[HN Gopher] U.S. and key allies accuse China of Microsoft Exchan...
___________________________________________________________________
U.S. and key allies accuse China of Microsoft Exchange cyberattacks
Author : jimmy2020
Score : 266 points
Date : 2021-07-19 11:08 UTC (11 hours ago)
(HTM) web link (www.axios.com)
(TXT) w3m dump (www.axios.com)
| protontorpedo wrote:
| It looks like cyber warfare, as well as espionage, is considered
| pretty much fair game in geopolitics nowadays. I wonder where the
| line is drawn that would make it an act of war. In any case, a
| direct attack from the Chinese government towards its main trade
| partners (US, Germany and Japan among them) sounds crazy to me.
| sidlls wrote:
| Why? China wants to build an empire and views the US as an
| enemy. They will use their military and intelligence forces to
| achieve that, just like any other country does to achieve their
| respective goals.
| mjreacher wrote:
| Was there ever a time when espionage and cyber warfare weren't
| fair game? To me the only difference seems to have been where a
| nation state did have the capability and where they didn't.
| saddata wrote:
| China goes down, so does aapl and tsla and our entire economy.
| Until the American voter is more powerful than the collected
| business interests of those mega-corps, China will be our most
| favored trade partner, even as they commit war crimes against
| the American people (in theory :)
| deregulateMed wrote:
| I was pretty cool with modern China until the genocide.
|
| I wouldn't have even cared about Hong Kong.
| ok123456 wrote:
| All the reports about the "genocide" come from one person,
| Adrian Zenz (https://en.wikipedia.org/wiki/Adrian_Zenz).
| It's about as credible as reports of Saddam's soldiers
| ripping babies from incubators. Zenz works for the Victims
| of Communism Memorial Foundation and enjoys nothing more
| than inventing new "victims" to add to the list.
|
| It's pretty funny the lengths to which he and the western
| media that runs with whatever he says are willing to invent
| things out of whole cloth to support this. Uighurs openly
| celebrating Eid was used as evidence of atrocities since
| this couldn't possibly be their own free will, and it was
| done as propaganda by Beijing!
| omgwtfbbq wrote:
| >I wouldn't have even cared about Hong Kong.
|
| Then you are a fool
| xwolfi wrote:
| I live in Hong Kong, and I don't care either lol. It's not
| that bad, so far.
|
| The genocide, I stay a bit careful, I tended to consider
| direct immediate murder as genocide to respect a bit the
| Holocaust, but I would say they'll pay for it a
| thousandfold. They're building the Xinjiang country like
| never before by giving them a shared oppressive history.
| Israel "started" (or at least really took off) like that
| so...
|
| I cannot fathom how they don't see it, and that's the
| weakness of the party: it's so top down, if a stupid idea
| comes from high enough, it'll get implemented to the most
| stupid detail.
| DaftDank wrote:
| I don't think it's crazy at all. We (i.e. the US) use our
| SIGINT abilities to spy on allies all the time, or at least
| according to numerous books and leaks. With that said, I'm not
| sure that the US government considers China an ally.
| pmcollins wrote:
| espionage != cyber warfare
|
| > attack crippled thousands of computers around the world
| dalbasal wrote:
| Technology has a tendency of merging realms. Whether you
| compromise a system to get information or to cripple it is
| pretty much a detail.
| tasogare wrote:
| Yes, and that includes stealing trade secrets from European
| companies, which are nominally US allies.
| jb775 wrote:
| Is anyone else sick of all this forced "connected cloud" crap?
|
| My wife just got a new Windows laptop and the amount of dark
| patterns they use to push people towards the Windows cloud is
| insane. I haven't used Windows in years, but it's glaringly clear
| that the entire modern Windows OS is designed around recurring
| monetization of users. Nowadays, Windows machines are essentially
| one big trojan horse waiting to either be hacked or tapped into
| by 3-letter agencies.
| whoknowswhat11 wrote:
| The amount of hot air on this topic is incredible.
|
| The US has denounced, accused, etc Russia on cyber attacks
|
| It is now calling out and accusing China of cyber attacks.
|
| My guess - ZERO concrete action.
|
| Meanwhile, China says relatively little and focuses on actual
| power - trade ties, threats etc.
| boringg wrote:
| Would this be the first full scale assault by Chinese hackers in
| the supply chain that we know of? If so, it is notable that they
| are aggressively acting in that way (and breached).
| aj3 wrote:
| To my knowledge this is the first attack of this sort (shadily)
| attributed to China, but they have been implicated in much more
| important attacks, such as OPM breach (
| https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
| ).
| cs702 wrote:
| China has been accused of hacking and/or electronic spying by
| other states.
|
| Russia has been accused of hacking and/or electronic spying by
| other states.
|
| North Korea has been accused of hacking and/or electronic spying
| by other states.
|
| And yes, the US and quite a few European states -- and many other
| countries -- have also been accused of hacking and/or electronic
| spying by other states[a].
|
| All these governments are _playing with explosives_: The right
| spark at the wrong place at the wrong time can start a fire.
|
| Seemingly "minor" incidents have triggered wars in the past.[b]
|
| --
|
| [a] Including via highly-targeted malware such as
| https://en.wikipedia.org/wiki/Stuxnet
|
| [b] For example, https://en.wikipedia.org/wiki/Pig_War_(1859) ,
| https://en.wikipedia.org/wiki/Marco_Polo_Bridge_Incident ,
| https://en.wikipedia.org/wiki/Football_War ,
| https://en.wikipedia.org/wiki/Assassination_of_Archduke_Fran...
| -- to name a few off the top of my head.
| JMTQp8lwXL wrote:
| If a seemingly insignificant issue is enough to start a war,
| perhaps the problems run deeper than the tipping point trigger
| issue.
| MinorTom wrote:
| I have to disagree, in today's internet-connected world cyber
| attacks are not insignificant. It is not inconceivable for a
| large-scale attack to e.g. turn off an entire country's
| electricity distribution, and that's more than most
| traditional weapons ever could do.
| matheusmoreira wrote:
| Interesting to see _the USA_ complaining about the cyberwarfare
| activities of other countries. As if it didn't have an entire
| government agency and even military branches dedicated to
| nothing but this.
| adventured wrote:
| Is there any evidence the US has directed the intentional
| sabotage of critical energy providers and food providers in
| Russia or China in recent years?
|
| Russia appears to be waging an all-out cyber war against the
| US at this point. Putin admitted as much in the hour-long
| interview with NBC a month ago. He declared as openly as he
| possibly could have that the US would be targeted until it
| came to the negotiating table (they want sanctions etc.
| removed in exchange for stopping the attacks). So far the US
| appears to have been exceptionally reserved in its response,
| given it's a clear declaration of war by Russia to be
| intentionally targeting critical US infrastructure with
| attacks.
| matheusmoreira wrote:
| The USA has sabotaged _everyone_. They have compromised
| _everyone_'s security. They spy on _everyone_, even their
| own citizens. Domestic law enforcement agencies actively
| exploit vulnerabilities in software. The USA has satellites
| violating the airspace of sovereign nations, imaging them
| and collecting all of their communications. They're so
| active on these fronts that it's comical to see them
| complaining about other countries trying to do anything.
| clydethefrog wrote:
| https://en.m.wikipedia.org/wiki/Operation_Olympic_Games
| eigenket wrote:
| Why when asked about "sabotage of critical energy
| providers and food providers in Russia or China" do you
| reply with sabotage of something in Iran which is neither
| an energy nor food provider?
| ruggeri wrote:
| Sibling comment is correct that this is an attack on a
| military research project, not civilian infrastructure.
| Thus non-responsive to the original request.
|
| Perhaps a better (but also possibly fictional) example is
| sabotage of the Soviet trans-Siberian gas pipeline in
| 1983. Certainly there appears to have been a US
| suggestion to surreptitiously provide the Soviet Union
| with compromised technology it was seeking in the West.
| But it's not clear whether compromised technology was
| provided, or whether the US caused the pipeline
| explosion.
|
| Here is one (controversial) source:
| https://en.wikipedia.org/wiki/At_the_Abyss
|
| I wasn't going to comment at all, since the US does a lot
| of - ahem - "disruption" throughout the world. However,
| I'm not aware that the US does a lot of civilian
| infrastructure attacks outside of active military
| theatres. If true: it's a notable/interesting fact.
|
| But I'm also not sure that civilian infrastructure
| attacks are further beyond the pale than rendition,
| bombing, arms sales, embargoes, et cetera. I worry that
| we in the States are more sensitive to infrastructure
| attacks because (1) it's a weapon readily available to
| our national adversaries and (2) for the first time, we
| are the victims.
| cronix wrote:
| And I'd bet an awful lot of these attacks are using the very
| same tools that the NSA created and left on a wide open AWS
| server, which was discovered, and downloaded, and spread all
| over the planet by the "shadow brokers" group for anyone to
| use how they see fit. They even included handy dandy user
| manuals.
|
| Chickens coming home to roost....
|
| https://en.wikipedia.org/wiki/The_Shadow_Brokers
| 2OEH8eoCRo0 wrote:
| Entire free world: China is hacking us.
