really make my day!!". The leaders of said agencies go to sleep every night wishing that they could spend tomorrow being grilled by a legislative body over their swiss-cheese network defenses. But alas, tomorrow just brings another boring day of budget meetings.

Or just maybe they don't talk about it.

Re:No Evidence (0)

Anonymous Coward | more than 2 years ago | (#37913716)

How will I get a raise and prove my agency is necessary and deserves more funding?

Tiger Trapped --- Not!!! (1)

sgt_doom (655561) | more than 2 years ago | (#37914602)

You should read the shill, David Wise's book, Tiger Trap, where he inverts everything and when one views the situation without Wise's assumptions, it becomes evident that it supports what Sibel Edmonds said about a secret weapons-selling network within the government (not to mention that his book was rife with errors: pay close attention to pp. 101, 106, 107, and p. 88). Although it's been long obvious to many that the FBI has been completely compromised, both the Wall Street and the Chinese Ministry of State Security.

evidence of something covert is contradictory (1)

MichaelKristopeit501 (2018074) | more than 2 years ago | (#37913274)

if such evidence existed, then the actions were not truly covert.

truisms are true.

slashdot = stagnated.

There is plenty of proof (2)

strobe74 (617588) | more than 2 years ago | (#37913282)

Look at their stealth bomber and their stealth fighter.. look familiar? You might think to yourself "hmm.. their stealth bomber looks nearly identical to ours.. and hey!! so does their stealth fighter!" And they just magic'd them out of nowhere. No decades of research.. no skunk-works or area 51 for testing.. just POOF.. a few years after we come up with them and BAM.. China has nearly identical copies. Just a coincidence I'm sure.

looks like top gun! buzz the tower!! (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37913340)

looks like top gun! buzz the tower!!

Re:There is plenty of proof (2)

Thruen (753567) | more than 2 years ago | (#37913376)

Actually... This article [telegraph.co.uk] seems to suggest the Chinese aren't hacking to steal our secrets. I'd find it amusing if they were just repeatedly making silly half-hearted attempts at breaking into our systems just to throw us off the trail of the real problem: people who've lost faith in their country. Well, that and greed. Probably mostly greed. Still, not the TECHNO-warriors of China.... that does sound better.

Re:There is plenty of proof (1)

h4rr4r (612664) | more than 2 years ago | (#37913390)

What stealth bomber?
Links?
As far as I can tell they don't have one, and only some internet rumors claimed they did.

Re:There is plenty of proof (2, Funny)

Anonymous Coward | more than 2 years ago | (#37913696)

That's because it's invisible, duh!

Re:There is plenty of proof (1)

cyfer2000 (548592) | more than 2 years ago | (#37914740)

http://www.youtube.com/watch?v=MuyrsdmTqvY [youtube.com] http://www.youtube.com/watch?v=V9rvBLxGs-8 [youtube.com] http://www.youtube.com/watch?v=WM7Tka5ir70&feature=related [youtube.com]

BTW, the first flight of YF22/YF23 was in 1990, 7 years before the birth of /., the first flight of this J20 is 2011, that's 21 years, not "a few years" as in the GP. And F117 was publicly revealed in 1988 ...

Re:There is plenty of proof (4, Insightful)

bmo (77928) | more than 2 years ago | (#37913444)

So you're going to fault them for taking shortcuts instead of reinventing the wheel?

That's nuts. Nobody reinvents wheels if they can get clues/technology/etc, from elsewhere. Absolutely nobody. Only idiots make stuff from scratch without referring to other technology and practices.

Come the fuck on, the industrial revolution was started in the US along the Blackstone River with "stolen" British ideas. Samuel Slater was no dummy.

What a load of crap, sir.

--
BMO

China high speed rail is a cheap copy of japan (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37913654)

without the safety
In the Japan system there is a 45-year, nearly 7 billion-passenger history, there have been no passenger fatalities due to derailments or collisions,

China system is nowhere near that.

Re:China high speed rail is a cheap copy of japan (1)

Bucky24 (1943328) | more than 2 years ago | (#37914140)

Probably because their regulatory bodies are nowhere near as complex as Japan's as far as transportation and bullet trains.

