|
China hacks. There's no doubt that it does--but nor is there doubt that many, many other people do. What should be doubted is that a Chinese military organization--a nefarious-sounding Unit 61398--is responsible for the specific trail of persistent industrial espionage in the United States by the group of hackers identified as Advanced Persistent Threat 1, or APT1.
Reading the NYT, WaPo, and WSJ, you'd be forgiven for not knowing that fact. After all, this is what they state:
A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.
An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
This is mild compared to what the WaPo and WSJ have been harping on. Bloomberg, The Atlantic, Business Insider... all of them are repeating it. It must be true, right?
Wrong. Here's why--
The Mandiant report doesn't actually check off competing hypotheses for the behavior it observes. In other words, it doesn't consider what other things could be happening that create the evidence it's captured.
In order to tie APT1 to Unit 61398, Mandiant presented the following evidence from their recent report:
![image](http://i.imgur.com/MMbpEL9.png) ![image](http://i.imgur.com/rUvgiBY.png)
Unfortunately for Mandiant, the above, while substantive, isn't convincing. This is because plausible other causes exist for each of the above phenomena:
- Mission area: Russia, Israel, France, and other non-English countries steal IP from English-speaking organizations and their scientific priorities often are the same as those in China's 5-year plans--those priorities are often so broad as to encompass nearly every possible scientific activity
- Tools, Tactics, and Procedures: Just being organized and military-style is no indication of China. There are over 30 nations with active commands that run "mil-grade computer network operations"
- Scale of operations: Organized crime families known to be engaged in IP theft, as well as commercial hacker rings, are all known to have dozens to hundreds of members; and over a half-dozen nations worldwide have 1000+ people in their cyber warfare commands
- English language proficiency/recruiting from universities: Most military and intelligence agencies have people that know how to speak English, and most of these agencies partner with their nation's universities for top talent
- Shanghai phone number/Pudong New Area IP blocks/Simplified Chinese language settings: Pudong New Area has about 5.4 million people, with a GDP of above 50 billion dollars. Foreign investment in Pudong varies between 4 and 8 billion dollars a year, going into some 11,000 different companies registered there. And obviously, most of the computers in Pudong have Chinese language settings. Based on population and business density in Pudong, a Shanghai number or IP block is pretty meaningless. Pudong New Area is literally the Chinese equivalent of Manhattan Island. It would be like Russia saying that since the US has a cyber unit in Manhattan, and somebody in Manhattan is hacking Russia from an English-language OS, then it must be that specific US cyber unit.
- APT1 persona self-id'd location in Pudong: I'll leave it to you TL users to guess why using somebody's forum-listed location as a clue to their real location is retarded.
(h/t: Jeff Carver, CEO of cybersec firm Taia Global)
There are other arguments against their hypothesis as well:
The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn – all of whom have active hacker populations.
The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the “same universities used by the Chinese military to attack U.S. military contractors in the past.” If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.
Furthermore, even if the Chinese government was involved in cyber espionage against the New York Times, it wouldn’t use its military for that. It would use its Ministry of State Security (China’s equivalent of the CIA). And they wouldn’t be stupid enough to run the attack from their own offices, which if you’re interested in checking IP addresses, is in Beijing – 274 miles from Jinan.
The problem those points above create is precisely the key one Mandiant and our cherished free press refuse to acknowledge:
There are multiple states engaged in cyber-based industrial espionage and infrastructure snooping, not just China.
Israel, Russia, and numerous other countries all hack each other on a regular basis.
But wait--there's a reason that, even given that fact, America should focus on China, right?
However, Adam Segal, the Maurice B. Greenberg Senior Fellow for China Studies for the Council on Foreign Relations, believes that the scale and scope of cyber conflict is greatest in China. "There's a sense of competitive metabolism there," he said, "and China has resources that the other countries lack." (h/t: The Atlantic)
Leaving aside the classic appeal to authority (and the wrong type of authority as well--how is an IR scholar going to be an authoritative expert on technical resources available for computer hacking?) I have to say: competitive metabolism? What sort of weasel word bullshit is that? And also, what resources does China have that other countries lack?
Yeah.
So the question then becomes: why this sudden flurry of articles based on a report that claims false certainty?
One possible reason is that there's a five-letter bill out there floating in the dead space of Congress designed to regulate the internet and increase government contracts/encourage private contracts for companies like Mandiant (the author of the China hacking report). Of course, there could be other reasons at play as well, so I'm not going to state this as a definite answer. I only wish mainstream journalism--you know, the people that get paid for this stuff--could exercise the same sort of logic and restraint. But hey, you get what you pay for, right?
|
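The "Beijing Workday Argument" above is an activity-hour analysis: you bin the attacker's observed activity by local time of day and ask which zones would put it inside a normal workday. The following is an added example, not code from the original post or from the Mandiant report, showing why that test bounds a longitude band rather than a country: it scores a set of UTC timestamps against a list of candidate fixed UTC offsets and reports every zone whose 09:00-18:00 weekday window covers most of the activity. The candidate list, the 0.8 threshold and the sample timestamps are all constructed assumptions for the illustration; the sample is built to cluster in a UTC+8 workday and is not data from any report.

```python
"""
Working-hours consistency check for attacker activity timestamps.

Added example; it is not code from the original thread or from the Mandiant
report. Given activity timestamps in UTC, it measures, for each candidate UTC
offset, what fraction of the activity falls inside a nominal 09:00-18:00,
Monday-Friday local workday. The timestamps below are CONSTRUCTED to cluster
in a UTC+8 workday; they are not observations from the report.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Candidate locations as fixed UTC offsets (assumption: standard time, no DST
# handling, which is enough to show how many zones share a workday pattern).
CANDIDATE_OFFSETS: Dict[str, int] = {
    "Beijing/Shanghai": 8,
    "Lhasa": 8,
    "Taipei": 8,
    "Singapore": 8,
    "Perth": 8,
    "Bangkok": 7,
    "Seoul": 9,
    "Moscow": 4,      # Moscow kept UTC+4 year-round in 2013
    "Tallinn": 2,
    "Tel Aviv": 2,
    "New York": -5,
}

WORK_START, WORK_END = 9, 18  # local hours; end is exclusive


def workday_fraction(stamps_utc: Iterable[datetime], offset_hours: int) -> float:
    """Fraction of timestamps that land on a weekday between 09:00 and 18:00
    local time for a zone at the given fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    stamps = list(stamps_utc)
    if not stamps:
        return 0.0
    hits = 0
    for t in stamps:
        local = t.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(stamps)


def consistent_zones(stamps_utc: Iterable[datetime],
                     candidates: Dict[str, int] = CANDIDATE_OFFSETS,
                     threshold: float = 0.8) -> List[str]:
    """Names of candidate zones whose workday covers at least `threshold`
    of the activity. Several zones usually pass, which is the point: activity
    hours bound the longitude band, not the country or the building."""
    stamps = list(stamps_utc)
    return sorted(name for name, off in candidates.items()
                  if workday_fraction(stamps, off) >= threshold)


def build_sample() -> List[datetime]:
    """Constructed sample: two weeks of hourly activity, weekdays only, at
    01:00-09:00 UTC, i.e. 09:00-17:00 in UTC+8. Not real data."""
    start = datetime(2013, 2, 4, tzinfo=timezone.utc)  # a Monday
    stamps = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in range(1, 10):
            stamps.append(d.replace(hour=hour))
    return stamps


if __name__ == "__main__":
    sample = build_sample()
    for name, off in CANDIDATE_OFFSETS.items():
        print(f"{name:18s} UTC{off:+d}: {workday_fraction(sample, off):.2f}")
    print("consistent:", consistent_zones(sample))
```

With the constructed sample every UTC+8 candidate scores 1.0, Bangkok and Seoul still clear the 0.8 bar because a nine-hour block shifted by one hour loses only one hour, and nothing west of UTC+4 comes close. Raising the threshold to 1.0 drops the UTC+7 and UTC+9 zones but still leaves five UTC+8 locations tied, which is all the timing evidence by itself can say.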
I am sorry if I really cut this short, but am I right that: All you are saying is that instead of saying "it is certain China is behind it" we should say "it is highly likely China is behind it"?
Basically all this does is point out that the evidence is weaker than suggested by mainstream media, but provides absolutely no evidence which suggests it WASN'T China. So the news here is that mainstream media like to exaggerate things?
|
The fact that government sources confirmed the stories and that there seem to be real political repercussions coming from the US government to China makes me think that they are pretty damn certain.
I don't doubt that the arguments you make are valid, but as a layman, they do seem pretty unlikely. I think that it would be a pretty big coincidence that with this evidence it wouldn't be China. Also, as long as the attacks originate in China, which they do, it is their responsibility.
|
On February 22 2013 00:54 zatic wrote: I am sorry if I really cut this short, but am I right that: All you are saying is that instead of saying "it is certain China is behind it" we should say "it is highly likely China is behind it"?
Basically all this does is point out that the evidence is weaker than suggested by mainstream media, but provides absolutely no evidence which suggests it WASN'T China. So the news here is that mainstream media like to exaggerate things?
No, the news is that the report is drawing a false positive. The onus of proof against the report's authors shouldn't be that "we have to show beyond a doubt that Country A is NOT behind said attacks"; it should be that the report's authors themselves need to show, beyond a reasonable doubt, that Country A is behind said attacks. It's a basic principle of epistemology.
|
Will the real slim shady please stand up...
|
The question is: is Mandiant itself saying it's 100% the Chinese government, or is the media blowing things up as they always do so that your average simpleton gets it?
Because case 1 means that indeed they need solid proof, but more often than not it's simply case 2. Happens with science stuff all the time as well.
|
On February 22 2013 01:00 Derez wrote: The fact that government sources confirmed the stories and that there seem to be real political repercussions coming from the US government to China makes me think that they are pretty damn certain.
But think about it--why would those government sources hold off on political repercussions until some random private company publishes a report on it, especially if, as a confirmation implies, those government sources knew about the attacks before the story went public?
I don't doubt that the arguments you make are valid, but as a layman, they do seem pretty unlikely. I think that it would be a pretty big coincidence that with this evidence it wouldn't be China. Also, as long as the attacks originate in China, which they do, it is their responsibility.
These are a bunch of other hypotheses that are all equally valid in light of the evidence:
1) Unit 61398 is running a signals monitoring operation off the main cable between China and the United States, and the hacking operations are done by some other part of the Chinese government (i.e. Ministry of State Security) which may or may not be in Pudong.
2) The Chinese government is responsible for 10%, 20%, 30%, 40%, 50%, 60%, 70%, 80%, 90%, or 100% of the hacking traffic going through Pudong.
3) The geolocation is wrong and it's not in Pudong.
4) Some agency of the Chinese government has successfully put together a "cyber-militia". Said agency gives patriotic hackers information about what data they are looking for, and then collects said data without asking questions.
5) Unit 61398 is responsible for cyber-hacking, but they are obviously incompetent.
6) This is all a clever (but possibly unintentional) disinformation campaign by the Chinese government. It attacks sites incompetently with amateurs, gets people to tighten up security, and once everyone is safe, it pulls in the real professionals.
7) It's a clever (and perhaps intentional) disinformation campaign by the Chinese government. The Chinese military and intelligence services have planted deep moles into US industry, and if there is now a massive data leak, then the hackers did it, and no one thinks about normal theft.
8) Some fraction (0-100%) of the packets going through China are actually from Russia, Iran, or North Korea, because China has much better internet access to the United States, and it's impossible to set up a botnet in North Korea.
9) The Chinese military is undertaking cyber-hacking without the knowledge of the Party leadership, and the amount of civilian control over the military or the role of the military in domestic spying has been greatly misinterpreted.
Again, the point isn't that the evidence doesn't imply China hacks the United States--it's that the report paints a false picture of certainty about one very specific scenario when in reality the evidence suggests a myriad of things could be happening. That's galling.
|
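The OP's complaint that the report "doesn't actually check off competing hypotheses", the list of alternative explanations for each evidence item, and the nine alternative hypotheses in the reply above all describe the same structured technique: Analysis of Competing Hypotheses (ACH), where evidence that is consistent with every hypothesis has no diagnostic value, however true it is. The following is an added example, not code from the thread or from the Mandiant report, implementing that check. The hypothesis set is a condensed stand-in for the nine above, and every rating in the matrix is an illustrative assumption chosen to show the mechanics, not an assessment of the real case.

```python
"""
Diagnosticity check in the style of Analysis of Competing Hypotheses (ACH).

Added example; not from the thread or from the Mandiant report. The evidence
labels follow the items discussed in the thread, but every rating in the
matrix is an ILLUSTRATIVE assumption chosen to show the mechanics of the
method, not an assessment of the real case. "C" = consistent with the
hypothesis, "I" = inconsistent, "N" = neutral / no bearing.
"""
from typing import Dict, List, Tuple

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# Condensed, assumed hypothesis set (stand-in for the longer list in the thread).
HYPOTHESES: Dict[str, str] = {
    "H1": "PLA Unit 61398, operating from Pudong",
    "H2": "Another Chinese state body (e.g. MSS), not necessarily in Pudong",
    "H3": "Chinese non-state group tolerated or tasked by the state",
    "H4": "Non-Chinese actor outside UTC+8 routing through Chinese hosts",
}

# Illustrative matrix: evidence item -> rating per hypothesis.
MATRIX: Dict[str, Dict[str, str]] = {
    "targets match PRC five-year-plan priorities": {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "disciplined, military-style TTPs":            {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "scale: dozens to hundreds of operators":      {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "English-proficient operators":                {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "Shanghai phone number / Pudong IP blocks":    {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
    "Simplified-Chinese system settings":          {"H1": "C", "H2": "C", "H3": "C", "H4": "N"},
    "activity clusters in a UTC+8 workday":        {"H1": "C", "H2": "C", "H3": "C", "H4": "I"},
    "persona self-reports Pudong as location":     {"H1": "C", "H2": "C", "H3": "C", "H4": "C"},
}


def diagnosticity(ratings: Dict[str, str]) -> int:
    """How many hypotheses an evidence item counts against. An item rated
    consistent (or neutral) with every hypothesis has zero diagnosticity:
    it cannot help choose between them, however true it is."""
    return sum(1 for r in ratings.values() if r == INCONSISTENT)


def discriminating_items(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Evidence items that actually rule something out."""
    return [item for item, ratings in matrix.items() if diagnosticity(ratings) > 0]


def inconsistency_scores(matrix: Dict[str, Dict[str, str]],
                         hypotheses: Dict[str, str]) -> Dict[str, int]:
    """ACH scores each hypothesis by the evidence it conflicts with; the
    survivor is the one with the fewest inconsistencies, not the one with
    the most consistencies."""
    return {h: sum(1 for ratings in matrix.values() if ratings.get(h) == INCONSISTENT)
            for h in hypotheses}


def surviving_hypotheses(matrix: Dict[str, Dict[str, str]],
                         hypotheses: Dict[str, str]) -> List[str]:
    scores = inconsistency_scores(matrix, hypotheses)
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def verdict(matrix: Dict[str, Dict[str, str]],
            hypotheses: Dict[str, str]) -> Tuple[str, List[str]]:
    """'single' if the matrix isolates one hypothesis, 'tie' otherwise."""
    survivors = surviving_hypotheses(matrix, hypotheses)
    return ("single" if len(survivors) == 1 else "tie", survivors)


if __name__ == "__main__":
    for item, ratings in MATRIX.items():
        print(f"diagnosticity={diagnosticity(ratings)}  {item}")
    print("inconsistencies:", inconsistency_scores(MATRIX, HYPOTHESES))
    print("verdict:", verdict(MATRIX, HYPOTHESES))
```

Under these assumed ratings only the workday item rules anything out, and it only removes H4; H1, H2 and H3 finish tied at zero inconsistencies, so the matrix cannot single out Unit 61398. To break the tie you need an item rated inconsistent with the rivals, which is exactly the sort of evidence the thread is arguing the public report does not show.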
There could indeed be significant skullduggery to make the attack look Chinese, but you can't fault the media for taking things at face value.
If it turns out to be some big frame-job against the Chinese by another country/entity later I'm sure the first media outlet to find that out conclusively will fly it like a banner in other media outlets' faces saying "ho ho, we're so smart".
|
On February 22 2013 01:01 Shady Sands wrote:The onus of proof against the report's authors shouldn't be that "we have to show beyond a doubt that Country A is NOT behind said attacks"; it should be that the report's authors themselves need to show, beyond a reasonable doubt, that Country A is behind said attacks. It's a basic principle of epistemology. No, it's a basic principle of criminal jurisprudence in the United States and countries with similar standards of guilt. It's a controversial standard of knowledge or justification in epistemology. :p
|
Shanghai phone number/Pudong New Area IP blocks/Simplified Chinese language settings: Pudong New Area has about 5.4 million people, with a GDP of above 50 billion dollars. Foreign investment in Pudong varies between 4 and 8 billion dollars a year, going into some 11,000 different companies registered there. And obviously, most of the computers in Pudong have Chinese language settings. Based on population and business density in Pudong, a Shanghai number or IP block is pretty meaningless. Pudong New Area is literally the Chinese equivalent of Manhattan Island. It would be like Russia saying that since the US has a cyber unit in Manhattan, and somebody in Manhattan is hacking Russia from an English-language OS, then it must be that specific US cyber unit.
Sorry I don't buy it. While a lot of people speak some rudimentary English, I'm quite skeptical about Chinese. And I'm not sure some foreign force would force their "agents" to learn Mandarin just to trick prosecutors.
And since we all do know that there is internet censorship in China I highly doubt this amount of hacking could have been done with at least the goodwill of the Chinese government.
|
On February 22 2013 02:16 Hryul wrote:
(quoting the OP) Shanghai phone number/Pudong New Area IP blocks/Simplified Chinese language settings: Pudong New Area has about 5.4 million people, with a GDP of above 50 billion dollars. Foreign investment in Pudong varies between 4 and 8 billion dollars a year, going into some 11,000 different companies registered there. And obviously, most of the computers in Pudong have Chinese language settings. Based on population and business density in Pudong, a Shanghai number or IP block is pretty meaningless. Pudong New Area is literally the Chinese equivalent of Manhattan Island. It would be like Russia saying that since the US has a cyber unit in Manhattan, and somebody in Manhattan is hacking Russia from an English-language OS, then it must be that specific US cyber unit.
Sorry I don't buy it. While a lot of people speak some rudimentary English, I'm quite skeptical about Chinese. And I'm not sure some foreign force would force their "agents" to learn Mandarin just to trick prosecutors.
Wait, why wouldn't a foreign force do that?
And since we all do know that there is internet censorship in China I highly doubt this amount of hacking could have been done with at least the goodwill of the Chinese government.
Internet censorship affects content, not hacking. It affects things like forum posts and the content of foreign websites--not whether there's a botnet being set up in Shanghai (or anywhere in East China for that matter, since a botnet anywhere in that region would show up as originating traffic from Pudong) or a virus crawling around the tubes.
|
On February 22 2013 02:07 zf wrote:
On February 22 2013 01:01 Shady Sands wrote: The onus of proof against the report's authors shouldn't be that "we have to show beyond a doubt that Country A is NOT behind said attacks"; it should be that the report's authors themselves need to show, beyond a reasonable doubt, that Country A is behind said attacks. It's a basic principle of epistemology.
No, it's a basic principle of criminal jurisprudence in the United States and countries with similar standards of guilt. It's a controversial standard of knowledge or justification in epistemology. :p
Fair enough. I'll argue then that the evidence presented is insufficient to trace the attack to a specific state actor with any degree of certainty.
|
OP, why would you know all this shit better than governments or media outlets?
It just seems you're stating they're all drawing false positives while clearly far more reputable sources take this information as legit. This is not some anti-virus program giving you a malware-gen report, you know; governments tend to know what they're doing, and China has been hacking all the information they can get for decades now, and suddenly the great Shady Sands is going to tell us that this report on this government known for hacking might not be hacking because it's not based on falsification?
Just makes me wonder what your motivation is here really, is this an attempt at defending China or what?
|
On February 22 2013 02:21 Shady Sands wrote:Fair enough. I'll argue then that the evidence presented is insufficient to trace the attack to a specific state actor with any degree of certainty. Cheers! Thanks for putting up with my pedantry.
|
We all know countries all over the world hack. And it wouldn't surprise me that China does too.
However, this news of China hacking the US comes at a funny time does it not? CISPA (cyber intelligence sharing & protecting act) was already defeated, but a newer version of the bill is being pushed hard in the US house as we speak.
If you are unaware of what CISPA is.. think of it as the Patriot Act for the internet. People need to be scared for their safety and security before they give up liberties. This is not a new tactic.
Here is a link to oppose CISPA 2.0 if you are interested:
http://act.demandprogress.org/act/cispa_is_back/?referring_akid=a7983999.506224.KT-M7r&source=auto-e
|
On February 22 2013 02:37 Scootaloo wrote: OP, why would you know all this shit better then governments or media outlets?
It just seems you're just stating they're all drawing false positives while clearly far more reputable sources take this information as legit.
I'll just leave this here.
|
What do you think about this, quoted from the NYTimes:
"Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall that blocks ordinary citizen’s access, making it easier to track down their real identities."
Do you think someone else is actually doing the hacking and logging into Chinese ppl's facebooks for redirection? It's not just "somebody's forum-listed location", did you read the Times article?
By the way, people know that every somewhat developed country has it's own hacking group, this fact has NOTHING to do with whether PLA Unit 61398 is behind APT1. They narrowed it down to beyond just the New Pudong Area, again if you read the actual article you'll see it's just 1 neighborhood:
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
|
On February 22 2013 02:54 lolmlg wrote:
On February 22 2013 02:37 Scootaloo wrote: OP, why would you know all this shit better than governments or media outlets?
It just seems you're just stating they're all drawing false positives while clearly far more reputable sources take this information as legit.
I'll just leave this here.
Emmm yeah, I don't believe we need to establish that CNN is full of crap; might as well be quoting Fox News. I'd be surprised, however, if it's just the Republican puppet media reporting on this; this seems like the kind of thing not just they would be interested in. My local Dutch media seem to not really give a damn right now. After a little bit of digging, there are some short reports on it, but they're quite factual, claiming nothing but that Mandiant reports the Chinese are behind it, and later an article about how the Chinese government denies the claims, which is what they've always done at any allegations of hacking. To be precise, they stated it was wrong for much the same reasons OP lists, and seeing how it's dated the 20th of February I'm really hoping that's not OP's source.
Even if Mandiant's report is a load of crap, the Chinese government has been using the internet to steal information for a very long time now; it's practically common knowledge, and some steps should be undertaken against it. Obviously, them trying to use it as SOPA camouflage is just horrible, and kind of speaks to the sad, decrepit state American politics is in, but it does not invalidate the dangers of the Chinese government's technology becoming on par with that of the US. Especially now that China's pet fascist dictatorship, North Korea, is barking again, when we haven't been able to establish how insane and war-hungry their current heavenly leader is.
|
I do find it amusing that China would use its army to hack rather than its intelligence agency, one of the most secretive and opaque in the world.
|
On February 22 2013 03:14 heartlxp wrote: What do you think about this, quoted from the NYTimes:
"Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall that blocks ordinary citizen’s access, making it easier to track down their real identities."
Do you think someone else is actually doing the hacking and logging into Chinese ppl's facebooks for redirection? It's not just "somebody's forum-listed location", did you read the Times article?
By the way, people know that every somewhat developed country has it's own hacking group, this fact has NOTHING to do with whether PLA Unit 61398 is behind APT1. They narrowed it down to beyond just the New Pudong Area, again if you read the actual article you'll see it's just 1 neighborhood:
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
Hackers working for the government do not have free outgoing access to the firewall? I am finding that hard to believe.
|