|
| Entire comment section: b-b-but the US.
| dalbasal wrote:
| ...and both are relevant.
|
| China probably is "hacking us." US/NATO credibility _is_
| suspect.
| godelski wrote:
| That's not the problem. We shit on the US all day every day.
| There's also not a problem with this. The problem is that
| when we're talking about someone else it's being used as a
| defense. Honestly it doesn't even matter if the US is doing
| the same thing. If something is wrong it is wrong, no matter
| who does it. Responding to "China is hacking the US" with
| "But the US hacks China" doesn't accomplish anything except
| create arguments nor is it logically consistent because both
| can be bad. The "but they did it" implies the action is not
| bad in the first place and that a double standard is an
| excuse. The problem is that there is not a double standard.
| People are also critical of the US's use of hacking both
| nationally and globally. So if you're concerned with the US
| hacking people it is logically obvious that you'd also be
| concerned with China (or anyone else!) hacking people.
|
| I'm tired of this argument because it just serves the
| propagandists. It eliminates a real conversation happening
| because we can't even start one because we don't even agree
| on a basic premise that things can be judged
| independently. Comparisons can be great, but independent
| judgement/criticism is also necessary.
| dalbasal wrote:
| What would you like to have discussed and/or judged
| independently?
|
| I agree that a lot of the comments here are shitposting or
| making reactionary equivocations. Others though, are making
| valid points... which you may agree with, or not.
|
| IMO, for example, the most important part of this to pay
| attention to is NATO. Cybersecurity & China seem to be the
| new focus of the alliance. To me, this seems like the most
| potentially impactful aspect.. and probably a key reason
| why this announcement was made in the way that it was made.
| IE, I think that what NATO do in the coming few years will
| make the history books, rather than Chinese cyberattacks. I
| may be wrong, but this isn't a disingenuous equivocation.
| It's just my judgement on this, at this point.
| godelski wrote:
| Well look at the conversations in threads about the US
| hacking. They typically discuss the international
| implications of this, how to protect yourself, and what
| we can do about it. Yeah, there's people that bring up
| China and Russia, but they typically aren't the top
| comment or a majority of the comments. The top comment in
| this thread[0] is the beginning of a conversation I'd
| like to see but one that is already being pulled away
| from. It recognizes the danger of these actions
| (independent of the country issuing them). It is not
| excusing the hacking by stating that another country has
| done it, but rather condemning it all around.
|
| [0] https://news.ycombinator.com/item?id=27883812
| dalbasal wrote:
| Those aren't really equivalents.
|
| This isn't just a thread about Chinese hacking, it's a
| thread about a US-NATO statement in response to hacking.
|
| Anyway, who cares about convicting one or the other. This
| is about consequences. The consequences of whatever
| direction NATO is taking now are meaningful.. much more
| meaningful than the hack.
| [deleted]
| vor77 wrote:
| don't forget the other stuff:
|
| covid
|
| chemicals in food/toys/products
|
| ICBM tech to DPRK
|
| all pretty recent.
| agul29 wrote:
| "Entire free world" is such a loaded and propagandistic
| statement, it's very hard to take this comment seriously.
| [deleted]
| chmod775 wrote:
| I can't help but think "accuse" is a peculiar choice of words,
| because it implies that the accuser has any basis to feel
| wronged.
|
| If they had any integrity they'd say: "I guess you got us back,
| huh!".
|
| Entertaining to watch nonetheless.
| john579 wrote:
| Microsoft Exchange crashes when encountering Unicode Chinese
| fonts. Trust Bill Gates with your data security, he's a jew.
| ppeetteerr wrote:
| There is so much doubt in this comment section around the
| validity of the accusations.
|
| We have a number of countries putting forward the knowledge they
| have mutually agreed upon. What is shared is known to a high
| degree of certainty. Any details that are questionable would not
| have been shared prematurely.
| baby wrote:
| Not to say I don't believe that China is actively attacking
| networks and services (if they don't then they're lagging
| behind and it's embarrassing), but I can understand the
| skepticism of grand claims when the latest was that tiktok was
| impacting national security.
| vxNsr wrote:
| If you don't believe Tiktok is a national security threat you
| are hopelessly naive.
|
| MyFitnessPal, Strava, etc are threats to national security
| and they're US based, but you think that Tiktok isn't because
| someone you don't like said it is? That's playground logic.
| chalst wrote:
| Given the goals of the US, anything that weakens US
| hegemony can be regarded as a national security threat.
| Naturally, any internationally successful social media
| technology not under the control of US corporations counts.
|
| If you are not American, though, the TikTok drama has been
| one of the more darkly amusing spectacles.
| vxNsr wrote:
| India disagrees with you but ok.
| partiallypro wrote:
| The US isn't the only country that has claimed TikTok is
| a national security threat though.
| tablespoon wrote:
| > If you don't believe Tiktok is a national security threat
| you are hopelessly naive.
|
| Yeah, it's pretty much a bomb waiting to be used. It might
| not have been used yet, but that's no reason to claim it's
| harmless and sleep next to it.
|
| Though, Facebook and Twitter are not much better, and only
| somewhat less exploitable by the same adversary (there's
| capitalism for you).
| godelski wrote:
| > when the latest was that tiktok was impacting national
| security.
|
| Wait, it wasn't? I'm not sure why this is a controversial
| opinion. Social media has often been linked to information
| leakage. Geo tagging of photos was part of the proof that was
| used to show that Russia invaded Crimea. Similarly US
| soldiers have had their locations revealed when posting on
| Facebook/Twitter/Instagram. In fact if you're overseas and
| talking to your partner back home they generally have another
| soldier listening to the conversation. Given all this why is
| it surprising that a large social media platform that focuses
| on videos (which reveal more info), grabs a lot of data, and
| is connected to the US's largest geopolitical adversary is
| considered a threat?
| wyuenho wrote:
| Refer them to the DOJ indictment and CISA advisory
|
| https://www.justice.gov/opa/pr/four-chinese-nationals-workin...
|
| https://us-cert.cisa.gov/ncas/alerts/aa21-200a
| omgwtfbbq wrote:
| Chinese astroturfing is rampant on HN. Inb4 toothless spineless
| mods warning me about this comment. Bought and paid for.
| finiteseries wrote:
| The nature of comment sections like this doesn't matter in the
| slightest if anyone is actually worried about it affecting
| anything, this isn't copyright reform.
|
| Exchange being hacked has 0 relevance to HN commenters, their
| knowledge, or their influence. Absolutely nobody cares about
| the technical specifics, or technical effects of this. This is
| an exec level political issue, and is more related to the
| recent trade wars than infosec.
|
| There is a frankly stupid amount of bipartisan US consensus on
| confronting China. MENA is being put to simmer. A form of
| "rapprochement" with Russia is underway, and the EU & NATO are
| barking when told.
|
| The comparisons to the Iraq war are apt in the sense there's
| essentially nothing anyone outside those circles can do about
| this.
|
| Bonus points for the fact there's 0 chance of this going
| kinetic anytime soon, so no blood, guts, and (non climate)
| refugees to affect PR going forward.
| Leparamour wrote:
| China is just the bogeyman of the hour. If it were more
| politically convenient to blame Russia or Iran you'd suddenly
| find the same evidence pointing a different way.
| partiallypro wrote:
| The CCP runs concentration camps and is actively perpetuating
| ethnic cleansing. That doesn't seem "of the hour." That
| ignores CCP doings for the past 30+ years that have cost
| millions of lives.
| adflux wrote:
| The bogeyman of the hour which is putting people into
| concentration camps. Would you say Nazi Germany was the
| bogeyman of the (then) hour as well?
|
| IMO these are some very valid concerns...
| curiousgal wrote:
| Oh please. If the U.S. was so concerned about human rights
| violations they would stop funding Israel.
|
| Sorry dang.
| hirako2000 wrote:
| They would also stop a big bunch of other things.
| pokot0 wrote:
| The US has too many internal problems to be the world
| savior. Every time the US looks outside its border, it's
| for its sole selfish interests. Human rights enforcement
| around the world is (unfortunately) not something we can
| reasonably expect from US. Also the U in US is extremely
| optimistic. Different states would act completely
| differently if allowed to.
|
| The world needs to look for a different hero: any
| proposal?
|
| (For a good laugh, I recommend watching the excellent
| "When the Yogurt took over" on Netflix)
| Robotbeat wrote:
| Democracy, human rights, and self-determination as a
| concept should be the hero.
| kube-system wrote:
| It's more complicated than that. Few decisions,
| particularly ones regarding foreign policy, are made on
| single factors.
| ycombigator wrote:
| It's also instituted a very oppressive social credit
| system and runs an enormous censorship apparatus that it
| will be increasingly able to turn outwards in the future.
|
| It's really about their ability to destroy Western
| democracy - which is already happening.
| enkid wrote:
| Russia and Iran do cyberattacks all the time. We have good
| evidence of these attacks from many sources. Same with China.
| The idea that these attacks are just being made up or we
| don't have evidence who executed them is either willfully
| ignorant (a google search will provide plenty of evidence) or
| actively malicious.