Re:There is plenty of proof (2)

strobe74 (617588) | more than 2 years ago | (#37914296)

No, I'm just refuting the statement that they're not hacking anything. It's clear they've been through a fair amount of the RnD info from most of our defense contractors already. If there's any blame to be handed out it's that our defense contractors don't take security as seriously as they should.

Re:There is plenty of proof (1)

bmo (77928) | more than 2 years ago | (#37914934)

Yeah, I'll buy that argument.

The stereotype of American companies being shortsighted is a stereotype because it's true. It's not just defense contractors.

--
BMO

Re:There is plenty of proof (1)

SCVirus (774240) | more than 2 years ago | (#37914538)

.... he was implying that perhaps 'cyberattacks' were the method by which sufficient wheel-schematics were acquired, not that it is immoral or odd that they would attempt to acquire such.

fool (1)

unity100 (970058) | more than 2 years ago | (#37913584)

the principles behind how geometric shapes deflect, refract or break the radio waves have been known since 1950s. any object made to do that, would resemble another object built to do that.

Re:fool (0)

Anonymous Coward | more than 2 years ago | (#37913680)

Exactly. Look at our stealth bomber and our stealth fighter. They look very similar. Geeze.

Re:fool (1)

strobe74 (617588) | more than 2 years ago | (#37914214)

This one..
http://www.defenceaviation.com/2007/11/xian-h-8-chinese-stealth-bomber.html [defenceaviation.com]

The fighter is called the J-20 which is nearly identical to the F-22

They look familiar don't you think?

Re:fool (1)

ColdWetDog (752185) | more than 2 years ago | (#37914314)

It may look similar but it's not likely to have the fancy internals that the F-22 has. For one thing, it lacks the thrust vectoring nozzles on the engines. That is a significant component of the aircraft's capabilities. You can copy the outside by looking at a recent copy of Aviation Week. It doesn't mean you downloaded the PCBs and code.

Re:fool (1)

strobe74 (617588) | more than 2 years ago | (#37914272)

Funny how boeing and other companies are coming out with stealth vehicles that don't look *exactly* the same as the F-22. Even the boeing plane that competed against the F-22 looked nothing like it and it was stealth. I'm not sure you know what you're talking about.

http://www.retrothing.com/2009/03/boeing-f-15se-stealth-fighter.html [retrothing.com]

Doesn't look like a duplicate of the F-22 to me.

Tradition (0)

Anonymous Coward | more than 2 years ago | (#37913870)

Making nearly identically looking copies of American products is an art the Chinese have perfected in generations.

Re:There is plenty of proof (1)

farble1670 (803356) | more than 2 years ago | (#37914082)

i have a plastic model at home that looks like the stealth bomber as well. however, if you really press me on it, i'd have to come clean and admit it doesn't fly, it's made out of plastic, and exhibits no stealth capabilities whatsoever.

Beware teh Chinese (2)

sneakyimp (1161443) | more than 2 years ago | (#37913332)

Does the summary strike anyone else as a bit xenophobic? Or perhaps a bit skewed toward occidental cultures?

Re:Beware teh Chinese (0)

Anonymous Coward | more than 2 years ago | (#37914100)

Or...

Perhaps the oldest civilization in the world (or so they claim) is stupider than a 300 year old one.

But of course, *that* would be "xenophobic" or "racist". Because everyone knows that is Imperial America's fault. That China is such a shitty country. Definitely not China's.

Re:Beware teh Chinese (0)

Anonymous Coward | more than 2 years ago | (#37914230)

No, not really. There's a fairly well established perception that the authoritarian Chinese government runs a large, sophisticated hacking campaign against everyone and the US in particular. All the summary does is take that perception and undermine it slightly.

It's not a racial perception either. There aren't similar ideas about Japan or South Korea, for example. And it's not like the "all Russians pirate everything" meme, which Valve recently attempted to debunk. It's an accusation levelled specifically at the Chinese authorities, not the people.

If the US runs an equivalent campaign, then there's a case for a more balanced approach to reporting this topic.

