For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how "smart" fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.
Last week, the theoretical became very real with the massive attack on DNS provider Dyn, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help Dyn) notes that the DDoS was indeed thanks to compromised IoT devices, and to the Mirai botnet malware whose recently released source code makes compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to... your cable DVR:
"Mirai malware targets Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."
"It's remarkable that virtually an entire company's product line has just been turned into a botnet that is now attacking the United States," Nixon said, noting that Flashpoint hasn't ruled out the possibility of multiple botnets being involved in the attack on Dyn. "At least one Mirai [control server] issued an attack command to hit Dyn," Nixon said. "Some people are theorizing that there were multiple botnets involved here. What we can say is that we've seen a Mirai botnet participating in the attack."
For what it's worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:
"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.
And while that's all well and good, that's just one company. There are dozens upon dozens of companies and "IoT evangelists" that refuse to acknowledge that they put hype and personal profit ahead of security, and by extension put the entire internet at risk. Not only do most of these devices lack even the most fundamental security (default credentials, no update mechanism), they usually provide no way for users to tell whether a device is generating unexpected traffic or participating in an attack. And these devices are often sitting behind consumer-grade routers with equally flimsy security, frequently still using their factory username and password.
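One concrete answer to that "no way to tell" complaint, as an added example rather than anything from the original post: the one box in a home that does see every flow is the router, and even a crude pass over its flow log catches the two behaviours Mirai-infected gear shows, sweeping the internet for telnet logins and hosing a single target with traffic. The record layout, the thresholds and the sample records below are assumptions constructed for the example (TEST-NET addresses, not a real capture); the probed ports, 23 and 2323, are the ones in Mirai's released scanner source.

```python
"""Flag IoT hosts that scan for telnet or flood one target, from a router flow log.

Added example, not code from the page. Assumptions: the flow-record layout
('epoch src dst dport bytes'), the thresholds, and the sample records below,
which are constructed (TEST-NET addresses), not a real capture.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323}    # ports Mirai's released scanner probes
SCAN_WINDOW = 60             # seconds
SCAN_MIN_TARGETS = 5         # distinct hosts probed on telnet ports inside the window
FLOOD_WINDOW = 60
FLOOD_MIN_BYTES = 1_000_000  # bytes sent to a single destination inside the window

# Constructed sample flow records: epoch, src, dst, dport, bytes.
SAMPLE_FLOWS = """\
# epoch      src           dst            dport bytes
1477000000 192.168.1.10 198.51.100.1  443  52144
1477000001 192.168.1.10 198.51.100.2  53   180
1477000002 192.168.1.42 203.0.113.11  23   60
1477000002 192.168.1.42 203.0.113.12  23   60
1477000003 192.168.1.42 203.0.113.13  2323 60
1477000003 192.168.1.42 203.0.113.14  23   60
1477000004 192.168.1.42 203.0.113.15  23   60
1477000004 192.168.1.42 203.0.113.16  23   60
1477000010 192.168.1.77 198.51.100.53 53   400000
1477000011 192.168.1.77 198.51.100.53 53   400000
1477000012 192.168.1.77 198.51.100.53 53   400000
1477000020 192.168.1.10 198.51.100.1  443  31000
"""


def parse_flows(text):
    """Parse flow lines into sorted (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return sorted(flows)


def _windows(events, window):
    """Yield, for each event, the payloads of events within `window` seconds
    after it; `events` is a timestamp-sorted list of (ts, payload)."""
    for i, (t0, _) in enumerate(events):
        yield [payload for t, payload in events[i:] if t - t0 <= window]


def find_scanners(flows):
    """src -> distinct telnet-port targets in its busiest window, when over threshold."""
    probes = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in TELNET_PORTS:
            probes[src].append((ts, dst))
    scanners = {}
    for src, events in probes.items():
        best = max(len(set(w)) for w in _windows(events, SCAN_WINDOW))
        if best >= SCAN_MIN_TARGETS:
            scanners[src] = best
    return scanners


def find_flooders(flows):
    """(src, dst) -> bytes in the busiest window, when over threshold."""
    volume = defaultdict(list)
    for ts, src, dst, _, nbytes in flows:
        volume[(src, dst)].append((ts, nbytes))
    flooders = {}
    for pair, events in volume.items():
        best = max(sum(w) for w in _windows(events, FLOOD_WINDOW))
        if best >= FLOOD_MIN_BYTES:
            flooders[pair] = best
    return flooders


def alerts(text=SAMPLE_FLOWS):
    """Run both detectors over a flow log and return their hits."""
    flows = parse_flows(text)
    return {"scanners": find_scanners(flows), "flooders": find_flooders(flows)}


if __name__ == "__main__":
    for kind, hits in alerts().items():
        for who, measure in hits.items():
            print(f"{kind}: {who} -> {measure}")
```

On the sample log the camera at 192.168.1.42 trips the scanner rule (six distinct hosts probed on telnet ports in two seconds) and the DVR at 192.168.1.77 trips the flood rule (1.2 MB to one DNS server in three seconds), while the laptop at 192.168.1.10 stays clean. The thresholds are deliberately low for the toy data; on a real router export you would raise them and add a per-device baseline, but the shape of the check does not change.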
So while it's nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It's going to take a lot more naming and shaming of the companies that pushed "smart" but idiotic and poorly-secured technologies on consumers if we're to avoid significantly worse (and potentially fatal) attacks.
As you know, last week, large chunks of the internet spent hours writhing on the ground and totally inaccessible thanks to a giant DDoS attack that appears to have been launched via a botnet involving insecure DVR hardware (which can't be patched -- but that's another post for later). Of course, whenever this kind of thing happens, you know that some people on the politics side of things are going to come up with dumb responses, but there were some real whoppers on Friday. I'm going to focus on just two, because I honestly can't decide which one of these is dumber. I'll discuss each of them, and then you guys can vote and let us know: which of these is dumber.
On Friday she went on CNN to discuss a variety of things, and the first question from Wolf Blitzer was about the DDoS attacks, and her answer is the sort of nonsense word salad that is becoming all too common in politics these days, but where she appears to suggest that if we'd passed SOPA this kind of attack wouldn't have happened. She's not just wrong, she's incredibly clueless.
Here's what she said:
Wolf, you don't know who is behind this, you do not know if it's foreign or domestic. What I do know is over the years we have tried to pass a data security legislation. There's been bipartisan agreement in the House. It has not moved forward in the Senate. We also know that a few years ago we tried to do a bill called SOPA in the House which would require the ISPs to do some governance on these networks and to block some of the bad actors.
And of course, there were all of the cyberbots that took out after us that were trying to say 'no you can't do that you're going to impede our free speech.' We said 'no we're trying to keep the roadway clear and to keep some of these bad actors out of the system.'
So, what you have now, whether it is foreign or domestic, no one knows. No one knows who has released some ransomware, spyware, malware into the system that is cau... and bear in mind also this malware can live on your system for a year or much longer before it is detected.
And that is how you've had some of these extensive data breaches because the malware gets into the system, it rests there, it is pulling information and at some point, it activates. And as I tell my constituents, be careful what websites you go to, be careful what emails you open because you may be unintendedly inviting that malware or spyware into your system.
Okay, so. Almost nothing that is said above has anything to do with the DDoS attack. Not at all. Not the "data protection" bill, which is basically about requiring companies to reveal breaches to those impacted. But most certainly not SOPA, which had nothing whatsoever to do with anything having to do with cybersecurity or online attacks or DDoS. And "cyberbots"? Is she implying that the millions of people who spoke out against SOPA were some sort of fake bots? SOPA wouldn't have done anything to stop this kind of attack at all. It had nothing to do with this issue in any way shape or form. Not that Wolf Blitzer seems to know or care about any of that as he just accepts that answer and moves on.
So that's the first dumb response. Now the second: the IANA transition. We've been discussing this for years, and as we've explained, the transition is a good thing in taking an argument away from countries like Russia and China who have been trying to get more control over internet governance, by dropping an almost entirely superficial connection between the fairly minor IANA function and the US Commerce Dept. The transition happened a few weeks ago and nothing on the internet has changed, nor will it, because of this transition. It's a non-story. But, Ted Cruz tried to make it a story and now it's become a partisan thing for no good reason at all. And thus, given an opportunity, partisan sites are blaming the IANA transition for the DDoS:
Today there was a major attack on a part of the Internet that few people pay any attention to. It’s critically important though, and any disruption threatens both our prosperity as Americans, but also our freedom to communicate with each other.
This is a great reminder of why President Obama’s Internet handover plans are so threatening to our way of life.
Probable foreign attackers effectively took thousands of companies off of the Internet today by attacking a major Domain Name Service (DNS) provider: Dyn. This two-hour outage surely cost many people, very much money.
What is DNS, and why is it so important? Put simply, DNS is the system that tells people how to find you online. It converts the names of servers and sites, into numbers that the Internet Protocol can find. It’s an essential service of the commercial Internet.
And yet Barack Obama is trying to hand control of DNS over to the Chinese and the Russians. Ted Cruz has been warning people about this, and so have I. People tend to tune it out, because it sounds like a very technical, obscure issue that isn’t very important.
Well, first of all, newsflash: the transition happened three weeks ago, and Neil Stevens at Red State is so concerned about this he didn't even notice. Damn. Sneaky Obama. Second, the hand over of the IANA functions has absolutely nothing to do with a DDoS attack or what it would take to prevent it. Yes, there are some ridiculous aspects to the DNS system, some of which are managed by ICANN. But (1) the IANA transition has nothing to do with "handing control" over to the Chinese or Russians (in fact, it's the opposite -- it takes a big argument away from the Russians and Chinese that they had been using to try to seize more control, and actually makes it much more difficult for them to take control by making sure nationstates actually have very little say in internet governance). And (2) the IANA transition has fuck all to do with DDoS attacks.
Both of these examples seem to be completely clueless, technically illiterate people using real problems (the fragility of DNS systems, the massive unsecured bot-infested systems out there, the ease of taking down important systems, overly centralized critical systems), and using them to pitch some entirely separate personal pet complaint or project. But both are completely ignorant. The only question is which one is worse:
Last month, we wrote about Bruce Schneier's warning that certain unknown parties were carefully testing ways to take down the internet. They were doing carefully configured DDoS attacks, testing core internet infrastructure, focusing on key DNS servers. And, of course, we've also been talking about the rise of truly massive DDoS attacks, thanks to poorly secured Internet of Things (IoT) devices, and ancient, unpatched bugs.
That all came to a head this morning when large chunks of the internet went down for about two hours, thanks to a massive DDoS attack targeting managed DNS provider Dyn. Most of the down sites are back (I'm still having trouble reaching Twitter), but it was pretty widespread, and lots of big name sites all went down. Just check out this screenshot from Downdetector showing the outages on a bunch of sites:
You'll see not all of them have downtime (and the big ISPs, as always, show lots of complaints about downtimes), but a ton of those sites show a giant spike in downtime for a few hours.
So, once again, we'd like to point out that this is a problem that the internet community needs to start solving now. There's been a theoretical threat for a while, but it's no longer so theoretical. Yes, some people point out that this is a difficult thing to deal with. If you're pointing people to websites, even if we were to move to a more distributed system, there are almost always some kinds of chokepoints (a handful of managed DNS providers, a few large CDNs), and those with malicious intent will always, eventually, target those chokepoints. But there has to be a better way -- because if there isn't, this kind of thing is going to become a lot worse.
We've increasingly covered how the "internet of poorly secured things" has contributed to a rise in larger DDoS attacks than ever before. The barely-there security standards implemented by companies more interested in hype than quality meant it didn't take long before hackers were able to incorporate "smart" refrigerators, power outlets, TVs and other IoT devices into the kind of DDoS attacks that recently took down the site of security researcher Brian Krebs. The end result is DDoS attacks that continue to break records, first 620Gbps in the Krebs attack, then more recently a 1.1 terabits per second attack on a French web host.
But just how bad have things become? A new report by Akamai warns that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH certainly can be implemented securely, but as with every other security aspect of the IoT, many hardware vendors aren't bothering to do so. Akamai's data indicates roughly 2 million devices have been compromised by this type of hack, which the firm dubs SSHowDowN.
CVE-2004-1653 describes an insecure default in older OpenSSH builds rather than a code bug: TCP forwarding is enabled for every account that can log in, so anyone holding valid credentials can use the device's SSH server as a relay, routing malicious traffic through it as part of the overall DDoS command and control infrastructure. To pull this off you need working login credentials for the device; with default usernames and passwords the norm in the IoT space, that is rarely an obstacle. Akamai notes that many IoT devices not only ship with this default intact, but with no way for the owner to change it:
"We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
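For anyone who does have shell access to one of these boxes, the check is a few lines. Here is an added example (not Akamai's code, and not from the original post) that reads an sshd_config the way sshd does, first occurrence of a keyword wins and Match blocks apply conditionally, and reports the forwarding and authentication settings that make a device usable as a relay. The directive names and their defaults are standard OpenSSH; the sample configs are constructed for the example.

```python
"""Audit an sshd_config for the SSHowDowN relay defaults.

Added example, not code from the page or from Akamai. Assumptions: the
directive names and OpenSSH defaults in CHECKS, and the constructed sample
configs at the bottom.
"""
import re
from dataclasses import dataclass

# Directive -> (OpenSSH default when the directive is absent, values a hardened
# config may set). AllowTcpForwarding defaulting to "yes" is the behaviour
# CVE-2004-1653 describes: any account that can log in may use sshd as a TCP
# relay. The others limit what a relayed session can reach, or how easily a
# default credential gets a session at all.
CHECKS = {
    "allowtcpforwarding":     ("yes", {"no"}),
    "permitopen":             ("any", {"none"}),
    "gatewayports":           ("no",  {"no"}),
    "permittunnel":           ("no",  {"no"}),
    "passwordauthentication": ("yes", {"no"}),
    "permitemptypasswords":   ("no",  {"no"}),
}


@dataclass
class Finding:
    directive: str   # keyword, suffixed with the Match criteria if conditional
    value: str       # effective value
    explicit: bool   # False when the OpenSSH default is in force
    safe: bool


def parse_config(text):
    """Split sshd_config into global settings and Match blocks.

    sshd semantics matter for an audit: keywords are case-insensitive and the
    FIRST occurrence wins, so 'AllowTcpForwarding yes' followed later by
    'AllowTcpForwarding no' leaves forwarding on. Lines after a 'Match' line
    apply only to sessions matching its criteria.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = current["settings"] if current else global_settings
        target.setdefault(key, value.lower())      # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """One Finding per checked directive (global section), plus one per
    Match block that loosens a directive beyond the safe set."""
    global_settings, match_blocks = parse_config(text)
    findings = []
    for key, (default, safe_values) in CHECKS.items():
        explicit = key in global_settings
        value = global_settings[key] if explicit else default
        findings.append(Finding(key, value, explicit, value in safe_values))
    for block in match_blocks:
        for key, (_, safe_values) in CHECKS.items():
            value = block["settings"].get(key)
            if value is not None and value not in safe_values:
                findings.append(
                    Finding(f"{key} (Match {block['criteria']})", value, True, False))
    return findings


def is_relay_capable(text):
    """True if some authenticated session could forward TCP through this sshd."""
    return any(not f.safe for f in audit(text)
               if f.directive.startswith("allowtcpforwarding"))


# Constructed sample configs for the example.
FACTORY_DEFAULT = "Port 22\nProtocol 2\n"   # says nothing about forwarding: defaults apply
HARDENED = """\
AllowTcpForwarding no
PermitOpen none
GatewayPorts no
PermitTunnel no
PasswordAuthentication no
PermitEmptyPasswords no
"""
LOOKS_FIXED_BUT_ISNT = "AllowTcpForwarding yes\nAllowTcpForwarding no\n"

if __name__ == "__main__":
    for name, cfg in [("factory", FACTORY_DEFAULT), ("hardened", HARDENED),
                      ("first-wins", LOOKS_FIXED_BUT_ISNT)]:
        print(name, "relay-capable:", is_relay_capable(cfg))
        for f in audit(cfg):
            if not f.safe:
                print(f"  {f.directive} = {f.value}{'' if f.explicit else ' (default)'}")
```

The factory config is flagged on three counts (forwarding on, PermitOpen unrestricted, password logins on), all of them inherited defaults rather than anything the vendor wrote, which is the whole point of the Akamai finding. The third sample shows why the audit has to honour sshd's first-occurrence rule: appending `AllowTcpForwarding no` to the end of a file that already says `yes` changes nothing.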
Of course the internet-of-poorly-secured things isn't just useful for DDoS attacks. Brian Krebs has penned a new blog post noting how criminals are often using hacked IoT hardware as proxies to obscure their real location as they engage in tax return fraud and other criminal activity, courtesy of your not-so-smart WiFi-enabled tea kettle or home-automation system. An anonymous researcher tells Krebs he was able to track the various "honeypot" systems he configured as they were traded and sold as malware-infested proxies in exchange for bitcoin.
In short, flimsy Internet of Things security, combined with already often-dubious embedded security in routers, is kind of a throwback to the wild west of the 1990s when the idea of your mom's PC as a botnet participant was kind of novel. Krebs' source puts it this way:
"In a way, this feels like 1995-2000 with computers," my source told me. "Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world."
And again, while the abysmal state of IoT security can often be funny, firms like Gartner predict that the population of Internet of Things devices will top 20.8 billion by 2020, up from 6.4 billion or so today. Researchers like Bruce Schneier have been warning for some time that the check is about to come due in the form of attacks that may put human lives at risk at an unprecedented scale, lighting a fire under researchers who believe that automated cyberdefense and self-healing network technologies we haven't invented yet are what stand between us and the not-so-smart device cyber apocalypse.
from the if-you-build-it-(poorly)-they-will-come dept
We've been talking at length about how the lack of security in the Internet of Things space is seen as a sort of adorable joke, but isn't always a laughing matter. While the hilarious stupidity of some of the "smart" products flooding the market is undeniable, the reality is that the abysmal state of security in "IoT" devices (read: little to none) is creating millions of new attack vectors every year. And as Bruce Schneier recently warned, it's only a matter of time before the check comes due, and these vulnerabilities contribute to hacking attacks on core infrastructure resulting in notable fatalities.
Refrigerators that leak your Gmail credentials are one thing, but this looming calamity is going to be made notably worse by the rush toward "smart" cities. The same hardware vendors that can't be bothered to secure their consumer-side hardware haven't done a much better job securing the gear they're shoveling toward cities under the promise of a better, more connected tomorrow. Case in point: Kaspersky Lab researchers have discovered that a significant number of municipal speed cameras are, you guessed it, easily hackable:
"According to Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab, these devices can be easily manipulated. The results were published in a security conference paper about the security hazards in smart cities...The Russian researchers were using the Shodan search engine to explore the security implications of the "smart city" fad. They hypothesized that the rush to deploy high-tech, "Internet of things" devices to improve the municipal infrastructure often meant that security was left behind.
And they were right. Except security wasn't just subpar on speed cameras made by vendors like Redflex Traffic Systems. In many instances it didn't exist whatsoever:
"We decided to check that passwords were being used," Dashchenko and Makrushin wrote. "Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well."
The researchers noted that even in not-so-smart cities, the cameras are already processing gigabytes of citizens' data with little to no protection. Worse, the researchers found that given these cameras are tied to larger networks, hackers could potentially gain access to databases of stolen vehicles and add or remove vehicles from said lists. Their full paper, Fooling The Smart City (pdf), is worth taking a look at, and highlights how a significant number of kiosks -- used for everything from ticket sales to bicycle rentals -- are also vulnerable.
The result isn't just an exponential explosion in vulnerabilities. These compromised devices are now being used in historically massive new DDoS attacks, that appear to be getting larger by the day. On the heels of the recent, record-setting 620 gigabit-per-second DDoS attack against Brian Krebs (which was fueled in part by compromised IoT devices), a new attack this week launched against a French web host peaked at an incredible 1.1 terabits per second, driven in part by -- you guessed it -- hacked security cameras.
Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.
According to Krebs, the attack came, he believes, after he began digging more deeply into various gangs that deliver DDoS attacks on demand. And according to Krebs, this time they had the help of the hysterically piss-poor security of the internet of things (IoT) industry:
"There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
So not only are "smart" refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they're being utilized to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us the check is about to come due -- after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.
In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:
"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."
And they're finding, as many have warned, millions of poorly secured Internet of Things "smart" devices with stupid default passwords -- or in many instances no authentication at all. In most instances the buyers of these products are utterly unaware of their participation in these botnets, and very frequently these devices give the end user no transparent view of, or control over, what's being sent over the network anyway.
In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:
"In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year."
For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn't doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin greater institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:
"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. These are two researchers who aren't prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.
You may recall that a year ago, a massive DDoS attack was launched against GitHub from China. The attack itself was somewhat clever, in that it effectively turned the Great Firewall around, tampering with traffic to Chinese search engine Baidu's ad and analytics platforms so that browsers outside China loaded code that contributed to the attack. The targets of the attack were two tools that helped people in China access material blocked by the Great Firewall. Of course, this attack was actually the second attempt by China to stop people from accessing such information on GitHub. The first attempt involved just using the Great Firewall to block GitHub entirely (it needed to block all of GitHub, rather than just specific pages, because GitHub is all HTTPS and the censor can't see which page is being requested) -- but that caused Chinese programmers who rely on GitHub to freak out and point out that they rely on GitHub to do their jobs.
The post at https://github.com/programthink/zhao/issues/38 vilifies our President Xi as a murder suspect, which is a groundless and malicious slander. We hereby express our strong concern and request you to take it off your website at the earliest time possible.
Cyber Security Association of China
June 8, 2016
Address: No.190 Chaoyangmennei Street, Dongcheng District, Beijing. Zip Code: 100010
The blog post link above where we found this story also notes that the entire repo that includes this content is currently not accessible in China, though it's accessible outside of China. At the very least, that suggests that GitHub disabled access to it within the country. It's, of course, unknown if China believes that disabling access just from within China is enough based on its takedown, but it is the equivalent of just blocking it via the Great Firewall -- so perhaps.
Last month we wrote about Mozilla's move to deprecate HTTP in favor of encrypted HTTPS, which followed on Chrome's move to do something similar. What surprised me a bit was the response from many in our comments who didn't think this was a good idea. People talked about how it added complications to development, or pointed to problems with the whole concept of trusting certificate authorities and a variety of other problems. Some worried about the costs associated with getting a certificate. Ben Klemens, who has written eloquently for years about the problems of software patents, wrote an article noting that this would make it difficult for individuals to easily set up their own web platforms, and require them to rely on a third party with whom you'd have to identify yourself (the certificate authority).
Of course, there are many attempts to deal with these issues, such as the big Let's Encrypt project from EFF and others to offer free certificates. And, if you're hosting websites online, you're likely already going through a third party hosting provider, and it's not clear how dealing with a certificate authority is really all that different.
But the most compelling argument I've seen for why this is so important comes from Eric Mill, who discusses why this is so important by highlighting the many, many ways in which the web has changed over the past few years -- allowing both companies and governments to readily abuse the unencrypted nature of the legacy web, putting all of us at risk. This is a real problem that HTTPS goes a long way in solving:
But when I look at the last few years, I see a very different web than the one I was introduced to:
Verizon injects tracking headers into unencrypted traffic so they can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized they "had a latent asset", but wasn't noticed until 2014.
Other companies like Turn piggyback on Verizon's tracking header to sell your data to even more people, because they "are trying to use the most persistent identifier that we can in order to do what we do", says Turn's chief privacy officer.
Comcast injects ads into unencrypted traffic, because "it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast".
Andreas Gal (Mozilla's CTO, in his personal capacity) has claimed that Yahoo and Bing "can acquire search traffic by working with large Internet Service providers" to harvest users' Google search results to improve their own -- and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
Pretty much everyone agrees that the security certificate system has its problems. We've been pointing that out for years. But encouraging more encryption now is solving real problems today. And, as Mill notes, Klemens' and others' concerns about this move towards HTTPS being a kind of "recentralization" of the web are also misguided. All of those examples above show how big companies and governments are, themselves, abusing the unencrypted nature of the internet to take control and force a distributed system to act more like a centralized system by inserting themselves in the middle. HTTPS actually helps protect a more decentralized web by blocking those man-in-the-middle attacks:
When I look at all these things, I see companies and government asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to "interpret censorship as damage".
In short, I see power moving away from the leaves and devolving back into the center, where power has been used to living for thousands of years.
What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.
The security certificate system isn't perfect. But an unencrypted web has serious and dangerous flaws that put us all at risk. In the old days, people could keep their homes unlocked as well, but that got widely exploited so now most of us lock our doors. It's not perfect and it has problems, but the overall protection is worth it. That's even more true online where encryption is important in enabling greater freedom of expression and protection of privacy.
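To make "inserting themselves in the middle" concrete, here is an added example, not from this post or from Eric Mill's piece, of what an on-path box does to a cleartext HTTP response: add a header the origin never sent, splice markup into the HTML, and patch Content-Length so the browser never notices. The response and the token in it are constructed for the example; the header name X-UIDH is the one Verizon's program used, which the page does not name. The last function reads an HSTS header, which a browser only honours when it arrives over TLS, so once a site moves to HTTPS the same box can neither forge that policy nor strip it.

```python
"""Rewrite a cleartext HTTP response the way an on-path middlebox can.

Added example, not from the page or from Eric Mill's post. The sample
response, the subscriber token and the ad URL are constructed.
"""

HTML = b"<html><body><h1>hello</h1></body></html>"
# Constructed cleartext response, as it would cross the ISP's network.
CLEARTEXT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(HTML)).encode() + b"\r\n"
    b"\r\n" + HTML
)


def split_response(raw):
    """Parse status line, headers (as ordered (name, value) pairs) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response")
    status, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def join_response(status, headers, body):
    """Serialize the pieces back into wire format."""
    head = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def header(headers, name):
    """Case-insensitive header lookup; None if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def middlebox_rewrite(raw,
                      tracking=(b"X-UIDH", b"constructed-subscriber-token"),
                      snippet=b'<script src="http://ads.example/inject.js"></script>'):
    """Return the response as an injecting middlebox would forward it."""
    status, headers, body = split_response(raw)
    headers.append(tracking)                      # the Verizon-style tracking header
    ctype = header(headers, b"Content-Type") or b""
    if ctype.startswith(b"text/html") and b"</body>" in body:
        body = body.replace(b"</body>", snippet + b"</body>", 1)   # the Comcast-style ad
    # Whoever edits the body must patch Content-Length or the client truncates
    # the page. Nothing else stops them: cleartext HTTP does not bind the bytes
    # to the origin in any way the browser can check.
    headers = [(n, v) for n, v in headers if n.lower() != b"content-length"]
    headers.append((b"Content-Length", str(len(body)).encode()))
    return join_response(status, headers, body)


def hsts_max_age(raw):
    """max-age from Strict-Transport-Security, or None if the header is absent.

    Browsers only act on this header when it arrived over TLS, so a middlebox
    on a cleartext path can neither plant one nor remove a real one.
    """
    _, headers, _ = split_response(raw)
    value = header(headers, b"Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(b";"):
        key, _, val = directive.strip().partition(b"=")
        if key.lower() == b"max-age":
            return int(val)
    return None


if __name__ == "__main__":
    print(middlebox_rewrite(CLEARTEXT_RESPONSE).decode())
```

Run it and the forwarded response carries a tracking header and a third-party script the origin never served, with a Content-Length that checks out, which is exactly why none of the injections Mill lists were noticed for years. The only thing that takes that capability away from every hop between the server and the user is the TLS session, which is the argument for moving the whole web to HTTPS rather than trusting each network in the path.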
Edward Snowden sabotaged the intelligence capabilities of the U.S. and its allies, and now we learn he may have given the Chinese regime a weapon to spread Internet censorship across the planet. The Great Firewall, the unofficial name for a suite of blocking tools, stops Chinese citizens from accessing outside information. In the past few weeks Beijing has deployed a new offensive capability, dubbed the Great Cannon.
First of all, Snowden didn't "sabotage" any intelligence capabilities at all. He revealed to journalists how the NSA and its partners were abusing certain powers, likely breaking the law. That's not "sabotage." Second, the "we learn" is not based on anything the WSJ's nameless author of the opinion piece actually "learned." It's based on wild speculation by stringing some misleading and unrelated ideas together. So we're already off to an inauspicious start to the piece.
According to a report from the University of Toronto’s Citizen Lab, the Great Cannon is similar to Quantum, a tool developed by the U.S. to track potential terrorists and criminals abroad. Snowden, a former system administrator for the U.S. National Security Agency, revealed the existence of Quantum for the first time in 2013 when he fled to Hong Kong and then Moscow.
Loose connection #1.
Did Snowden give the Chinese the code for the Great Cannon? He denies sharing anything with foreign governments. But then he’s an admitted liar, and we don’t know what the Chinese and Russian spy services have been able to copy from what he stole. In any event he alerted them to a weakness that could be exploited.
Wait, what? How is he "an admitted liar?" That seems like a stretch already, and seems like the kind of line you'd find in a conspiracy website, not the pages of the Wall Street Journal. Second, the idea that the Chinese didn't already recognize how to do online attacks via such methods until Snowden revealed it seems especially questionable. Among the other things that Snowden revealed: the NSA knows that the Chinese are among the most sophisticated in building tools for mounting online attacks. The idea that they would be totally ignorant of methods like these until Snowden's revelations came out seems difficult to believe.
A South China Morning Post report that the Great Cannon has been under development for about a year is suggestive. This means China’s hacking bureaucracy geared up to produce this new product soon after the Snowden leaks.
Loose connection #2. Also, notice that the WSJ doesn't actually link to the SCMP story, so we'll do that for you. It actually doesn't say it was in development for a year. It says that it's "been in operation for about one year." I guess the timing still sorta works if you're making loose connections, but it seems like a pretty big leap to argue that's somehow evidence that Snowden gave the info to the Chinese during his brief stay in Hong Kong.
It also means that in the name of “transparency,” Snowden and his media accomplices may have empowered one of the world’s worst censors.
Uh, no, it doesn't. If the WSJ's editorial board knew the first thing about technology, they'd know that it didn't require Ed Snowden to teach the Chinese how to build a giant DDoS machine.
This is another example of how the Western left fails to distinguish between the secrecy and surveillance required by democracies to preserve freedom and that used by dictators to quash it.
Huh? That sentence doesn't even make sense.
Either way, as one commenter noted, you'd think that the WSJ might realize that even if China modeled the Great Cannon on the NSA's Quantum, it really says something that we're building tools that can be used to censor the internet. And they should realize that's a problem. Instead, they try to blame the whole thing on Snowden, because... well, actually not for any actual reason that I can see -- just pure speculation. That's the kind of thing we'd expect to see on conspiracy theory websites. Not the Wall Street Journal.
A couple of weeks ago, Mike provided an in-depth analysis of China's new tactic in its longstanding efforts to restrict access by its population to material that challenges the official narrative. The tool behind this powerful DDoS attack has now been dubbed "China's Great Cannon" by researchers in a fascinating analysis published by The Citizen Lab. As Mike pointed out, one reason why this new approach has been developed is that it is not possible to block individual URLs when HTTPS traffic is involved: a censor sitting on the path can see which host a user is talking to, but not which page on that host is being requested. Thus, ironically, the increased use of encryption -- which is meant to protect users online -- led to the development of a powerful new digital weapon, one that tampers with unencrypted traffic to inject malicious scripts and potentially makes users not just victims, but even part of the attack. However, encryption is also a remedy, as The Citizen Lab researchers write:
Our findings in China add another documented case to at least two other known instances of governments tampering with unencrypted Internet traffic to control information or launch attacks -- the other two being the use of QUANTUM by the US NSA and UK’s GCHQ. In addition, product literature from two companies, FinFisher and Hacking Team, indicate that they sell similar "attack from the Internet" tools to governments around the world. These latest findings emphasize the urgency of replacing legacy web protocols, like HTTP, with their cryptographically strong versions, like HTTPS.
However, the remedy is only partial. Writing on his blog, Brian Krebs quotes Bill Marczak, one of the lead authors of the Great Cannon report, as saying:
Relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don't offer the same content over an encrypted connection. What's more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.
"Some of the scripts being injected in this attack are from online ad networks," Marczak said. “But certainly this kind of attack suggests a far more aggressive use of https where available."
This confirms that encryption is no panacea, but is certainly worth deploying. The attack depends on rewriting traffic in transit, and an HTTPS connection cannot be altered in transit without the browser noticing; the remaining gap is whatever a page still loads over plain HTTP, including the page itself when a site offers no HTTPS at all. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.
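To make Marczak's point concrete, here is an added example (not code from Citizen Lab, Krebs or the Techdirt authors) that audits a page's injection surface: every script, stylesheet, frame or plug-in resource that the browser would fetch over plain HTTP, and that an on-path attacker such as the Great Cannon could therefore replace. The page URLs, the sample HTML and the domain names are all constructed for the demonstration; the only assumption is that the markup is the page as the browser receives it.

```python
"""Audit which active subresources of a page an on-path attacker could rewrite.

Added example, not code from the page's authors or from Citizen Lab.  The
page URLs, HTML and domain names below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched body the browser executes or interprets.  Passive
# content (img, video, audio) is ignored: swapping it cannot run script.
ACTIVE_CONTENT = {
    "script": "src",
    "iframe": "src",
    "frame": "src",
    "embed": "src",
    "object": "data",
    "link": "href",   # only when rel marks it as active, see ACTIVE_LINK_RELS
}
ACTIVE_LINK_RELS = {"stylesheet", "preload", "modulepreload", "import"}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, raw_url) for every active subresource, in document order."""

    def __init__(self):
        super().__init__()
        self.base = None      # a <base href> changes how relative URLs resolve
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"].strip()
            return
        attr = ACTIVE_CONTENT.get(tag)
        if attr is None:
            return
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            if not rels & ACTIVE_LINK_RELS:
                return          # icons, canonical links etc. are not executed
        url = attrs.get(attr, "").strip()
        if url:
            self.found.append((tag, url))


def injectable_subresources(page_url, html):
    """Return [(tag, resolved_url)] for each active subresource fetched over
    plain HTTP, i.e. one a man-on-the-side or man-in-the-middle could replace.

    Relative and scheme-relative ("//cdn/x.js") references inherit the page's
    scheme, so identical markup is fully exposed on an HTTP page and clean on
    HTTPS.  Only absolute http:// references stay exposed after a move to
    HTTPS; browsers block those as active mixed content, but they still mark
    a dependency that has not been migrated.
    """
    parser = _SubresourceCollector()
    parser.feed(html)
    parser.close()
    base = urljoin(page_url, parser.base) if parser.base else page_url
    hits = []
    for tag, raw in parser.found:
        resolved = urljoin(base, raw)
        if urlsplit(resolved).scheme.lower() == "http":
            hits.append((tag, resolved))
    return hits


# Constructed sample: a site with an ad-network tag and a CDN-hosted script,
# plus a few secure or passive references for contrast.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.net/analytics.js"></script>
<script src="https://secure.example.org/lib.js"></script>
<script src="http://ads.example-adnetwork.test/tag.js"></script>
<link rel="icon" href="/favicon.ico">
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="https://widgets.example.org/embed"></iframe>
<script>inline()</script>
</body></html>"""

HTTP_PAGE_URL = "http://www.example.com/index.html"    # site offers no HTTPS
HTTPS_PAGE_URL = "https://www.example.com/index.html"  # same markup over HTTPS

if __name__ == "__main__":
    for url in (HTTP_PAGE_URL, HTTPS_PAGE_URL):
        print(url)
        for tag, resolved in injectable_subresources(url, SAMPLE_HTML):
            print(f"  injectable <{tag}> {resolved}")
```

Run against the HTTP version of the sample, the audit flags the site's own stylesheet, the scheme-relative CDN script and the ad-network tag; against the HTTPS version only the hard-coded http:// ad tag remains, which is exactly the ad-network residue Marczak describes. Plain-HTTP images are deliberately not reported, since replacing passive content cannot turn a visitor's browser into a DDoS node.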