| Leparamour wrote:
| > The idea that these attacks are just being made up or we
| don't have evidence who executed them is either willfully
| ignorant (a google search will provide plenty of evidence)
| or actively malicious.
|
| Tools to fake such attribution and evidence were literally
| part of the leaked NSA/Equation Group toolkit.
| SpicyLemonZest wrote:
| Sure, and we should be willing to entertain skepticism of
| specific incidents when justified. The idea that there's
| _no such thing_ as real attribution, that it's always
| fabricated based on political convenience, is just
| unproductive nihilism.
| [deleted]
| sudosysgen wrote:
| There is such a thing as real attribution. Just not from
| IPs and tools that are easily faked. You need more than
| that, and indeed there were many cases where we got more
| than that.
| SpicyLemonZest wrote:
| Agreed, but this seems to be one of the cases where we
| got more than that. I don't have time to read the
| indictment in a ton of depth, but it tells a very
| detailed story about some of the hackers and how they
| organized the hacking; it's not just "the IP matched so
| it's gotta be them".
| tablespoon wrote:
| > There is such a thing as real attribution. Just not
| from IPs and tools that are easily faked. You need more
| than that, and indeed there were many cases where we got
| more than that.
|
| And there are most likely a lot of cases where:
|
| 1) "...we got more than that," and...
|
| 2) ...data from "IPs and tools that are easily faked" is
| the only information that could be released _publicly_
| without compromising sources and methods.
|
| It's a hopeless wish to want to be able to independently
| assess (as an amateur!) intelligence findings in all
| cases. If trusting the official assessments isn't
| acceptable (cross-checked with general knowledge of the
| situation), about the only reasonable alternative
| position is to remain agnostic.
| boston_clone wrote:
| and yet, we were able to accurately attribute the code
| released in that leak as being developed by NSA.
| sudosysgen wrote:
| We know it was the NSA because of leaked NSA documents
| that admitted to the affiliation. Not from the tools
| themselves.
| boston_clone wrote:
| Interesting; could you share your source on that?
|
| I had only previously heard [0] that similarities in the
| tools were discovered by Kaspersky, not that there were
| any leaked docs that pointed the finger back at NSA
| themselves. Are you maybe thinking of PRISM/Wikileaks?
|
| [0] - https://arstechnica.com/information-technology/2015/02/how-o...
| anthony_romeo wrote:
| Comment sections are not a reliable source of information.
| throwaway6734 wrote:
| It's a combination of native, anti authoritarian populists and
| Chinese astro turfing
| sebiw wrote:
| "Simply stated, there is no doubt that Saddam Hussein now has
| weapons of mass destruction." -- Dick Cheney, before the US and
| coalition of the willing invaded Iraq.
| partiallypro wrote:
| Logical fallacy to say that China/Russia being behind hacking
| is false simply because of the Iraqi war. Of course I'm sure
| China/Russia absolutely love and actively push this fallacy.
| Just as China uses US's failures on certain civil rights to
| deflect from their concentration camps and slave labor.
| 2OEH8eoCRo0 wrote:
| This is meaningless. You're saying that since we have gotten
| it wrong in the past it must be wrong this time? That's not
| how it works. Show me your superior intelligence that
| contradicts this.
| stelonix wrote:
| No, he's saying since the USG used a _lie_ in order to
| further its interests and which caused more than 500k
| deaths, it should not be trusted when it says anything
| about any other adversary.
| 2OEH8eoCRo0 wrote:
| >The U.S., NATO and other allies
|
| Okay. What about NATO and "other allies" then?
| godelski wrote:
| There's a few things wrong with this callback.
|
| 1) When that was stated there was serious pushback not just
| from US reporters but also other countries/allies.
|
| 2) It's pretty reasonable to believe that it is far easier to
| obtain hacking tools and knowledge as compared to weapons of
| mass destruction. You can't just download the knowledge and
| tools for nuclear weapons through the internet.
|
| I get the cynicism and I agree that we should be doubtful and
| not trust our leaders at face value. But that doesn't mean
| that we should throw all evidence to the wind. It just
| demonstrates that we need to be more thoughtful in our
| analysis.
| bradford wrote:
| I'd ask that we be more thoughtful on this and evaluate
| separate allegations on their own merits. Why do you think
| invoking Cheney's statement is relevant to this discussion?
|
| As an aside, I'm not sure what's more frustrating:
|
| Witnessing the Bush administration circa 2001-2004 be called
| out on these lies, by numerous entities, and still march
| inexorably toward armed conflict, or...
|
| having to witness these lies being used to disingenuously
| discredit any future allegations made by the US.
| dylan604 wrote:
| To me, it just goes to show that you cannot take on faith
| or even the evidence provided by the currently speaking
| government official (whoever that might be at whatever
| time).
|
| It's a sad position to take, but we have definitely been
| misled/lied to by gov't officials.
|
| Why is this particular incident any more legit/not-fake
| than the totally legit/not-fake WMD evidence?
| dalbasal wrote:
| I sympathize with your sentiment, but dishonesty in that
| case _is_ relevant to credibility in this one.
|
| What, besides credibility of the institutions making the
| allegations, are these allegations' "own merits"?
|
| Agreed that a reflexive "they lie!" position isn't useful,
| but... trust doesn't seem like a reasonable default either.
| In the same vein, it would be naive to trust the Chinese
| NBS to report unflattering economic statistics honestly.
| Why? Because of past/recent dishonesty.
|
| Whether it's true or not, I don't think the purpose of this
| announcement is to inform us. It's part of power games with
| China, laying public groundwork for updating the NATO
| mission, new departments/funding/laws/etc... That's not a
| general paranoia. I get this impression from the NATO
| statement itself.
|
| from P4:
|
| _China's growing influence and international policies can
| present challenges that we need to address together as an
| Alliance. We will engage China with a view to defending the
| security interests of the Alliance. We are increasingly
| confronted by cyber, hybrid, and other asymmetric threats,
| including disinformation campaigns, and by the malicious
| use of ever-more sophisticated emerging and disruptive
| technologies. Rapid advances in the space domain are
| affecting our security. The proliferation of weapons of
| mass destruction and the erosion of the arms control
| architecture also undermine our collective security._
|
| Promising to engage China, followed by nonspecific cyber,
| WMD & space threats.
|
| Here is where I _might_ be paranoid, cynical or whatnot. Is
| defense against cyberattacks the actual goal, or is
| cyberwarfare just another long term raison d'etre?
| refenestrator wrote:
| It's not about the specific allegations, it's about the
| posture and priorities of the security state.
|
| A few years ago, we ran out of fear and urgency on the
| Islamic terror thing and now we need a new top dog bad guy.
| elefanten wrote:
| So, in your view, is security simply not a problem? Is it
| all a giant lie to fund the security state?
|
| If not, where do you draw the line between
| real/legitimate security concerns vs. the fake ones?
| mcdonje wrote:
| That's clearly not their view. Blindly following liars
| into two wars has led to many avoidable casualties and
| has arguably made us less safe. The line between real &
| fake is the line between real & fake. We need to be on
| guard and insist on checking the intel before being led
| into another war.
| refenestrator wrote:
| Constant attempts to hack each other between rivals and
| even allies are not a big deal.
|
| I'm not saying this is fake, our people should be doing
| their job mitigating this stuff and hacking them in turn,
| but it being blown up into a Big Deal is part of the
| propaganda.
| dathos wrote:
| I think the Iraqi war was more frustrating than those two
| put together.
|
| You realize that this wasn't the first time the US did
| this, so I feel we should question these claims as much as
| possible.
| tablespoon wrote:
| >>> There is so much doubt in this comment section around
| the validity of the accusations.
|
| >>> We have a number of countries putting forward the
| knowledge they have mutually agreed upon. What is shared is
| known to a high degree of certainty. Any details that are
| questionable would not have been shared prematurely.
|
| >> "Simply stated, there is no doubt that Saddam Hussein
| now has weapons of mass destruction." -- Dick Cheney,
| before the US and coalition of the willing invaded Iraq.
|
| > I'd ask that we be more thoughtful on this and evaluate
| separate allegations on their own merits. Why do you think
| invoking Cheney's statement is relevant to this discussion?
|
| I think the logic is once an organization or its leaders
| get something wrong, you should never, _ever_ believe
| anything that organization ever says ever again. Even 20
| years later after the leadership and staff has turned over
| a couple times.
|
| Of course, that's a totally unworkable idea when applied
| consistently, so it's only used, knowingly or unknowingly,
| to reinforce existing biases.
| DiogenesKynikos wrote:
| It's not a question of getting something wrong. The Bush
| administration carried out a massive disinformation
| campaign to convince the public that Saddam had WMD -
| something they knew they had no good evidence for. Large
| parts of the media and most senior politicians in both
| major parties (including the current President of the US)
| went along with this disinformation campaign.
|
| After that experience, I'll believe the US government
| only when they make all their evidence public, and even
| then, I'll be exceedingly skeptical.
| tablespoon wrote:
| > After that experience, I'll believe the US government
| only when they make all their evidence public, and even
| then, I'll be exceedingly skeptical.
|
| So who do you think carried out these attacks? Do you
| think that China does not carry out any offensive
| hacking? Do you think they do, but avoid the US for some
| reason?