Re:Beware teh Chinese (1)

poity (465672) | more than 2 years ago | (#37914822)

How so? Because there are instances of "China" and "they"? I'm not really feeling it -- replace it with "American" or "the Americans" and you'll find thousands of instances on this site, especially in articles about the US throwing its weight around. I'm Chinese-American and I can assure you you'll have a far more interesting time analyzing the possible linguistic indicators of xenophobia in the Chinese language. For example, "foreigner" is a common word in Chinese that most people don't give much thought to when speaking, yet in the US it's almost taboo even in private conversation. Of course that's from a history of invasions and rightly understandable, but it's something that still hasn't been shed through decades of China striving to join the modern cosmopolitan world.

I'm not convinced.. (0)

Anonymous Coward | more than 2 years ago | (#37913394)

Maybe the low level attacks are noise to mask something higher, I find it hard to believe China can't muster a sophisticated attack, very hard to believe.

It's even amusing that the report is in PDF form, not like there's any danger there ::eyeball roll::

Re:I'm not convinced.. (1)

pcxmac (608673) | more than 2 years ago | (#37913420)

dang those Chinese

We're Americans, it's our job to be afraid (1)

Anonymous Coward | more than 2 years ago | (#37913426)

Did we really need this paper to tell us that China's pathetic, underpaid skeleton of a software industry was no match for the NSA?

  The Imperial mindset is this - if a potential rival or adversary is capable of even token resistance, then this is a major emergency and they are a threat to our entire way of life! See also, Sandanistas three days drive from Texas, the peril posed by Sioux and Mexicans, Saddam and his mushroom cloud, and of course the Yellow Peril.

  I don't doubt that the Chinese would love to develop some kind of "cyberwarfare" capability as a deterrent to a potential attack we might launch. You may get an occasional Chinese loose cannon who'll hack into something state-side, but they'd have to be insane to actually start anything. Meanwhile, our massive "cyberwarfare" capability would let us take their entire grid dark, if they had the poor taste to introduce modern computer control to their infrastructure, which they'll probably do anyway, counting on the continued alliance between the CPC and the 0.1% of Americans getting rich off of exploiting the slave labor the CPC sells them.

Not great, but good enough (0)

Anonymous Coward | more than 2 years ago | (#37913436)

They were good enough to compromise the RSA token database and then use that information to compromise lockheed martin. I suppose it would be more impressive if neither company had noticed it, but of course it is very likely they have compromised other companies who have no idea it happened.

They certainly aren't world leaders in this space, but they get the job done pretty regularly.

Oh Noes! (1)

Anonymous Coward | more than 2 years ago | (#37913456)

A few years ago, in Ramadi Iraq I got shot by a sniper (twice!). It was pretty bad, but not nearly as horrific as if a foreign nation had totally crashed my web domain and/or email server. God help me if those bastards wrecked my telnet... I probably wouldn't be here today to tell the tale.

Re:Oh Noes! (0)

Anonymous Coward | more than 2 years ago | (#37914168)

I'd think the ramifications would be greater if they had taken "state secrets"

What a relief! (1)

TwineLogic (1679802) | more than 2 years ago | (#37913462)

Surely if Desmond Ball says it was not the Chinese military which took over control of U.S. Weather Satellites, potentially rendering them into anti-satellite weapons, then I guess we can stop worrying about it.
I don't know who this Desmond Ball person is, but... he published a paper! Wow.
Slashdot = Disinformative

Desmond Ball, A.K.A. Hu Chin (0)

Anonymous Coward | more than 2 years ago | (#37913474)

title says it all

This sounds a lot like... (3, Insightful)

bmo (77928) | more than 2 years ago | (#37913502)

..whistling past the graveyard. It sounds a /lot/ like what US automobile manufacturers said about the Japanese in the 60s and 70s. And then the Japanese whipped Ford, Chrysler, and GM's collective asses.

Go ahead, dismiss your opponent as incompetent. Down that road lies complacency and defeat.

--
BMO

So... (1)

binaryhat (2494814) | more than 2 years ago | (#37913548)

Who or what entity has been hacking into major US companies if it's not China? North Korea, nope. Russia? Not their style.

Newsflash (1)

instagib (879544) | more than 2 years ago | (#37913572)

Politicians and journalists from English speaking countries ALWAYS overstate the potential of national threats. And boy do they love their security theatre. The best one: The American president giving a speech abroad. Hilarious!

Re:Newsflash (1)

Aighearach (97333) | more than 2 years ago | (#37913788)

The American president giving a speech abroad. Hilarious!

You've got a derp on your chin, you might want to wipe that.

But... (1)

Krater76 (810350) | more than 2 years ago | (#37913594)

They would be unable to systematically cripple selected command and control, air defense and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks.

But, could we (as in the US) do those things? Because that would be super.

PsyOp Trolling (0)

Anonymous Coward | more than 2 years ago | (#37913618)

Just a PsyOp article to get China to show their full strength. Trollin the Chinese.

Apologist much? (2)

FyberOptic (813904) | more than 2 years ago | (#37913630)

What difference does it make whether the attacks are detectable? DDoS for example is detectable, but that doesn't make it any less potent of a weapon. As someone who has dealt with blocking Chinese break-in attempts for years, and at one point blacklisted IP blocks from the entire region, I can tell you that China is a scourge on the internet at best, and a damaging force against major targets at worst. There's more than enough evidence of that.

yoMU fail it? (-1)

Anonymous Coward | more than 2 years ago | (#37913652)

Came as a complete Don't be a sling LIKE I SHOULD BE Raymond in his the chaanel to sign WASTE OF BITS AND has brought upon Awesome and committees knows that ever

It's more complicated than that (0)

Anonymous Coward | more than 2 years ago | (#37913758)

To dismiss all of the attacks from China is a little naive.

There is a lot of spyware that comes out of China, and most of it is crap. They have different levels however, much like in the army you have lots of grunts who can perform simple attacks, and a small number of highly trained specialists who can perform very sophisticated attacks (and multiple levels in-between).

I've worked with a lot of companies that have gotten themselves caught out by the simple (grunt level) attacks because they haven't invested in security (or have done so poorly). I've also seen some very sophisticated attacks that have taken considerable effort and were entirely targeted at that organisation.

Getting the basics right is something that everyone should be doing in terms of IT security, but there's a lot more that should be done beyond that for large companies and critical infrastructure.

The really good hackers (5, Insightful)

Hentes (2461350) | more than 2 years ago | (#37913882)

are the ones that don't get caught. Americans only detect the lousy attempts.

Don't need sophistication when your enemies use MS (0)

antifoidulus (807088) | more than 2 years ago | (#37913892)

They don't need particularly sophisticated techniques when their favored targets insist on using that steaming pile of insecure shit known as Windows. Using Windows for anything critical is sort of like being a gazelle and bathing in meat tenderizer, you are just making it too easy and too tempting for the lion to come and eat you.

How'd Linux do @ CA's breached recently? (-1)

Anonymous Coward | more than 2 years ago | (#37914046)

That ran Linux?? 3/4 of them were that, see here:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

Each was compromised, per this article's proof thereof -> http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

(The only one that doesn't was diginotar.nl, & they either didn't update properly, and ought to use Windows Server 2008 + IIS7 (vs. Windows Server 2003 + IIS6)).

However, antifoidulus, since you in the business of "ribbing on Windows", well, then it's my "civic duty" to show even MORE CURRENT INFORMATION about Linux being "so secure" (not) as you seem to insinuate:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

  *That's ALL pretty current information... very recent too!

APK

P.S.=> And, lastly of course? There's ANDROID (a Linux variant) so please, tell us - how's THAT doing on the security front?? Not very well...

This is sort of funny on that note in fact: I tried to post all of the known security issues I have catalogued here for it, & SLASHDOT's FORUM ENGINE CAN'T EVEN HANDLE THE LOAD (too many is why)...

Fact is, Android shows anyone that once Linux got a decent share of market on a platform, it too, can be found to be insecure & was benefitting on PC's via "security-by-obscurity" only (lack of widespread usage vs. competitors) & since nobody was using it? Why bother attack it (mindset of hacker/cracker types is this)

There in ANDROID also? Bugs in the kernel too, not just bugs in the JAVA/Dalvik front end have been found on that note also.

Guys, listen - they ALL need work on the security front, every OS there is!