|
| IMHO, these allegations are plausible enough to believe
| without strong evidence to the contrary. Taking the
| experience with the Iraqi WMD allegations as your North
| Star (to the exclusion of all other factors) seems like a
| heuristic that will be wrong far more often than it's
| right, and more often wrong than alternative heuristics.
| DiogenesKynikos wrote:
| Simply stated, the say-so of the US government does not
| change my belief either way.
|
| If they claim to have evidence but don't provide it, I
| assume they don't have evidence, or that the evidence is
| weaker than they are claiming. If they do provide
| evidence, I consider the possibility that it has been
| tampered with, that its provenance is dubious, or that
| contrary evidence has been concealed.
|
| We're talking about professional liars here. Not
| everything they say is wrong, but everything they say is
| suspect.
| throwawaycuriou wrote:
| There is more than the most recent Iraq war. There is
| Vietnam (Gulf of Tonkin) and the Spanish-American War (USS
| Maine sabotage). Several others.
|
| It's not disingenuous and it's not discrediting _any_ future
| allegation, but to appropriately raise the threshold before
| belief.
| bradford wrote:
| Everything you said would be true if today's accusations
| were a pretext for armed conflict, but I don't believe
| we've reached that level of escalation. Do you?
|
| Accordingly, I don't find comparison to prior wars
| helpful for discussion. Obviously opinions here may
| differ...
| throwawaycuriou wrote:
| I do not expect that even if there was truth to the
| matter that war would be a direct consequence. I agree
| that citing historical false pretexts for war reduces the
| surface for debate of the validity of allegations of
| state-sponsored cybercrime. I should not have contributed
| in this manner. My apologies.
| mjreacher wrote:
| I always see this trotted out to say that Iraq did not
| possess WMDs, however technically it is wrong, as WMDs
| (chemical weapons in this case) were found after the
| invasion (see
| https://en.wikipedia.org/wiki/Iraq_and_weapons_of_mass_destr...).
| While there was no evidence of nuclear
| weapons or an active program I believe that a better quote
| should be used since the pretences that it is quoted for are
| technically wrong.
| throwawaycuriou wrote:
| Of course, because WMD is a manufactured phrase with
| tautological utility. A kitchen knife wielded in a sinister
| way is capable of mass destruction.
| elefanten wrote:
| No, there's a pretty stable presumptive meaning of
| "weapons of mass destruction". It means radiological,
| biological and chemical.
|
| There are always people trying to expand the definition,
| but it's usually from more left-leaning critical schools
| of thought that want to classify landmines, sanctions or
| guns as WMD.
|
| But in official usage, it's been pretty stable at those
| three.
| throwawaycuriou wrote:
| The utility is in the muddying. To use the broader term
| (WMD) instead of the specific (chemical weapons) is to
| imply the broader abuse. While the specific abuse is
| something the US turned a blind eye to a generation
| previously (chemical weapons by Iraq against Iran)
| Apofis wrote:
| Yeah, it turned out to be ISIS.
| deregulateMed wrote:
| Not commenting on OP, but you are talking about a single US
| regime.
|
| And many countries did independently investigate, and refuse
| help.
| AndrewUnmuted wrote:
| Many countries did also provide help, even though they knew
| the "single US regime" was likely to be lying &
| fabricating.
|
| This regime has remained in power ever since Bush's 8 year
| reign of terror. In fact, they were in power even before
| George W. Bush's administration. The name of the president
| may change, but the people running the US war machine
| remain the same.
| SpicyLemonZest wrote:
| From late 2002 to 2003, it was very much the international
| consensus that Iraq might have active WMD programs. The
| Security Council never authorized a war, but they did issue
| a unanimous resolution declaring that Iraq was in violation
| of its disarmament obligations and offering "a final
| opportunity to comply".
| GordonS wrote:
| Actually, the US worked to fabricate evidence in
| collaboration with the UK too. The UK had an expert produce
| the so called "dodgy dossier", that was used as Blair's
| justification to follow the US into their illegal war. The
| media called it out as obvious bullshit, then the guy that
| produced the report _allegedly_ committed a timely suicide.
| 2OEH8eoCRo0 wrote:
| Source please.
| GordonS wrote:
| I doubt you'll find a credible source - the security
| services are after all very good at what they do. It's all
| circumstantial, but at the time you'd have been hard-
| pressed to find a single citizen who believed Kelly very
| conveniently killed himself at just the right time to
| prevent further damage to the government and their web of
| lies with the US.
| SpicyLemonZest wrote:
| I'm not sure I see what the theory is here. I could
| understand an argument that Kelly was killed to send a
| message, but it's hard to see what damage it could have
| prevented. If anything, his death confirmed the web of
| lies; the whole thing wouldn't have been a big deal if it
| were just a question of minor messaging details as the
| government was claiming.
| GordonS wrote:
| It wasn't about sending a message. The theory is that Kelly
| could have revealed he was told to fake evidence, and
| could have provided confirmation of who knew what, and
| importantly, when.
|
| It was about timing too - it was a critical point for
| Blair and Bush getting the war they so desired. Keeping
| in mind there was already huge opposition to the war,
| proper 1st hand evidence being revealed at that point
| could well have resulted in Blair having to stand down,
| and potentially even the British not joining the war.
| Which of course the US services would not have liked.
| SpicyLemonZest wrote:
| The timeline's definitely not right for that. The British
| had already joined the war; Kelly died 4 months after the
| invasion.
| 2OEH8eoCRo0 wrote:
| That's shit though. That can be said of anything. Moon
| landings were faked but the CIA is very good at what they
| do.
| GordonS wrote:
| There is a bit of a difference - we have an _abundance_
| of evidence disproving the fake moon landing stories.
| OTOH, there were no witnesses of Kelly's death, and the
| timing was so _very_ convenient - frankly, it's naive to
| think our security services wouldn't do this, especially
| with what was at stake. Keep in mind the US and UK
| were _fabricating evidence_ as justification for an
| _illegal war_. One that they knew would claim many, many
| casualties, and for which they must have known would end
| up destabilising the whole region and growing
| fundamentalists and terrorists (this was certainly
| obvious to many at the time).
|
| I do see your point, mind, but I don't think such damning
| circumstantial evidence is "shit"; by that logic, MI6
| could never be responsible for anything, unless of course
| they signed a confession.
| irthomasthomas wrote:
| The first hit for "dodgy dossier suicide" is
| https://en.wikipedia.org/wiki/David_Kelly_(weapons_expert)
|
| Edit: I can't reply to the child but here are some
| salient quotes from the wiki...
|
| "I will wait until the end of the week before judging -
| many dark actors playing games. Thanks for your support."
| - Dr Kelly
|
| "it was subsequently established that neither the knife
| nor the blister packs showed Kelly's fingerprints on
| their surfaces"
|
| "The former leader of the Conservative Party, Michael
| Howard, and the former Liberal Democrat MP, Norman Baker,
| both think Kelly was murdered.[173] In 2007 Baker
| published The Strange Death of David Kelly in which he
| argued that Kelly did not commit suicide."
| 2OEH8eoCRo0 wrote:
| That's a source that a man killed himself. It was
| suggested he was actually murdered by the Brit govt.
| Source for that claim?
| wyuenho wrote:
| But the EU didn't join the war.
| DiogenesKynikos wrote:
| The EU doesn't ever go to war. Individual EU countries
| do.
|
| The UK, Spain, Italy and a few other EU countries took
| part in the illegal invasion of Iraq.
| baby wrote:
| Thanks to France.
| fuggggff wrote:
| There's NEVER any evidence posted, just "experts agree". In the
| past they at least trotted out that a "russian IP" or a
| "Chinese tool" was used ( e.g. the strings command showed
| Chinese strings in the binary). Evidence so flimsy a computer
| literate teenager would not be convinced. Now they can't even
| do that?
|
| Sorry but a bunch of politicians agreeing isn't evidence. I
| have a higher standard.
| throwaway210222 wrote:
| > What is shared is known to a high degree of certainty.
|
| Not to me, not to you. You're just believing them. My kid
| believes in Father Xmas "to a high degree of certainty."
|
| See also Dick Cheney
|
| They could just give us the evidence.
| xwolfi wrote:
| I was in France when the US started the Iraq war, now I live in
| China. Sorry if I doubt lol, it's just impossible to trust them
| now. And the attacks and humiliations I faced as a French (soft
| ones, ofc, in the US medias) really didn't help.
|
| So no, having a lot of countries saying China bad poopoo
| together is not enough anymore for me.
| Leary wrote:
| I would be happy to believe them if they released more
| technical details. Otherwise, just sounds like a typical "best-
| guess" based on geopolitical considerations.
|
| For example, the NYTimes just published a piece about a "Rogue"
| section of the Commerce Department that used racial profiling
| targeting Chinese Americans:
|
| https://www.nytimes.com/2021/07/16/us/politics/commerce-depa...
| stevenicr wrote:
| I don't think they should share more tech details.
|
| I recall an incident long ago where it was back and forth -
| you don't know, we know, you don't have proof, we have proof,
| share proof - it's all bs.. then the frustrated investigators
| released a trail of this addy, this pic, which was also used
| for this and that..