Even though Windows Server 2008 shows less unpatched security vulnerabilities http://secunia.com/advisories/product/18255/?task=advisories [secunia.com] than the Linux CURRENT KERNEL ALONE http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

(Mind you, it would be more unpatched security bugs present on a full linux distro most likely due to app bugs that come in said distro beyond the kernel, unless vendors fixed them OR omitted putting those buggy programs into said distro)

4x++ less unpatched security vulnerabilities in Windows Server 2008 vs. Linux current mainstream kernel only, in fact - see for yourself!

... apk

Re:How'd Linux do @ CA's breached recently? (1)

antifoidulus (807088) | more than 2 years ago | (#37914134)

HAHAHAHAHA, it's so adorable that you believe that Microsoft bullshit. You want to know why Microsoft servers are so rarely hacked? Because so many people got burned running Windows bullshit that very, VERY few websites actually run Windows or IIS, and thus they are not compromised. Also, the # of vulnerabilities is a bullshit metric that Microsoft likes to tout because it's the ONLY metric that makes them look good, the thing is the vast majority of Linux kernel bugs are actually escalation of privilege attacks that require a local account and even then they are mostly theoretical, now compare that to Windows where the patched vulnerabilities are serious remote exploit bugs that represent real threats. Not to mention that Linux, being OPEN, actually accurately reports its vulnerabilities, whereas Microsoft does not. Not to mention that huge security vulnerability that Microsoft calls a feature called Genuine Advantage.

But yeah, continue to use that toy called Windows and consider yourself secure, I'm sure the hackers will enjoy just how easy you are making it to hack you.

There's NO DENYING the current data I put up (-1)

Anonymous Coward | more than 2 years ago | (#37914222)

Regarding Linux & its "fine security" (not - ESPECIALLY ANDROID (a linux variant)), here http://it.slashdot.org/comments.pl?sid=2504516&cid=37914046 [slashdot.org] that's VERY CURRENT on all points I posted (of sites running linux being cracked into, including ironically enough LINUX.COM &/or KERNEL.ORG as well, amongst others... including the extremely recently breached CA's too!)

Now, on this note from you? Hehe, ok:

"But yeah, continue to use that toy called Windows and consider yourself secure, I'm sure the hackers will enjoy just how easy you are making it to hack you" - by antifoidulus (807088) on Tuesday November 01, @07:28PM (#37914134) Homepage

You're talking to "the guy that wrote the book" practically, on how to secure Windows, per this evidence thereof, & yes, it really works and CAN be done (patching, security hardening, & 'smart/judicious' websurfing - user education etc. + more):

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text [neowin.net]

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

And, as to how my posts on that guide have done, HERE on /. (of all places, the "home of the Penguin online" practically, lol)?

Ok:

* THE APK SECURITY GUIDE GROUP 11++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE:2005 -> http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&cid=25093275 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&threshold=-1&commentsort=0&mode=thread&cid=30649722 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&cid=30649722 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]
APK SECURITY TEST CHALLENGE LINUX vs. WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=267599&threshold=1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]

APK

P.S.=> You can say what you want to, & try to "brainwash yourself" but facts, ARE FACTS, period... no denying them either, per my last post and yes, this one also!

... apk

Re:There's NO DENYING the current data I put up (1)

antifoidulus (807088) | more than 2 years ago | (#37914304)

All I had to do was read the first line of your post to realize that you have 0 clue about anything, so there was no reason to even bother with the rest, you are just some MSCE who is worried because your platform is becoming irrelevant. Android uses the Linux kernel yes, but that doesn't make it some sort of "Linux variant", at least not in the same way that you seem to think it is. Unlike Windows, anyone is free to modify Linux, and the overwhelming majority of the "flaws" you point out are with things that Google or other parties have added on to the Linux kernel, Android and the OS that runs on web servers are very different beasts. But yeah, I'm sure with that MSCE cert you will go far in a world that is ditching Windows as fast as it can because it's such flaming pile of insecure shit.