|
| what came of it?
|
| not a damn thing changed other than teaching the other side
| what they needed to not do to not get caught in the same way.
|
| If we are not going to put a missile into a building to stop
| office building 123456 - because of their theft, then keep
| the proof under wraps.
|
| a public statement like this does nothing but make it
| reasonable for us to continue similar theft - meh. no proof
| needed for that.
| tjpnz wrote:
| I'm surprised given how much of it is already in plain sight.
| Sit down with any security engineer and you're going to hear a
| bunch of stories about strange network activity they've
| observed over the years. And this is just the stuff that's been
| detected.
| GaltMidas wrote:
| I don't think Chinese cyber spying is really news to anyone.
| What's different about this now is that the U.S., a few others
| and notably, NATO are specifically calling out China for it.
|
| That's a pretty heavy diplomatic change. Especially the inclusion
| of NATO.
| roenxi wrote:
| The US intelligence services have specific tools to fake the
| source of a cyberattack. I really don't know what anyone thinks
| "...accuse China..." means in such headlines.
|
| It could be anyone.
| Leparamour wrote:
| Is this damage control to distract from Israeli companies NSO and
| Candiru being caught running malware for despots to target
| journalists and activists?
|
| The timing surely is peculiar.
| irobeth wrote:
| This is maybe the fifth time this year I've seen Israel used as
| an immediate deflection subject in China-related cybersecurity
| news posts; is that a trend anyone else has picked up on? just
| me?
| adflux wrote:
| Classic whataboutism, happens when news articles criticise
| Russia, China or the US very frequently.
| Leparamour wrote:
| No, it's just you. Yesterday we had worldwide coordinated
| reports of shady Israeli companies getting innocent people
| killed and suddenly there's haphazard "breaking news" report
| on big bad CHHHIIIINNNAAA.
| bmsd_0923 wrote:
| I completely fail to see why this post was flagged. This is a
| legitimate question that every thinking person needs to be
| asking themselves right now.
| ivanstame wrote:
| Go to hell with the US, this statement is just way too
| hypocritical.
| _rmrf wrote:
| Why does the article use the flag of vietnam?
| codetrotter wrote:
| My guess would be that the illustrator decided to zoom in on
| the biggest star in the Chinese flag and was unaware that this
| made it look like the flag of Vietnam.
| nabla9 wrote:
| This is a messy article. There are multiple things happening at
| once.
|
| Attack vs. espionage are treated differently.
|
| Espionage is done with the intention to steal information.
| Espionage is relatively normal between states. Condemn, file
| charges, then do the same back at them.
|
| Attack is when the intention is to cause harm or coerce.
| Ransomware, intentionally disrupting or destroying systems.
| Attacks from foreign government or entities acting on behalf of a
| government are essentially acts of war.
|
| The West is condemning together "mixing" where Chinese government
| sanctioned groups are doing attacks for financial gain on the
| side. China should spy responsibly and stop attacks.
| samuelizdat wrote:
| And? U.S. and key allies install backdoors in device firmware and
| embedded chips from manufacturers to spy on their own citizens.
| Why should we care at this point? We've had over 20 years to have
| this conversation, too late now. lol
| HaloZero wrote:
| I recommend reading "The Perfect Weapon: How the Cyber Arms Race
| Set the World Afire" if you're interested in learning more about
| cyberattacks over the past decade and the geopolitics of it.
| [deleted]
| endisneigh wrote:
| why impose sanctions on Russia and not China? The article implies
| that allies would not agree to sanctions which is fair enough,
| but the USA can still do something alone, no?
| pletsch wrote:
| China will probably deny it regardless of what other countries
| say. Beyond that, attribution isn't made by IP addresses.
| dangerface wrote:
| Usually they get some of the hackers' tools / code and analyse
| that to discover the origin. They look for strings in a foreign
| language but mostly the grammar of the language is used as
| hackers will often write comments in a foreign language to try
| and make it difficult to originate.
| dragonelite wrote:
| Didn't Vault 7 reveal the NSA had tooling to make hacks look
| like Russian and Chinese hacks Umbrage and the marble
| framework. Wouldn't be surprised they will use these hacking
| threats to create a western great fire wall. Pompeo already
| talked about it with the Clean network Initiative.
| aww_dang wrote:
| Will someone accuse Microsoft of publishing vulnerable software?
| blackbear_ wrote:
| Microsoft will be accused of inserting backdoors that are
| accessible to non US-affiliated actors /s
| ChemSpider wrote:
| The issue is not that a random guy on the internet hacks the
| software, but a _state_ actor.
| aj3 wrote:
| Eh, the issue was found by a random (Chinese) guy on the
| internet. And it was reported to Microsoft in the beginning
| of January. It got leaked and once you have the exploit chain
| - yeah, pretty much any random guy on the internet could use
| it for hacking. A few days after MS disclosure there were in
| fact independently produced exploits by other random guys.
| aww_dang wrote:
| The solution is the same in both cases. Don't use vulnerable
| software. The problem starts with the same actor in both
| cases, Microsoft.
|
| I feel bad for the admins who are stuck with these systems.
| ChemSpider wrote:
| So you think that a Linux mail server is unhackable for a
| state actor?
| apercu wrote:
| Lol. Love it. Don't use Microsoft, instead become an
| expert in cisco OS and Linux and don't spend any time
| generating anything of economic value but instead spend
| all your time securing your infrastructure and doing pen
| tests.
|
| (yes, if you are expert open source is easier to secure
| maybe, at least that was my experience 20+ years ago. Now
| I mostly pay companies like microsoft to host my stuff so
| I can do billable shit).
| aww_dang wrote:
| Nothing is perfect. I'm sure nobody here is proposing
| that. However the lack of perfect alternatives doesn't
| excuse Microsoft's or specifically MS Exchange's
| reputation.
|
| https://en.wikipedia.org/wiki/Nirvana_fallacy
|
| https://www.cvedetails.com/product/194/Microsoft-Exchange-Se...
| ahiknsr wrote:
| > Don't use vulnerable software
|
| Is there any widely used software that doesn't have any
| vulnerabilities?
| AnIdiotOnTheNet wrote:
| > The solution is the same in both cases. Don't use
| vulnerable software.
|
| So, basically, don't use software. Actually, given the
| horrific state of modern software, I can get behind that.
| aww_dang wrote:
| You digress, but you're onto something here. I suspect
| I'm not the only one who cringes at bloated packages and
| sometimes rolls my own alternative.
| therealEleix wrote:
| This is sadly true. We need to return back to the Unix
| Philosophy of do one thing and do it well. None of these
| multi-purpose tools that have terrible feature creep and
| try to take over everything _cough_ systemd _cough_. In
| all seriousness though, a lot of software that should be
| simple and easy to audit ends up having all these
| dependencies that are either no longer maintained or doesn't
| get the necessary code reviews and it isn't until
| stuff like this happens that it actually comes to light.
|
| I'm all for re-using code when rebuilding the wheel would
| be a hassle but it has to be balanced with proper code
| review before it should be included. Developers are much
| too quick to include outside code with the assumption
| that other people have already done the necessary reviews
| and this is where a lot of devs are getting bit.
| maximus-decimus wrote:
| They're not digressing. There is no such thing as not
| vulnerable software. Especially if the attacker is the
| government of one of the most powerful nations on Earth.
| jimmy2020 wrote:
| If someone robbed your apartment would it be convenient to
| accuse you of low-security procedures instead of condemning the
| bad actors?
| apercu wrote:
| I get your metaphor but I don't think it meets the situation.
| If you were paying a security guard to watch your apartment
| and they instead went to guard some other place for
| additional money for 2 hours and then your apartment got
| robbed, well, that security guard is Microsoft in this
| example.
| marcosdumay wrote:
| If you bought a security door, and the thieves just had to
| knock on it on the right frequency to open, yes, you would
| accuse the door seller of fraud.
| dahfizz wrote:
| Locks get picked literally all the time, and nobody sues
| lock makers. Perfect security does not exist.
| aww_dang wrote:
| Security can never be perfect. However negligence, bloat
| and poor design decisions are still a thing. The ideas
| are not mutually exclusive.
| dahfizz wrote:
| And you can confidently claim that Microsoft was
| negligent here? You have in depth knowledge of their
| architecture decisions?
|
| How confident are you that you could write an email
| server that could withstand extended attacks from nation
| states?
| aww_dang wrote:
| So if I personally haven't written an email server, then
| I shouldn't criticize MS Exchange?
|
| How would that work for something like a Boeing 737 max?
|
| Yes, I am confident I could process text over the network
| without (42) remote code execution vulns.
|
| https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...
|
| >Microsoft revealed that these vulnerabilities had
| existed for around 10 years
|
| https://en.wikipedia.org/wiki/Microsoft_Exchange_Server#Vuln...
| aww_dang wrote:
| If the property management company demanded that I use
| Insecure Brand locks on my front door, I'd have an issue with
| that. Of course that wouldn't excuse the robbers, but
| continuing to use Insecure Brand locks wouldn't be advisable.
| I'd also take exception if IB Locks or the property
| management company marketed themselves as a security oriented
| company.