Re:There's NO DENYING the current data I put up (0)

Anonymous Coward | more than 2 years ago | (#37914464)

Time to dismantle you, point-by-point, as is my "usual style":

"and the overwhelming majority of the "flaws" you point out are with things that Google or other parties have added on to the Linux kernel" - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

WTF? I pointed out FLAWS IN THE LINUX KERNEL ITSELF - THE CURRENT MAINSTREAM ONE NO LESS!

(With 3 remotely vulnerable unpatched ones as well, the WORST TYPE, & 4x++ the # of unpatched security vulnerabilities in Windows Server 2008 too, mind you)

See again, here:

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

vs. this:

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Now, you may not LIKE that, but it's documented fact!

---

"Android uses the Linux kernel yes, but that doesn't make it some sort of "Linux variant", at least not in the same way that you seem to think it is." - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

LOL, that's the DUMBEST THING you've said here so you know... it uses the LINUX KERNEL - it is THUS, a Linux!

---

"Android and the OS that runs on web servers are very different beasts." - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

That use the same core/kernel... lol, both Linux kernel, mind you, and apparently LATELY, per my 1st post to you here:

http://it.slashdot.org/comments.pl?sid=2504516&cid=37914046 [slashdot.org]

NEITHER ARE DOING VERY WELL ON THE SECURITY FRONT LATELY, since that information is VERY RECENT TOO, no less!

"Read 'em, & weep"...

---

"All I had to do was read the first line of your post to realize that you have 0 clue about anything, so there was no reason to even bother with the rest, you are just some MSCE who is worried because your platform is becoming irrelevant." - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

Linux already IS "irrelevant" in the eyes of the majority of users out there. See here on that note (marketshare):

http://www.netmarketshare.com/ [netmarketshare.com]

So much for Linux eh? Damn near last place... it IS irrelevant in the eyes of the majority of the users on the planet.

---

"Unlike Windows, anyone is free to modify Linux" - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

Anyone is free to step trace said code to find flaws, which is far, Far, FAR EASIER than using debuggers/disassemblers on closed source code (or using fuzzers) to find flaws that way, mind you...

---

"But yeah, I'm sure with that MSCE cert you will go far in a world that is ditching Windows as fast as it can because it's such flaming pile of insecure shit." - by antifoidulus (807088) on Tuesday November 01, @07:47PM (#37914304) Homepage

I used to have MCSE (Windows NT 3.51 days) but have since moved onto coding solely (rather mostly), since 1996 onwards to presently.

APK

P.S.=> You can use all the "frustrated profanity" & name calling ad hominem attack b.s. you like, but it only shows that TRUTH HURTS & you? You can't HANDLE THE TRUTH!

... apk

Cyber Gap (1)

Logreybaby (451105) | more than 2 years ago | (#37914064)

Sounds kind of like the Bomber Gap [wikipedia.org] .

Do they need to be able to? (0)

Anonymous Coward | more than 2 years ago | (#37914268)

The summary talks about 'command and control, air defense and intelligence networks', but what about plain old infrastructure networks such as electricity grids, hospitals, power utilities, etc, not to mention defense contractors and others. Just because they might not be able to hack the CIA doesn't mean they haven't been hacking the Boeings, Lockheed-Martins, Raytheons, etc, for the past decade or so.

Really, who gives a year of the rat's ass??? (1)

sgt_doom (655561) | more than 2 years ago | (#37914572)

I mean, since they (Corporate America) have offshored the majority of the production assets there, and the capital assets there, and along with offshoring all those jobs, they've offshored that technology many of us were involved in creating, and both the Clinton and the Bush administrations gave them free military technology (pretty much), why would anyone really care now that those scumbags and their shills want to create fear about them. They shipped them all the weaponry, let them go fight them or stew about them, but leave us sane and poor people out of their moronic scripts.

Bullshit (0)

Anonymous Coward | more than 2 years ago | (#37914906)

However, if you are going to accuse China otherwise, you had better be ready for an all out global nuclear war with them and their puppet countries who already hate the US and their allies.

The threat still exists (1)

Staticharge (2497386) | more than 2 years ago | (#37914964)

Some people tend to worry more about fires, floods, hurricanes, tornadoes, etc, than they likely need to. But they still happen, and you don't want to be the unlucky individual hit by one and be unprepared for it.