| jimmy2020 wrote:
| > continuing to use Insecure Brand locks wouldn't be
| advisable.
|
| Agreed. Microsoft should clarify how this happened and what
| measures it will take to prevent this incident from
| happening again. Still, the problem is with robbery and it
| should be condemned. Why changing the subject to Microsoft?
| I don't think whataboutism is the valid argument here.
| A4ET8a8uTh0 wrote:
| It is not whataboutism. It is about 3 decades of
| seemingly intentional inability to deliver secure product
| on the mildly evil calculation that the subscriber will
| need 'security updates' and 'support'.
|
| There is a good argument to be made that Windows is a big
| target, but they should at least try not making it so
| easy.
| jimmy2020 wrote:
| > It is about 3 decades of seemingly intentional
| inability to deliver secure product.
|
| This is a consumer choice. You don't trust Microsoft, you
| don't use its services. On the government level, you ask
| for regulations if the situation is escalated (if
| necessary). But dealing with global cyberattacks is not
| Microsoft's problem and it's not connected to one company
| or one service. It's an international responsibility to
| act and establish a framework that prevents such attacks.
| Woodi wrote:
| Look, you could be right in... usual case.
|
| But we speaking freaking NATO here !!!!! Do you attach
| string to hand grenade and hand other side to your
| adversary ? And then argue that someone pulled it ??
|
| Microsoft Windows and Microsoft Exchange is SYNONYM to
| "security HOLE" ! So tell me - why customer NATO _choose_
| to use this ?
| jimmy2020 wrote:
| I don't think NATO has any value here. It's a signal of
| unity not just to China but to Russia. This is how Biden
| admin defines "America is back". So it might be
| aggressive but actually, it's a unity message. Us, the
| allies, against them the adversaries.
| A4ET8a8uTh0 wrote:
| Just the other day I was listening to a radio show (
| further right than shown in mainstream ), where a user
| was clamoring for a proper locked down version of Windows
| where nothing can go wrong.
|
| The current situation ( and the resulting clamoring ) is
| absolutely a direct result of people who create this
| software. Trying to shift the blame onto nonexistent
| framework is at best laughable and at worst very
| deceptive. It absolves MS and its engineers from guilt
| associated with it.
|
| To put it another way, if those engineers were bridge
| engineers, we would now be witnessing multiple collapses
| with swathes of engineers arguing that it is not their
| fault as 'there is an international responsibility to act
| and establish a framework' that prevents bridges from
| falling apart.
|
| I am sorry. I do not buy this defense. As an architect,
| you should know better.
| jimmy2020 wrote:
| You have a valid point. I am not arguing against it. I
| was trying to say discussing how MS deals with the
| subject is not the point. But after reading your recent
| comment, well, I guess we should talk more about MS
| failure.
| TeMPOraL wrote:
| A better analogy would be, if you were a company selling
| doors - after a string of break-ins involving some group
| casually walking through your products like they weren't
| there, somebody would eventually start asking about your
| responsibility.
|
| (Maybe "cyber insurance" needs to be a thing in the SMB
| world? As much as I feel it's currently mostly nonsense,
| maybe it's serviceable. In the physical world, it seems the
| driving force behind buying security measures is not the
| (unlikely) possibility of being a victim of a break-in, but
| the (more likely) possibility of not getting insurance to
| cover it.)
| apercu wrote:
| Cyber Insurance is a huge growing sector in Toronto at
| least, and I worked on strategy for a "startup" in the
| space last summer.
| jimmy2020 wrote:
| You can't sell doors unless there's clear law enforcement
| that prohibited criminal activities. You need an
| environment to operate.
| aww_dang wrote:
| https://en.wikipedia.org/wiki/Portcullis
| jimmy2020 wrote:
| > Portcullises fortified the entrances to many medieval
| castles, securely closing off the castle during time of
| attack or siege.
|
| Is the US in a state of war with China? Do we need
| medieval tactics to deal with cyber security? Why
| insisting on blaming the victim.
| [deleted]
| the-dude wrote:
| _Windows_ instead of doors would have worked just as well.
| gruez wrote:
| >A better analogy would be, if you were a company selling
| doors - after a string of break-ins involving some group
| casually walking through your products like they weren't
| there, somebody would eventually start asking about your
| responsibility.
|
| Actually most locks are susceptible to being picked (ie. a
| known exploit), so what you're describing is already the
| case, minus the lawsuits.
| ratww wrote:
| Locks being susceptible to lock picking actually turns
| into a feature when, for example, you're locked out or
| lose your keys: you just call a locksmith and they pick
| it for you.
|
| There's no perfect security in the real world.
| whoaisme wrote:
| Your analogy sucks - MS would be more akin to a
| company that sells houses. When are developers responsible
| for housing security? If you're going to criticize an
| analogy and propose another it ought to be better rather than a
| garbage one.
| dmix wrote:
| > Following Microsoft's original disclosure in early March 2021,
| the United States Government also identified other
| vulnerabilities in the Exchange Server software.
|
| > Rather than withholding them, the United States Government
| recognized that these vulnerabilities could pose systemic risk
| and the National Security Agency notified Microsoft to ensure
| patches were developed and released to the private sector.
|
| Finally they seem to be starting to take the defence of citizens
| and private industry seriously - in a far more public forum.
| Instead of just hearing the odd story of this happening through
| back channels.
|
| From the linked press release:
|
| https://www.whitehouse.gov/briefing-room/statements-releases...
| deepstack wrote:
| >> Rather than withholding them, the United States Government
| recognized that these vulnerabilities could pose systemic risk
| and the National Security Agency notified Microsoft to ensure
| patches were developed and released to the private sector.
|
| It is amazing that NSA had to notify Microsoft. You would think
| a company with that much money like MS, they would have dropped
| several millions on a few pen test, and independent security
| audit companies.
|
| Digital security will never be trusted unless these things are
| addressed in an open transparent way.
| marcellus23 wrote:
| How do you know they're not doing exactly that? For every 1
| vulnerability that gets disclosed, we have no clue how many
| potential vulnerabilities were caught by security testing or
| practices. The entire nature of security is that it's
| impossible to have literally 0 vulnerabilities.
| fulafel wrote:
| You are hugely overestimating the level of security of
| software like this. There's a constant stream of
| vulnerability discoveries, disclosures and fixes. Those
| vulnerabilities don't pop into existence the week someone
| publicly discloses them and informs the vendor, they've been
| waiting there for anyone to find them for years.
|
| If MS wanted to replace a product like this with one that has
| a low probability of containing any remotely exploitable
| vulnerabilities, they'd have to go back to the drawing board,
| do a full rewrite with a completely different sw development
| process, take a lot of time or make some major functionality
| compromises (or probably both).
| _wldu wrote:
| It's not possible to find all the bugs and they only get
| noticed when they fail to find one. No one recognizes all the
| bugs that they continually find and fix.
| dahfizz wrote:
| I don't understand why HN has such a flippant attitude
| towards cybersecurity. You would think a forum full of
| developers would understand the complexity of software.
|
| But the "just hire a pentester and you'll never have any
| bugs" and "just follow some (ill-defined) 'best practices'
| and you'll never be hacked" attitudes are so prevalent.
| runawaybottle wrote:
| If you are not outsourcing security, then you are not
| taking it seriously. It is the one thing where you need to
| give the job to the best person.
|
| But, we're more likely to outsource the one thing you don't
| need to outsource, like app developers.
| tablespoon wrote:
| > I don't understand why HN has such a flippant attitude
| towards cybersecurity. You would think a forum full of
| developers would understand the complexity of software.
|
| HN is also full of contrarians and people who like to feel
| superior than everyone else (and often express that through
| flippant dismissals).
| pletsch wrote:
| > You would think a company with that much money like MS,
| they would have dropped several millions on a few pen test, and
| independent security audit companies.
|
| Are you under the impression that MS doesn't spend millions
| on security? They're currently spending roughly $1b/year.
| This isn't going to be fixed by "a few pen test"
| sandworm101 wrote:
| If they are spending a billion, these flaws show that
| obviously isn't enough.
| billyhoffman wrote:
| The challenge the NSA has is it possesses 2 separate missions
| that are often in direct conflict: secure the communications of
| the United States, and to collect, eavesdrop, and compromise
| the communications of other countries.
|
| The United States Atomic Energy Commission of the 1950s and 60s
| had the same problem. Their mission was to both regulate
| nuclear power as well as research and promote the widespread
| adoption of nuclear power. Making things safe and keeping them
| safe while also making things easy and cheap are often in
| conflict. Ultimately it was split into two different agencies:
| One tasked with regulation and one tasked with research and
| promotion.
|
| I believe both missions of the NSA are important. However I
| believe it should be split into two agencies each
| enthusiastically pursuing a single mission to the best of their
| abilities.
|
| Imagine a cyber defense agency that does nothing but find and
| fix holes in computing infrastructure and major software
| projects. It pays for exploits and then works to patch them,
| promotes bug bounties, develops secure coding standards, audits
| open source projects, etc. Imagine something like The National
| Endowment for the Arts (NEA) that instead funds critical pieces
| of software like openSSL, etc.
|
| Is that necessarily the best form? Probably not but it's way
| better than what we have now: every time the NSA suggests
| changes to "make something more secure" there is a looming
| specter that they are lying and are actually trying to
| compromise things.
| AlexSW wrote:
| For what it's worth, I think this is the NCSC in the UK.
| CivBase wrote:
| > The challenge the NSA has is it possesses 2 separate
| missions that are often in direct conflict: secure the
| communications of the United States, and to collect,
| eavesdrop, and compromise the communications of other
| countries.
|
| I don't know... isn't that like saying a military general has
| 2 conflicting missions: offense and defense? We trust
| military leaders with both duties, even though they could
| theoretically sacrifice everything to achieve victory.
|
| > I believe both missions of the NSA are important. However I
| believe it should be split into two agencies each
| enthusiastically pursuing a single mission to the best of
| their abilities.
|
| If you split the NSA in two, wouldn't you just have two
| agencies working against each other? And it would essentially
| give the offensive agency full permission to hoard security
| flaws to the detriment of the nation it serves.
|
| I think a better solution is to clearly establish the
| relative priorities of each mission. IMO, the NSA should
| always prioritize the security of the USA's (and its
| allies') technological infrastructure over attacking its
| enemies'.
| cloverich wrote:
| Genuinely curious about the downvotes on this. I know
| political stances often trump generally reasoned arguments
| on HN -- is it that this thread isn't _outright_ anti NSA?
| SpicyLemonZest wrote:
| Probably. I know people in my circles who believe without
| caveats or qualifications that the NSA is evil, that we
| just shouldn't have spy agencies at all, and wouldn't
| entertain any sort of abstract discussion of how the work
| should be organized.
| pjmorris wrote:
| > Imagine a cyber defense agency that does nothing but find
| and fix holes in computing infrastructure and major software
| projects. It pays for exploits and then works to patch them,
| promotes bug bounties, develops secure coding standards,
| audits open source projects, etc. Imagine something like The
| National Endowment for the Arts (NEA) that instead funds
| critical pieces of software like OpenSSL, etc.
|
| I like this idea. At the same time, I think the agency - or
| organization, if you prefer - should look something like the
| National Transportation Safety Board, where incidents are
| investigated, reported on, and recommendations are made in a
| way that improves user safety. Maybe the 'National Digital
| Safety Board'?
| hirako2000 wrote:
| Or they should stop stealing taxpayers' money and dissolve
| these agencies. The one thing they are good at is digging
| deeper and deeper the debt account, for virtually no
| benefit, and surely nuisance and worries.
| pjmorris wrote:
| Are you saying that the market, such as it is, is doing a
| good enough job of managing software vulnerabilities and
| their consequent breaches?
| tablespoon wrote:
| > I like this idea. At the same time, I think the agency -
| or organization, if you prefer - should look something like
| the National Transportation Safety Board, where incidents
| are investigated, reported on, and recommendations are made
| in a way that improves user safety. Maybe the 'National
| Digital Safety Board'?
|
| I like it too, but I also think it would need to be
| backed by some kind of regulatory agency that could issue
| the cybersecurity equivalent of an "Airworthiness
| Directive". Otherwise we'd be in a similar situation to the
| one we have now: lots of information about vulnerabilities
| that are often not acted upon.
| tablespoon wrote:
| > I believe both missions of the NSA are important. However I
| believe it should be split into two agencies each
| Enthusiastically pursuing a single mission to the best of
| their abilities.
|
| At least with cryptography, I'm not sure how practical that
| is. I'm not a cryptographer, but my impression is that offense
| and defense both deeply inform each other in that space.
| throwaway4good wrote:
| The EU does not accuse the Chinese government of being behind the
| attacks.
|
| This is the EU press statement:
|
| https://www.consilium.europa.eu/en/press/press-releases/2021...
|
| China: Declaration by the High Representative on behalf of the
| European Union urging Chinese authorities to take action against
| malicious cyber activities undertaken from its territory
| throwaway4good wrote:
| An indication that the EU does not believe the probably
| American intelligence assessment that these hackers operate on
| behalf of the Chinese government.
| krageon wrote:
| When the US was angry with Russia everything was suddenly
| Russians. Now they're being difficult at China, and suddenly
| China is the country doing everything wrong. That anyone
| still takes them seriously is to my mind an incredible
| miracle.
| aj3 wrote:
| Not the same thing. The Solarwinds saga (the one Russians are
| blamed for) was 1) extremely targeted and 2) extremely
| sophisticated. Exchange attacks on the other hand were
| indiscriminate (not targeting any single country or
| infrastructure, just unpatched Exchange servers) and very
| simple (they used a 0day chain, but it was three months old
| and likely somehow leaked as multiple groups got access to
| it at the same time).
| apercu wrote:
| Not suggesting at all that the USA is some benign
| superpower, but Russia is run by a criminal gang and China
| by a despot and a corrupt communist party.
|
| Note that I am a US citizen that expatriated after the
| second gulf war.
|
| So I am not a fan of the US gvmt, but if you think for a
| second that the Chinese and Russian governments AREN'T
| doing the things they are accused of, you are naive.
| hungryhobo wrote:
| Just curious, have you visited China before? Or seen
| first hand what it's actually like? You seem to have a
| very strong opinion, yet I'm not sure if they are based
| on reality or not.
| elefanten wrote:
| This is a weird comment. Gp wasn't talking about day to
| day life or what cities look like or anything like that.
|
| Going to China wouldn't teach you much about its
| government structure and governance. It's not like you
| can just walk in and observe party cells interacting with
| company leadership.
|
| You don't need to go to China to know what the government
| structure is, what foreign policy it conducts and what
| kind of economic behavior is clearly not just condoned
| (small scale hacking, data harvesting) but encouraged
| (fishing other nations' territorial waters) or even
| demanded (foreign business ownership requirements, IP
| transfer requirements) by the party.
|
| You don't need to go to China to hear reports from
| dissidents experiencing internment, forced labor and
| cultural genocide. Or to see all the broken international
| agreements and sovereign promises, eg the early
| destruction of a free Hong Kong. Or to see the
| territorial expansionism in salami slicing illegal
| maritime boundaries.
|
| Or... most importantly, to understand that a despotic
| cartel that doesn't believe in individual human rights is
| a terrible form of human organization that has terrible
| externalities for the whole species and planet.
| mytailorisrich wrote:
| Not necessarily.
|
| What governments know based on intelligence and what they say
| publicly are not the same thing. If the EU thinks that making
| a direct public accusation would be antagonistic and would
| not serve their interests then they won't make one. That does
| not mean that they don't know what's going on, don't protect
| themselves, or even don't retaliate.
|
| This is effectively a PR campaign. What is its purpose? Is it
| a coincidence that it comes at the same time as this
| Pegasus/NSO story blows up?
| partiallypro wrote:
| Or it is simply that the EU has turned into such a massive
| trading partner with China that it can't publicly deal with
| repercussions and just puts its head down as the US points it
| out. Germany does this with Russia too. Ignoring a lot of
| what it is doing in Ukraine to remain in the good graces to
| secure gas pipelines. Just because the EU doesn't publicly
| say it doesn't mean it isn't privately agreed upon.
| wyuenho wrote:
| Apparently you haven't read it at all.
|
| > These activities can be linked to the hacker groups known as
| Advanced Persistent Threat 40 and Advanced Persistent Threat 31
| and have been conducted from the territory of China for the
| purpose of intellectual property theft and espionage.
| throwaway4good wrote:
| Which is quite different from saying it is being done by the
| Chinese government.
|
| Read the UK ditto for comparison.
| godelski wrote:
| > Which is quite different from saying it is being done by
| the Chinese government.
|
| Is it meaningfully different? Let's suppose that they
| aren't nationally funded. If there's a large group of elite
| hackers in your country generating international ill will
| is it not also your responsibility to shut them down? To
| work with the government of the country that these rogue
| hackers are attacking to find them? Not doing so is akin
| to endorsing the behavior.
|
| And it can't be anything else honestly. They are spy
| organizations, which are intentionally created to be
| difficult to track back to the funding government. We've
| seen the US do this for decades and have plenty of
| declassified documents to support this. It would be
| surprising if Russia, China, Germany, Australia, Israel, or
| anyone else didn't also operate in a similar fashion. If
| the method is effective then it is effective. The fact that
| a group resides in another country does not have any
| bearing on the effectiveness of the method.
| compsciphd wrote:
| Due to the level of control the Chinese government imposes
| on all the corporations within it, is it fair to say that
| such acts can't be done without the cooperation on some
| level of the govt?
|
| As opposed to many western countries where the companies
| might be patriotic, but they have minimal fear of taking on
| the government in general in the courts if they feel they
| are in the right. Perhaps Chinese companies have the same
| feeling of freedom, do they?
| throwaway4good wrote:
| No. It is not.
|
| China is a big country and the Chinese government does
| not control everything that is going on.
|
| Most hacking is done by kids with computers and uses
| trivial exploits: easy to guess passwords or security
| holes that are left unpatched for years after they are
| documented.
|
| Fairly regularly I get a phone call from a guy with a
| strong accent claiming to be from Microsoft support. No
| one blames the Indian or Bangladeshi government for that.
|
| Yet it is different for Russia and China.
| Proven wrote:
| > China is a big country and the Chinese government does
| not control everything that is going on.
|
| Yeah - just look at the sheer number of cyberattacks
| originating from mainland China targeting CCP and state
| owned enterprises!
|
| > Yet it is different for Russia and China.
|
| It's not, it's different only for mainland China.
|
| There are no indications Russia monitors _outgoing_
| Internet traffic nearly as closely as CCP.
| sidlls wrote:
| You're being deliberately obtuse about this. The simplest
| explanation for cyberattacks against high-profile targets
| coming out of countries like China (or the US, for that
| matter) isn't "rando script-kiddies having a laugh ha
| ha!". It's that their government intelligence forces did
| it.
|
| This kind of attempted misdirection is really common from
| people defending/spreading propaganda for the Chinese
| government. It's also similar to the excuses made when
| business partners with heavy government influence conduct
| scans and do other questionable things against US
| infrastructure. Apparently they think westerners are all
| too stupid or blind to understand what's happening. It's
| ridiculous.
| aj3 wrote:
| What you're missing is that these attacks weren't
| targeted. They scanned the internet and processed pretty much
| all accessible Exchange servers in the same manner. There
| were a few crews operating in parallel by the way which
| had access to the same exploit chain but different exploits.
|
| Some had certain variables hardcoded, e.g. Administrator
| user's name and their exploits worked with higher success
| rate in anglosphere, but failed in localized
| environments. Others had more advanced exploits which
| queried parameters instead of assuming them - those were
| more successful around the globe.
|
| Another nuance missing from popular press is that most
| groups in China (and Russia) are operating independently,
| but share tradecraft among them and occasionally engage
| with politicized missions (either working on explicit
| orders from government handlers or simply defending their
| beliefs hacktivist-style). This is what FireEye means by
| "affiliation with Chinese government", NOT "operates
| strictly on government orders".
| boomboomsubban wrote:
| Why is it deliberately obtuse to think that some of
| China's billion people could be independent black hat
| hackers? Are they incapable of being evil or greedy?
| sidlls wrote:
| They're not incapable of either. Are they as motivated as
| the government? In general, _no_. Genocidal dictatorships
| are more motivated than random script kiddies and "evil"
| black hat hackers to go after high profile government and
| government-adjacent (infrastructure) targets.
| boomboomsubban wrote:
| As the other commenter pointed out, these weren't really
| high profile targets. Hell, security groups found
| evidence they were planning to mine crypto on some of the
| servers. You don't need to be purposefully ignorant to
| question if private hackers were involved.
| wyuenho wrote:
| Whether the Chinese government has control over these
| APTs, the crime originated on Chinese soil, and it's
| their responsibility to deal with these threats. What's
| so hard for you to understand?
| sudosysgen wrote:
| I don't think this makes much sense. We don't even know
| if the APTs actually do operate on Chinese soil, much
| less that the Chinese government condones them.
|
| All we know is that they used Chinese IPs at some point
| and Chinese configured computers, and that they went
| after military targets.
|
| And we don't even know that these are the same APTs.
| wyuenho wrote:
| Yes we do.
|
| https://www.justice.gov/opa/pr/four-chinese-nationals-workin...
| dmhmr wrote:
| APT 40 and 31 are well documented [1] [2].
|
| [1] https://www.fireeye.com/blog/threat-research/2019/03/apt40-e...
|
| [2] https://research.checkpoint.com/2021/the-story-of-jian/
| woah wrote:
| Chinese citizens cannot even mention recent historical
| events in private messages on the internet without
| approval from the government, and you're trying to tell
| us that some "kids with computers" were able to carry out
| a sophisticated years-long cyberattack? "Kids with
| computers" might be plausible in a free country, but not
| in China.
| aj3 wrote:
| You obviously haven't met Chinese infosec researchers,
| have no knowledge about Chinese underground and are
| simply speaking from your biases.
| godelski wrote:
| > Due to the level of control the Chinese government
| imposes on all the corporations within it, is it fair to
| say that such acts can't be done without the cooperation
| on some level of the govt?
|
| Honestly even without the government imposing so much
| control on corporations I believe it is fair to say that
| the acts can't be done without cooperation on some level
| of the government. If there's an elite group of hackers
| in your country attacking a country and generating ill
| will then a hands off approach is condoning the action.
| The only way to condemn the action is to work with said
| country to apprehend said hackers. But headlines aren't
| "US and China work together to apprehend rogue elite
| hacking group."
| throwaway4good wrote:
| Here is the uk version:
|
| https://www.gov.uk/government/news/uk-and-allies-hold-chines...
|
| UK and allies hold Chinese state responsible for a
| pervasive pattern of hacking
|
| UK joins likeminded partners to confirm Chinese state-
| backed actors were responsible for gaining access to
| computer networks via Microsoft Exchange servers.
| wyuenho wrote:
| Here's the DOJ indictment
|
| https://www.justice.gov/opa/pr/four-chinese-nationals-workin...
| throwaway4good wrote:
| Thank you.
|
| These are worth reading. Even though I am not sure how
| much of it would be able to carry the burden of proof in a
| court.
|
| Similarly to the Russian hacking cases, these will never
| see an independent court meaning the prosecutor can
| politicize and speculate without limits.
| wyuenho wrote:
| They are not getting sent to the FISA court, that court
| only issues warrants. They are charged with conspiracy to
| commit economic espionage and conspiracy to commit
| computer fraud and are likely going to a federal district
| court.
| throwaway4good wrote:
| This case will never go to court.
| tablespoon wrote:
| >> These activities can be linked to the hacker groups
| known as Advanced Persistent Threat 40 and Advanced
| Persistent Threat 31 and have been conducted from the
| territory of China for the purpose of intellectual property
| theft and espionage.
|
| > Which is quite different from saying it is being done by
| the Chinese government.
|
| Who in China would be more likely to organize an espionage
| campaign? Espionage is a game played by governments.
|
| Your objection is like, after detecting a nuclear missile
| launch from the continental US, doubting that the US
| government was responsible.
| deregulateMed wrote:
| Doesn't China own 51% of all companies?
| wyuenho wrote:
| Not necessarily, there are different ways to control
| companies in China. The big and important ones tend to be
| JVs and the Chinese have various ways to control the board,
| whether it's 51% directly or via proxy. For smaller ones,
| they mostly just have a small CCP cell that reads CCP
| literature. It's like bible study groups, but on XJP,
| apparently.
| sudosysgen wrote:
| So which key allies follow the US accusation? Is the title just
| wrong?
| smrk007 wrote:
| > The U.S., NATO, European Union, U.K., Australia, Canada,
| New Zealand and Japan
| sudosysgen wrote:
| The parent says the EU doesn't actually support the
| accusations, so I don't know if the others are also true.
| fqye wrote:
| The USA hasn't yet provided evidence of Huawei spying for Chinese
| government.
| programmer_dude wrote:
| They don't need to; it is a reasonable assumption that all
| Chinese companies are hand in glove with the Chinese military.
| justicezyx wrote:
| If there was never evidence to anything, then it's reasonable
| to assume?
| programmer_dude wrote:
| The CCP/PLA can force any company operating within China to
| do its bidding. This is Chinese law. And this is common
| knowledge.
|
| Watch this: https://www.youtube.com/watch?v=ZrsOM8ww8ug
| tablespoon wrote:
| > If there was never evidence to anything, then it's
| reasonable to assume?
|
| In some cases, yes.
|
| For instance, I'm sure China wouldn't build its nuclear
| deterrent around some hypothetical US-made COTS "Nuclear
| Weapon Control System," even if there was _zero evidence_
| that system was compromised. Absence of evidence is not
| evidence of absence. Ditto with Huawei.
|
| IMHO, if its decision-making wasn't so addled by wishful
| thinking and capitalism, the US would use far less Chinese
| technology for this reason.
| president wrote:
| You realize that all "private" companies and citizens in China
| are extensions of the Chinese government right? By law, all
| companies require party affiliation. So naturally, there is no
| separation between Huawei and the Chinese government.
| mthoms wrote:
| They've been caught spying to further their own business
| interests.
| 1cvmask wrote:
| They are making accusations on China based on "educated"
| guesswork. The smoking gun is missing to "prove" provenance and
| attribution. In fact that is incredibly hard to prove.
|
| In Stuxnet for example, the alleged perpetrators hinted that they
| were behind it.
|
| Will the same countries and allies now condemn known, disclosed
| and proven cyberattacks sourced from other countries (with known
| state involvement and complicity) on activists and journalists
| that lead to imprisonment and death?
|
| And Microsoft has a very long history of vulnerabilities and
| hiding them. And then they will refuse to patch known
| vulnerabilities in lower versioned software trying to force large
| customers to do unwanted version upgrades and to adopt the more
| expensive SaaS offerings.
|
| They are now trying to force all customers off of the already
| paid for and cheaper on-prem Microsoft Exchange which is still
| the dominant software in the directory services market and trying
| to get all corporates onto Azure AD.
___________________________________________________________________
(page generated 2021-07-19 23:02 UTC)