The Great Cannon has been deployed again (att.com)
1043 points by robbya on Dec 6, 2019 | hide | past | favorite | 431 comments



Browsers really have to be a lot more skeptical about the code they run. Running code should not be able to randomly attack any IP address on the internet. Code from non-TLS pages should not be able to run at all. Perhaps that should also apply to code loaded from 3rd party sites.

Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net. It certainly should not be consent to delegate that power to others, either via a embedded link or a MITM attack.


This sounds like a knee-jerk reaction that doesn't take into consideration the ramifications of the suggested policy. It won't stop DDoS attacks, because those exist _because the internet exists_ and unless you dismantle the very concept of interconnected "everyone can reach everyone" networking, all you're doing is locking down access to more and more people until only technical experts or the people with enough money to hire those experts get to use it.

Advocate the other direction: more freedom, including the freedom to say "thank you, browser, for being locked down by default, but I trust this website and I am okay with everything it wants to do".

Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with. And letting them make mistakes with that, too: you don't make things better by taking away important life lessons, either.


This, on the other end of the spectrum, seems overly and naively liberal, when not being paired with a workable solution to the massive body of education required to provide adequate technical sophistication to (what has to be most of) 8 billion people.


>> a workable solution to the massive body of education required to provide adequate technical sophistication

The problem doesn't have to be one of education if it is tackled as a legitimate UI/UX problem and served by a W3C that supports the needs of end users over corporate partners.


I have NoScript installed on Firefox, and when I visit sites, I individually grant temporary permission to anywhere from one to more than twenty JavaScript sources. I suspect that I am among the 1% of those willing to make that effort.

I haven't noticed NoScript distinguish between http and https sources for javascript, but perhaps I don't visit sites that pull in javascript via http.


I did this last summer and managed maybe 1-1.5 months until it drove me crazy having to fiddle to get (way too many) sites to work with a minimal amount of accepted JS. Which is a shame, because it's quite a foolproof method of rendering most malicious actors helpless.


That requires allowing web servers to blacklist all browsers known to allow HTTP and therefore DDoS... which is equivalent to banning HTTP code.


TLS should be required, but it seems likely to me that the Chinese government can issue TLS certificates for MITM purposes that their browsers will trust.

As for the DoS aspect, maybe it's time to do a CORS preflight on ALL cross-origin requests, including images. (Webfonts, for whatever reason, already require a CORS preflight. Probably because Adobe is on the W3C and they sell a service where certain origins can legally use certain fonts from their servers. I hate it when user security features get turned into subsidies for large corporations, but here we are.)

Of course, if you have broken TLS I guess you can just forge the CORS response.

Edit to add: I have read more comments and better understand the attack now. China is modifying the JavaScript on Chinese websites that are being viewed from outside China. Making TLS mandatory would be a big help here. China could say "all Chinese companies must buy certificates from the Great Chinese CA" and they could still do the MITM. But with evidence of the CA issuing fake certificates to DoS websites, browsers would probably stop trusting that CA entirely. I imagine China would like to avoid that, so I feel like this would have stopped the attack.


> But with evidence of the CA issuing fake certificates to DoS websites, browsers would probably stop trusting that CA entirely.

"Hey Tim Apple/Microsoft/Google, if you want to do business in China you have to put our CA on your devices/software...".

At least Firefox would still be free from that. And Apple already has China-specific iOS, so they'd just activate the bad CA on Chinese devices...


My guess is that Firefox and Chrome would push back. Apple probably has too much to lose, though.


> Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net.

But that is literally what web users want.

Everything you named is a fine opinion, but runs contrary to the wishes of the vast majority of millions and millions and millions and millions of web users.

EDIT: That said, browsers have features for users such as yourself to disable JavaScript, and there are third party extensions for finer-grained control. Again, adding these limitations is unpopular among web users.


> But that is literally what web users want.

No it absolutely does not.

Just because a user doesn't understand what JavaScript is or how to diagnose why their computer is slow (is it an app, website, update, virus etc.) does not imply consent.

Pretty sure that most people just want to be able to visit a website without it causing problems to their computer or to others.


But a “website” isn’t an HTML page any more. It’s a network-deployed application. Most people want to run these applications.


To reiterate threeseed’s point: the user wants the website to work well and work efficiently. They don’t care if it’s HTML or an interactive app. In a lot of cases, the web works better when pages are served as plain static HTML.


Websites also work better, IMO, when every page doesn't use remote resources on 10 different domain names hosted by 3rd-party vendors. This is one of the reasons I use Vultr instead of Digital Ocean: instead of locally hosting their own JS pages, DO uses 3rd-party services. (Maybe they don't have a choice if the 3rd party requires it.) Whereas with Vultr, I only had to enable one or two domain names and the whole site worked. It's a much better experience for the user IMO.


Sure, a simple marketing site for a local restaurant can work with only HTML and CSS, but practically all of the top 20 most popular sites would cease to function without JS.


I think you'll need some evidence for that. Silence is not consent, and it's certainly not enthusiastic consent.

And even if you do want to take silence for consent, the fact that the vast majority of millions of millions of web users do not install an extension to route around Google AMP indicates that they do not want the operators of the web page to do whatever they want, they want to run a restricted subset of what the web designer might imagine. AMP is extremely popular among web users; approximately 100% of Google users use it. (The more defensible argument, of course, is that users don't really want AMP, at which point the question of what users really do want gets back on the table.)

Also, users did vote with their feet against downloading EXEs from the internet - which can actually do whatever the developer wants - and using JS on the web platform, which can make unrestricted GET requests (even if it can't see the responses), sure, but can't do anything near "whatever." It stands to reason that users would gladly accept even more restrictions on the execution platform.


> they want to run a restricted subset of what the web designer might imagine

For the kinds of places that AMP is used, I would suspect so.

> Also, users did vote with their feet against downloading EXEs from the internet

So....this CAN happen???

> users would gladly accept even more restrictions on the execution platform.

The recent popularity of clipboard permissions, geolocation permissions, notification permissions, etc. would suggest otherwise.

What makes you so sure that web users care so much about the uptime of lihkg.com ?


> The recent popularity of clipboard permissions, geolocation permissions, notification permissions, etc. would suggest otherwise.

What popularity? Do you have data that users tend to click "yes" on such permission prompts?

> What makes you so sure that web users care so much about the uptime of lihkg.com ?

I'm not sure I understand what you're asking or what you're responding to.


> I'm not sure I understand what you're asking or what you're responding to.

lihkg.com being down is the negative consequence of this code running, right?


That's one of the negative consequences. If you phrase it as "In order for you to use the web as you're used to it, lihkg.com will go down, do you care" then sure, users may say "no." But if you phrase it as "When you visit this website, a portion of your bandwidth and battery life will be used to suppress dissident communications in Hong Kong, would you like to use your bandwidth and battery life on it," do you expect users to say yes?


No, that is not what web users want. No one asked them and they probably don't even have an opinion on that. It's what web developers and browser makers want.


It's certainly not what browser makers want, since the browser makers dropped native extensions and Flash and Java, and it's not what many web developers want, given the popularity of Content-Security-Policy.


You don't need to inject scripts to make this sort of thing work. Just add img or style tags with the source set to the target you want to attack. The browser will happily go try to fetch the files from the server, adding to the request load.

You can see unintentional examples of this happening. Small sites get taken down occasionally when larger sites directly link to images or videos hosted there.


Each individual user isn't doing that much, just loading an asset from another site, which is fairly inconspicuous. It's when billions of users start doing it that it becomes a problem (the first D in DDoS), but any individual person isn't doing anything out of the ordinary.


Unfortunately there's a giant category of devices that can't serve TLS. Like pretty much every consumer router in existence that you connect to through a webpage. Someone needs to come up with a solution for that. Ideally one that works with free and open source projects and not just well funded companies.


Found out there's a W3C working group trying to come up with solutions

https://www.w3.org/community/httpslocal/


> Unfortunately there's a giant category of devices that can't serve TLS. Like pretty much every consumer router in existence that you connect to through a webpage.

Come on now. Of course those devices can use TLS - they just can't do so in the capricious constraints imposed by the system of "certificate authorities". It's not a fundamental limitation of the technology.

If we were using something like the Noise protocol, nobody would be saying that tiny devices are incapable of proper security at the transport layer. There's just no clear way to assess the validity of a self-signed cert in the browser given today's political constraints.


Why do they have to use self-signed certs? Ship the device with a valid cert for $last_three_octets_of_mac_address.$vendor.com to the device, and print it clearly on the setup instructions. Typing in something like d63d15.ui.com isn't onerous.

The CA/Browser Forum allows certs up to 27 months - do routers sit on store shelves for 27 months before being configured? Do they even sit for 12 months? (Once they're online, they can renew their cert, possibly with the help of the vendor who can track the private key or something.)


That would require significant effort for the vendor to set up, and most internet devices such as routers are absolutely minimal-cost devices. Literally every cent counts in production, and vendors would rather remove some features than shell out the 2 cents extra to add another 64 MB of storage.

Furthermore, this would require either not being able to change the IP for your device (bad) or sending information about the layout of your network to the vendor (I wouldn't trust them with that info).

Very few people care about this and the effort of maintaining a custom DNS and a CA certificate system (which, by the way, would need to be subjected to rigorous security testing) just isn't worth it.

Lastly, what's the point? Adding a little padlock isn't worth it if anyone can get a certificate for the router IP anyway. How do you ensure that the router connecting to your IP really has the MAC address it claims? It only takes one person to get root on their router to invalidate the entire security system, and given how router vendors are somehow still shipping command injection vulnerabilities, I wouldn't assume that they can prevent that as much as they'd like.

What I want is the option to give a router my own security certificate instead of the self-signed one. Let me use my own CA or let me mess around with Let's Encrypt, split-horizon DNS and Selenium scripts if that's what I need. Consumers don't care about TLS on their router and this would be the cheapest option to solve it for prosumers.


We sell industrial equipment which will live its entire life (20+ years) off the internet.

Browsers and the people who sit on these committees are understandably more focused on their own use cases, but there really does need to be a viable certificate solution for small embedded devices, preferably one that works with mDNS too. I'm not going to hold my breath, but until this happens any/all IoT devices will remain largely insecure. Big co's (like my employer) can develop and deploy a custom solution; most companies cannot.


That's a little bit of a different problem, since the client end of the connection isn't the general public. (At least for industrial equipment.) The router problem is that you need a normal, unconfigured web browser to be able to access the router's config page.

The immediate solution that occurs to me is installing a private CA, possibly one with name constraints for the vendor, because private CAs aren't held to the same rules about validity. I'm curious why this doesn't work - is it just that the tooling needed to make it happen isn't polished enough for small vendors?

I'm guessing that internet of things devices are, by their name, on the internet and can talk to a CA. Yes, this will require some way to give them a real domain name, but you could either give them names on the vendor's site or encourage people to get a domain name for themselves.


No need for even that. TLS should have an extension which says "I don't know how to verify my identity, but send this data to vendor.com and then they'll verify my identity".

Vendor.com can then look at the opaque blob forwarded from their hardware and decide if they want to delegate trust to it.


That doesn't quite work, because the premise of accessing a router setup page is that your internet connection doesn't work yet. So your router has to be able to prove its identity to the client entirely offline.

(You cannot special-case "This server is untraceable", else a repressive government could blackhole that server and trigger the relaxed validation rules.)


I'm not familiar with this problem, could someone explain? Thanks!


There is no problem. Routers can use a self signed cert.


Could you expand on that a little? What do you mean? Won't my browser complain if the cert is self-signed?


Yes, it will complain, and for good reason: it has no way of knowing whether the kid next door is spoofing your router's IP or MAC address and presenting their own self-signed certificate.

I wouldn't go as far as calling it «capricious constraints imposed by the system of "certificate authorities"» but at the same time, I agree that it's not a fundamental limitation of the technology.

Better protocols could be developed to allow a browser to trust a server without (all) the limitations of the current system.


My harebrained idea for this:

- let companies register a wild card domain in the .local (or a newlocal) namespace: .acme.local

- designate the acme company with the ability to issue certs that never expire for any name in ".acme.local" but the browser will refuse to use certs signed with that key for anything outside "*.acme.local"

pros:

- the acme company can now make equipment that the users browser can connect to over an encrypted channel with zero config on the user's part

- the equipment can live off the internet indefinitely

- if the acme company is breached, and their signing key is stolen, the attackers can only use that key to impersonate acme company, it doesn't allow them to impersonate any other domains

cons:

- the browser manufacturers don't care about this use case so it's never gonna happen

- the cert on the device never expires... and can never be replaced automatically somehow. I think the only workaround is acme could enable users to load their own certs if they are so inclined, but that shouldn't be required.


You should only have to store the self-signed cert exception once, at least on a given device. Now, if you're being targeted by a state-sponsored actor they might somehow be able to get you onto a honeypot network within the 2-minute window between plugging in your router and making your first connection to its web interface, but for everybody else a self-signed cert that you accept once during initial setup should be plenty good enough.


> Running code should not be able to randomly attack any IP address on the internet.

How would you prevent this? What constitutes an "attack", and how would you make sure you're not interfering with non-malicious use cases?


JavaScript was a mistake


This is just another kneejerk. They could have just injected an <img> tag with randomized src="" directly.


That would not constitute such a problem. The script is what provides the amplification factor here.


This is a network protocol flaw, not a language flaw.


Can there be a list that comes up so users who want control can see what pages the link they have selected implicitly links to? Just on the side, perhaps. They can explicitly block, or AI can learn, etc. It may have to be a feature, as deny-all or enable-all is too rough to be useful.

For China, we need some way to handle that whole commercial-military-party all-one-entity.


> Browsers really have to be a lot more skeptical about the code they run.

I absolutely believe you, and wrote a document on how to make improvements.

> Code from non-TLS pages should not be able to run at all.

Whether or not it is TLS is irrelevant. Either way the user may wish to put in their own code, and either way the server operator can change things whether or not it is what the user intends. (TLS does prevent spies from adding code, but not all unwanted code is from spies.)

> Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with.

I agree. Furthermore, allow the user to override any behaviour they want to do, too.

Allow the user to examine and copy the script (possibly with modifications); if the script changes (whether due to MITM or due to the author altering it or due to some other company purchasing them), it no longer runs unless the user approves the new one, too. Extensions that only allow free software to run don't help either; just because it is free software does not necessarily mean it is a program the user wants their computer to execute. Or, maybe the user wants to execute a modified version instead!


It's called a hyperlink and doesn't require any code or JavaScript to run. Maybe excessive requests to the same IP could be throttled by a user agent.

An outbound browser firewall could help also.
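The per-destination throttle the comment above suggests, as an added example; this is not code from the AT&T writeup, from any commenter, or from any browser. It is a sliding-window budget per destination host that a user agent or extension could apply in front of outbound requests, plus the "outbound firewall" report of which hosts blew their budget. The budget (10 requests per second per host), the clock injection and the `target.example`/`cdn.example` hosts are assumptions chosen for the demo; a real browser would have to tune the budget so legitimate pages (many small API calls to one origin) are not throttled, which is the hard part the comment glosses over.

```javascript
// Added example (not from the thread or any browser): a per-destination
// sliding-window request budget, as a user agent or extension could apply.
class OutboundGuard {
  // maxRequests/windowMs/now are assumptions for the demo; `now` is injectable
  // so the behaviour can be tested without waiting on a real clock.
  constructor({ maxRequests = 10, windowMs = 1000, now = () => Date.now() } = {}) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.now = now;
    this.history = new Map(); // destination host -> timestamps of recent allowed requests
    this.blocked = new Map(); // destination host -> number of denied requests
  }

  // Returns true if the request to `url` may proceed, false if it is throttled.
  // Only requests that were actually allowed count toward the budget, so a
  // page that keeps hammering a host does not extend its own penalty window.
  allow(url) {
    const host = new URL(url).host;
    const t = this.now();
    const recent = (this.history.get(host) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.maxRequests) {
      this.blocked.set(host, (this.blocked.get(host) || 0) + 1);
      this.history.set(host, recent);
      return false;
    }
    recent.push(t);
    this.history.set(host, recent);
    return true;
  }

  // Hosts that exceeded the budget, most-denied first: what an "outbound
  // firewall" UI would show the user so they can decide whom to trust.
  report() {
    return [...this.blocked.entries()]
      .sort((a, b) => b[1] - a[1])
      .map(([host, denied]) => ({ host, denied }));
  }
}

// Wrap a fetch-like function so throttled requests are rejected instead of sent.
function guardedFetch(guard, fetchImpl) {
  return (url, opts) => {
    if (!guard.allow(url)) {
      return Promise.reject(new Error(`throttled: ${new URL(url).host}`));
    }
    return fetchImpl(url, opts);
  };
}

// Constructed scenario: a page fires 50 requests at one host within a quarter
// second, one request at an unrelated CDN, then one more at the first host
// after the window has elapsed. Returns counts the caller can check.
function simulate() {
  let clock = 0;
  const guard = new OutboundGuard({ maxRequests: 10, windowMs: 1000, now: () => clock });
  const sent = [];
  const fetch_ = guardedFetch(guard, (url) => {
    sent.push(url);
    return Promise.resolve({ ok: true, url });
  });
  for (let i = 0; i < 50; i++) {
    clock += 5;
    fetch_(`https://target.example/?${i}`).catch(() => {});
  }
  fetch_("https://cdn.example/app.js").catch(() => {}); // different host, own budget
  clock += 2000; // window elapses, target.example's budget refills
  fetch_("https://target.example/?late").catch(() => {});
  return { sent: sent.length, report: guard.report() };
}
```

In the constructed run only 10 of the 50 burst requests reach `target.example`, the CDN request is unaffected because budgets are per host, and the request after the window goes through; `report()` names the one host that was throttled and how many requests were dropped.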


> It's called hyperlink and doesnt require any code or javascript to run.

Hyperlinks generally don't open themselves. There is an obvious exception -- img tags[1] -- and I think it's worth considering whether they should be allowed to have the behavior they do. As far as I see, img tags load themselves so that, if you're editing HTML by hand, you don't have to deal with binary image data in the middle of what was supposed to be a clean text file. That may not be the right tradeoff.

[1] The img model got extended to other external resource loads, like script and css. But both of those frequently do appear as part of the same HTML that uses them. Image data can, but usually doesn't.

Also, external script loads are such an obvious problem that we got the Content-Security-Policy just to deal with it.


HTML was initially intended as, and still largely is, a markup language. An HTML file provides a container and presentation for other types of content. If you saved all those types of content into the same file you'd have many of the problems HTML was specifically designed to avoid, like bloat, vendor lock-in, format incompatibility, and editing difficulty.


Iframes are popular for these things; also, they don't require JavaScript to run.


Sites embedding said JS "analytics" files could have implemented HSTS and CSP with SRI, and this attack wouldn't exist.


You do know you’re suggesting that sites not be able to load assets from other sites right?


They are specifically suggesting that HTTP-only sites not be able to load from third party sites, which is quite a bit different than your interpretation of generally preventing any site from loading any external content. HTTPS ought to be the default and browsers can, and should, move towards that.

But to answer your question more directly, yes they clearly know what they are suggesting.


I note this language in the writeup:

> These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

> http://push.zhanzhang.baidu.com/push.js; or

> http://js.passport.qihucdn.com/11.0.1.js

This seems overly generous. I personally would not assume that the government of China couldn't persuade Baidu or qihucdn.com to serve government-provided JavaScript.

It also assumes that the end users ("victims") here don't trust any Chinese certificate authority.


I'll speculate that there are sufficient locations failing to use https that they haven't felt a need to use https. I further speculate that China is sufficiently entangled with the international internet that they would prefer not to have their certificate authorities de-listed by the major browser vendors.


> But to answer your question more directly, yes they clearly know what they are suggesting.

Highly unlikely, or else the suggestion would be to just ban HTTP altogether. HTTP without the ability to load resources from other domains would break the majority of sites.


TLS sadly won't make a difference.


“a web site Lihkg.com” is really an understatement, as its title indicated. Given the “be water” and no-leader approach, lihkg is really the only way to try to have some sort of info among possible noise (which popo likely also post their confusing messages into). There were discussions of cutting off access by HKSARG and a rush to install VPNs is promoted. Guess they cannot firewall HK given its financial centre status.

The evil empire and culture will try and try to harm liberty and human rights. If it were not so important, you would not see many HKers like me posting here and in other places, but in a concentration camp like the northern Turks up north.


So, maybe firewall off China for a couple of days? Sure, it would hurt on both sides but at least it would be clear that abuse at this scale leads to being blackholed.


This doesn’t work. The DDoS requests actually come from outside China, when overseas visitors are hit by the malicious JS while browsing Chinese websites.


So it does work. It doesn't really matter where you break the chain as long as it gets broken.


It only works if you somehow remove all of China from the Internet.


That would be the kind of signal that would be hard for the Chinese to spin in such a way that it would make them look good, and the economic effect would be pretty much instantaneous.

There is plenty of historical precedent for this: spammers' IP ranges would be blackholed to send a message to their ISPs that such behavior wasn't tolerated. That the Chinese authorities decide to play this game at the nation state level should not give them a free pass, but should result in a nation state level response.

https://en.wikipedia.org/wiki/Black_hole_(networking)


I'm not sure 'We have the technology to censor the internet, and it's okay to deploy it' is the message you want to give the CCP.


That's not censorship.

https://en.wikipedia.org/wiki/Censorship

The criminal co-opting of networks and nodes on those networks is not speech by any definition.


There are innocent users outside China who like to view innocent websites inside China. If you block the connection, you make the innocent users, and the innocent websites, mad. They might very well interpret it as censorship.


That's not the issue. The issue is that there is speech accompanying the malware, which should not be systematically censored. (Though any individual is free to do so for themselves.)


> The issue is that there is speech accompanying the malware

I'm either misunderstanding what you're saying, or it doesn't make sense. If a bunch of people take signs (with legitimate messages, free speech) and hang them off a bridge over the highway (causing accidents), then those people go to jail. The fact that their message is free speech is irrelevant. The source of the message is being punished/jailed, not the message.

Am I mis-representing your statement?


Another iteration of this and we'll have bullets with text on them and killing someone with those bullets will be an expression of free speech. The degree to which the 'free speech' analogy is contorted is amazing, more so because the original scope was quite narrow, both legal and geographical.


The problem is closer to a ne'er-do-well taking someone else's signs and hanging them off a bridge over a highway. The person producing the speech is having their speech hijacked for malicious purposes by an MITM; that doesn't mean that it's not censorship when the sign's/webpage's creator gets caught in the censorship crossfire during the attempt to take down the malicious actor.

To put it another way: if someone steals my car and uses it to rob a bank, even if that car is now evidence in a criminal investigation, it's still my car. The police have every right to confiscate it from the thief—it's not their car—but that doesn't mean that it suddenly belongs to them; it belongs to me. In both this case and the above case, I have a right to not be unduly punished for the actions of an unrelated third party (by having my website taken down; or by having my car permanently confiscated, respectively.)

The context here is very similar to a story that was on HN just yesterday (https://news.ycombinator.com/item?id=21671579). Banning a site from the internet for happening to be MITMed by China is very similar in its ethical implications to banning a site from the Internet for happening to have a domain-name that fits a pattern used by a botnet.


The point is that technology could _also_ be used for censorship.


I'm sure spammers feel very much censored when they are blackholed. Tools are usually dual use.


We're kinda already past this?

At this point we really need to start doing the "You wanted a Great Firewall? Enjoy. You now have no connection."

Removing China from the internet would also likely cause things that phone home to China to break. That would actually create some consumer awareness to boot.


Not really, it is more like "if you behave like a malicious actor similar to a spammer, we will treat you like one".


The spin would be "US cuts off global internet in a petty attempt to interfere with China's management of its own network". Justified by a technical backstory that approximately nobody understands, I don't think it would play well even outside of China.


Who cares? China is a net negative on the Internet, they can stay over in their intranet as far as I am concerned, nothing of value would be lost.


Ohh no! Human to human connections are far too important to maintain in today's glocalized world.


It is possible: De-peer AS4134 (China Telecom) and reject all of their routes. They are the only international ISP that lands into mainland China. They are extensively peered around the world.


It's not just them. AS4837 (China Unicom) and a few others who have intl permission to route in and out of China. That said, you're going to hurt a lot of non-china multinationals who operate there.


> That said, you're going to hurt a lot of non-china multinationals who operate there.

Not my problem. Figure out a better way than getting in bed with fascist countries and then complaining when the inevitable door swings shut due to rightful backlash.


No big loss.


Maybe for you, but there are millions of people that work with people in China everyday.


China can easily operate any number of servers outside China.


Seems like it could work, there would be no way to pull down the JS.


I agree that such bad behavior should be punished, but why just couple of days? This would be similar to UN trade sanctions that are imposed on bad state actors.

I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.

Personally I have already pi-holed entire .cn and other domains.


> This would be similar to UN trade sanctions that are imposed on bad state actors.

UN sanctions are not imposed on bad state actors. They are imposed on weak state actors. UN sanctions have never been imposed on the US, China, Russia, Britain and France, easily the worst state actors globally: the biggest weapons sellers and the cause of instability all over the world. They also are the 5 permanent Security Council members with veto power.

> I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.

China doesn't enjoy a trade imbalance with the "rest of the world". They enjoy it with the US primarily. They are net importers from Japan, South Korea, Saudi Arabia, Brazil, etc.

Germany, Japan, South Korea, etc also enjoy trade imbalance with the "rest of the world". Do you support sanctioning them?

> Personally I have already pi-holed entire .cn and other domains.

That doesn't do much if you really think about it. It's not like Chinese individuals, companies or the government are barred from owning everything from .coms to .orgs.


> UN sanctions are not imposed on bad state actors. They are imposed on weak state actors.

That is a great point and I agree with it.

However, the way I look at it, a state-sponsored attack like this is no different from a country firing missiles or shells on another country from over the border. And as such, such attacks should not go unpunished and there need to be consequences. In addition, the countries being attacked have a right and a moral duty to protect themselves.

The mechanisms of such I leave to those with the power to make it happen.

And yes, blocking .cn doesn't do much, but it does some.


Google has had a lot of success blacklisting domains that spam. Getting blacklisted and losing 30-90 days worth of traffic because you wanted to bump your pagerank a bit is a bit silly.

We could potentially have sanctions that require Google to block commercial sites in China. That would definitely get their attention without massive financial implications on the economy.

This type of behavior CAN NOT be allowed to continue.


I would rather see more rigorous trade policy. Frankly fewer low-quality or fraudulent Chinese imports will probably be a net positive and even if it is more expensive, I would rather our trade dollars support countries with less corrupt governments and better ethics with respect to intellectual property, fraud, environmental protection, etc.

I’m sure this will garner plenty of whataboutism regarding how the west is imperfect (never minding that I didn’t say “the west”)...


The west is constantly pushing for stuff like this in every trade policy with China and others...

There’s a limit to how much leverage any one side has on a sovereign countries policies (and how much they actually enforce them when they agree).

There’s also the question of the benefits of having China at all in these deals, some concessions and a growing dependence on western markets from initial deals is better than no deals.

Plus a wealthier China is good for the world and the billion people coming out of poverty, getting educated, and slowly becoming an advanced economy.


> There’s a limit to how much leverage any one side has on a sovereign countries policies (and how much they actually enforce them when they agree).

I’m not advocating for anyone controlling sovereign Chinese policies. They can continue their awful anti-humanitarian policies, fraud, IP theft, etc. I just don’t want my country aiding and abetting it. At very least I want my fellow citizens to be able to make informed purchasing decisions.

And I’m all for lifting people out of poverty, but I’d rather do it in a country with some minimum base line respect for human rights and integrity, and where my purchasing dollars don’t end up propping up some dictatorial system that bullies other countries.


The UK kept trade with the US when slavery there was rampant. Any country will have hiccups throughout its development. It's convenient but counterproductive to categorize every argument against yours as "whataboutism".


> The UK kept trade with the US when slavery there was rampant.

And were I a citizen of the UK in this tortured analogy (with my contemporary morals and all that), I wouldn’t want my money supporting that.

> Any country will have hiccups throughout its development.

Right, but we don’t have to support those “hiccups”. Anyway, China had 60 million hiccups in the last century. They’re all out of hiccup passes.

> It's convenient but counterproductive to categorize every argument against yours as "whataboutism".

Not every argument, only the ones that start by suggesting I can’t criticize China until <other countries that I presumably support> are completely without blame. Such as yours.


LIHKG requires a Hong Kong ISP to register anyway, so it's not like that site blocking mainland China would hurt it at all.


That's what they want: a bifurcation of the internet.


No they don't. They want to use it as a weapon against targets of their choosing and co-opt the rest of the net in doing so. The economic importance of the internet to China cannot be overstated.


They want a semipermeable membrane that money can cross, but uncontrolled information can't.


I think what parent is saying is that (unrelated to TFA) China wants a separate information sphere, where only party-approved sites and services are available to their citizens. They have largely accomplished this.


I doubt it. China gets a lot of business from overseas via the Internet. Think about all those fabs where you upload a PCB design and for $2, they manufacture it and mail them to you. If Americans could not visit the Chinese Internet, those companies would be out of business overnight. When nobody has a job or money, people start questioning the government, which the government would probably like to avoid.

The reality of China is that they need the global economy as much as the global economy needs them. No one entity can really pick up their ball and go home, as much as China would probably love to.


I doubt that's what they want at least in the short term. The economic effects would be disastrous.


The web needs to start moving towards a strong same-origin policy for all embedded content -- require sites to proxy requests if they want third party content.

The first step could be sending CORS preflight, then requiring it, then just not allowing cross origin to different domains (but allow sub-/sibling-domains).


How would this be different than the CNAME cloaking[1] currently being used by data collectors to circumvent ad blocking software?

1. https://news.ycombinator.com/item?id=21604825


I agree that this is the next step in the ad-tech / spy-tech war.

uBlock recently found an approach for blocking cnamed origins: https://github.com/gorhill/uBlock/commit/3a564c199260a857f3d...


Can't the CORS preflight, by itself, be a DoS?


If you read the OP they say they were specifically crafting links that led to an image resizing webservice, so each load wasn't just requesting static content, it was consuming non-trivial compute cycles. Of course you can have a DDoS comprised of tons of requests for HTML or JPGs but the added overhead of performing a "resize" was at least a part of the plan. Failing a pre-flight would have eliminated that hit.


About a month ago we were discussing this and a few of us came to the conclusion that an eventually-required CORS header for cross-origin GETs would be a good thing. CDNs and SSO services could start sending this header so they can stay in business when the browsers turn off all cross-origin requests by default.

Unfortunately (from my perspective) that'll do nothing to stop third party ad tracking, but you can't have everything, I suppose.
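The proposals above (same-origin by default, a required CORS preflight for every cross-origin GET) hinge on one detail of today's browser rules: a "simple" cross-origin GET is sent to the target whether or not the target opted in, and only the response is hidden from the script. The following simulation, added here as an illustration and not code from the AT&T writeup or any browser, contrasts that with the stricter preflight-required model; all host names are constructed.

```python
"""Simulate when a browser actually *sends* a cross-origin fetch.

Two models are compared:
  - today: CORS 'simple' requests (GET/HEAD/POST with safelisted headers) are
    sent without a preflight; the server's Access-Control-Allow-Origin header
    only decides whether the script may read the response.
  - strict: the proposed rule that every cross-origin request is preflighted
    and only sent if the target opts in.
The target server counts cheap OPTIONS preflights separately from the
expensive GETs that would run its image-resize job.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed names for the simulation; not real hosts.
INJECTED_PAGE = "http://news.example-cn.test/index.html"
TARGET = "https://img.example-target.test/resize?w=4000&src=big.jpg"

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def origin_of(url: str) -> Tuple[str, str, int]:
    """An origin is (scheme, host, port); default ports are filled in."""
    u = urlsplit(url)
    default_port = {"http": 80, "https": 443}[u.scheme]
    return (u.scheme, u.hostname or "", u.port or default_port)


def origin_header(url: str) -> str:
    """Serialize an origin the way the browser puts it in the Origin header."""
    scheme, host, port = origin_of(url)
    default_port = {"http": 80, "https": 443}[scheme]
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"


def is_simple(method: str, headers: dict) -> bool:
    """A CORS 'simple' request needs no preflight under today's rules."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    return all(name.lower() in SAFELISTED_HEADERS for name in headers)


@dataclass
class Target:
    """A server that has (or has not) opted into cross-origin reads."""
    allow_origin: Optional[str] = None  # Access-Control-Allow-Origin value, if any
    preflights: int = 0                 # cheap OPTIONS requests received
    expensive_hits: int = 0             # real requests that run the resize job

    def allows(self, origin: str) -> bool:
        return self.allow_origin in ("*", origin)


@dataclass
class Decision:
    preflight_sent: bool
    request_sent: bool
    response_readable: bool


def browser_fetch(page_url: str, url: str, target: Target, method: str = "GET",
                  headers: Optional[dict] = None, strict: bool = False) -> Decision:
    """Decide what leaves the browser for one fetch issued by a script on page_url."""
    headers = headers or {}
    origin = origin_header(page_url)
    # Same origin: sent and readable in both models. Note the comparison is by
    # scheme/host/port, not IP address, which is the limitation raised in the
    # thread about a host name the attacker controls pointing at the target.
    if origin_of(page_url) == origin_of(url):
        target.expensive_hits += 1
        return Decision(False, True, True)
    if strict or not is_simple(method, headers):
        target.preflights += 1
        if not target.allows(origin):
            return Decision(True, False, False)  # request never leaves the browser
        target.expensive_hits += 1
        return Decision(True, True, True)
    # Today's rule for simple requests: send it, then decide whether the
    # script may read the answer. The target pays for serving it either way.
    target.expensive_hits += 1
    return Decision(False, True, target.allows(origin))


def simulate(rounds: int, strict: bool) -> Target:
    """Replay `rounds` injected fetches against a target that never opted in."""
    target = Target()
    for _ in range(rounds):
        browser_fetch(INJECTED_PAGE, TARGET, target, strict=strict)
    return target


if __name__ == "__main__":
    for strict in (False, True):
        t = simulate(1000, strict=strict)
        print(f"strict={strict}: preflights={t.preflights} expensive_hits={t.expensive_hits}")
```

Under today's rules the 1000 injected fetches all reach the resize endpoint; under the strict model the target sees 1000 cheap preflights and zero resize jobs, which is the "failing a preflight would have eliminated that hit" point made above.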


Not sure how much that would help... they could just have their own domain be a CNAME to the target.

Your defense idea might stop layer 7 attacks, but not lower level ones.


The problem right now is that the originating server sets an HTTP response header. Given the MITM can modify that header... it indicates things need to be done automagically in the browser. But that will break A LOT.


I'm curious: is it technically and politically possible for the operators of all internet cables receiving traffic from China to filter out malicious scripts?

AT&T's writeup says the injection is only possible because it's HTTP (not HTTPS), and that there are two specific JavaScript files which sometimes serve up the malicious code.

So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?

The article also doesn't make clear -- is this DDoS coming exclusively from outside of China? Or is it injecting the same malicious code inside of China as well, and they're just not bothering to distinguish between requests coming from inside or outside the country? (In which case, the DDoS will continue regardless, just not with the rest of the world's help.)


I'm not a huge fan of anybody (China or otherwise) performing content inspection or filtering on my behalf transparently. That's just another instance of the Great Firewall with other people at the reins. If you choose to do that at your edge network, kudos to you. Just don't force it upon me.


>I'm curious: is it technically and politically possible for the operators of all internet cables receiving traffic from China to filter out malicious scripts?

Considering that the halting problem is undecidable, it's impossible to filter out the malicious scripts with complete certainty. The best you can do is use blacklists/heuristics which lead to an arms race.

>So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?

Foreign ISPs can block port 80 or HTTP requests from coming into China. Sure, it's going to break a lot of sites, but it's relatively simple for any site to get unblocked - all they need to do is set up Let's Encrypt.


> Considering that the halting problem is undecidable,

This doesn't mean that you can't prove a big subset of scripts safe.

> The best you can do is use blacklists/heuristics which lead to an arms race.

You can also allow the scripts that automatically prove safe, plus other popular scripts you decide to explicitly allow, plus other scripts that are low-rate enough that you don't believe them to be a concern.


Technically possible maybe, politically possible no.

Any ISP could force unencrypted traffic through a deep packet inspection system that looked for this kind of malicious behavior. That would be widely seen as a betrayal of the "big dumb pipe" expectation.

The computation itself is not infeasible at scale. But any ISP attempting this would see swift and brutal political pushback and almost certainly lose customers over it.


So if the cannon is created using the great firewall, how does the Chinese government establish any sort of plausible argument that this isn't state-sponsored activity?

Do they just not care?

Some day soon a war will not be started with an assassin's bullet but with a tool like this. I wonder when we start looking at them the same way?


They don't need to hide anything. This type of activity is playing off of the success of the North Koreans and Russians in neutralizing US power in the face of a completely inept and corrupt government.

The audience is other Asian and African states. The message is "we can act with impunity". The US will probably do some tit-for-tat exchange, but the US scope to do anything is limited due to the potential for impact on US businesses.


Pretty sure they don't care.

They're also directing lasers at helicopter pilots, which is much closer to an actual war than mere bits.

https://www.abc.net.au/news/2019-12-06/chinese-fishing-vesse...


The protesters in Hong Kong were also directing lasers at police and police helicopters. I don’t think that should be considered an “act of war.”


[flagged]


Says a brand new account....


According to the article, the attacks are currently ineffective for a number of reasons, one being their JS code is bugged. Imagine Gavrilo Princip's gun was prone to jamming consistently.


This... actually inspires very little confidence. The assassination of the archduke involved several assassins who each failed iteratively for ridiculous reasons on the motorcade route. Princip himself had decided to give up on the assassination, only to find out the cafe he had gone to ended up being directly on the motorcade path. The serendipity of his proximity was probably the only reason Ferdinand ended up dead that day.

The cannon doesn't have to work all the time, just once effectively, and possibly even accidentally.


The Merck attack seemed to be an accidental offshoot, and nothing on an international political scale happened from that. Until we have some more tech literate politicians, or an agency to explain what's happening in simpler terms, I don't see these kind of attacks being taken seriously, or even understood on a basic level.


In reality it was the setup of the triple entente by Edward VII that was most responsible for the WWs. The archduke may have been the match, but the triple entente was the detcord strung around Europe.


Well, Gavrilo and his co-conspirators planned to kill Archduke Ferdinand with a thrown bomb, which the Archduke deflected with his arm. The bomb exploded without doing much harm, and only later by pure chance the Archduke drove by Gavrilo and was shot. It's a miracle that the assassination worked at all; the story is full of incompetence from the assassins. As such the parallel to the Great Cannon fits perfectly.


Given Gavrilo Princip's gun was only involved because the grenade missed and then everyone concerned made a series of unfortunate decisions that allowed a second attempt, that example isn’t bringing me any hope.


I’m wondering if there are actual bugs in their code or if AT&T is just saying that to make them spend time looking for something that isn’t there.


That's almost too clever for AT&T


Wait, didn’t that happen though? I thought the arch duke was originally supposed to be killed in a failed bombing, and the handgun was a second and happenstance scenario.


There was a royal procession to City Hall in Sarajevo, during which a grenade was thrown at the Archduke. It (barely) missed, they drove off, and had a meeting with some local magistrate.

After the meeting, Franz wanted to travel to the hospital to visit the civilians who'd been wounded by the errant grenade. En route, his driver, confused, took the same route from the morning procession. When they realized what was happening, they told him to turn around and get out of there. When the driver stopped to turn around, they were ~1 block from the site of the first assassination attempt. One of the co-conspirators (who had lost his nerve the first time, and had been milling around and hoping that Franz would come back by) was standing where the car came to a stop. Two shots killed Franz Ferdinand and his wife.

Fun fact about this--Franz Ferdinand's death was not the cause of the Great War in the way that people tend to think it was. The assassination caused the war in the sense that it was a convenient excuse for a war that the Austro-Hungarians already wanted, but not because (Austro-Hungarian Emperor) Franz Joseph wanted revenge or anything like that. In fact, Franz Joseph's secretary later said that he "almost seemed grateful" that Ferdinand (whose marriage was so problematic that he had been forced to proactively abdicate on behalf of his children) was out of the way.


My middle school history teacher always stressed the point about reasons vs. triggers for events, and it has stuck with me since then, as it makes looking at things like this much easier. Basically, there is a giant list of political reasons for the Great War, I am not gonna list all of them here, but I fully agree with you that the assassination was not one of them. Franz Ferdinand's assassination was the trigger.


Thought so, that (in much less detail) was my recollection. Thanks for that.


War seems to progress as follows:

0 - Peace
1 - Trade War
2 - Financial War
3 - Electronic War
4 - Shooting War

Note that 1 & 2 are different types of Economic war, and could be grouped together. The steps occur in order, but steps can be skipped.

From a US-centric point of view, North Korea and Iran seem to be at #3. China & Russia are at a limited version of #2.

Chinese/HK seem to be at #3 with each other. Given how invisible Electronic War can be, it's possible that they are deep in #3. It's also possible that #4 might be initially fought with HK Police forces as a proxy. Think of that as "4a".


I don't know who to attribute this to but I've heard a saying:

"Countries that trade with each other don't make war with each other."

As we isolate countries and disrupt trade we definitely are increasing the risk of conflict.


> "Countries that trade with each other don't make war with each other."

I'm pretty sure this was the prevailing thinking prior to World War 1. A large scale conflict would be so damaging on a human and economic level that most assumed the people in power would find a way to stop a massive war from breaking out. Well, they were right about the first assumption, but very wrong about the second.


It's also why the EU was founded, and in that instance it worked great. European powers used to be constantly at war with each other, but in the last 70 years there was no large-scale war within Europe (except for Ukraine/Russia, both not in the EU), and war between EU states has become unthinkable.


This is surely a contributing factor, but being first-class citizens of Pax Americana US hegemony has been a larger one IMO (doubly so during the Cold War, when a common enemy on Western Europe's borders united them).

There's plenty of good things from a moral perspective about power being diffused away from a hyperpower hegemon, but stability and peace have never been among the side effects.


Yes, most famously put forward in Norman Angell's 1909 book The Great Illusion (https://en.wikipedia.org/wiki/The_Great_Illusion).


Yes, who cares about the forced labor camps and suicide nets around factories. I want my cheap plastic consumer devices!!


> Yes, who cares about the forced labor camps and suicide nets around factories.

Nobody really cares, except for those directly involved. Sad but true, nobody will ever go to war for that, for foreign citizens.

> I want my cheap plastic consumer devices!!

People do actually want that. And their cheap shoes and clothes and...


> suicide nets around factories

Foxconn's suicide rate is lower than China's, along with all 50 US states. They just employ a gargantuan amount of people (400k). I don't know much about the working conditions there, so I don't have a position, but it doesn't look like there's evidence to suggest that the working conditions have anything to do with the fact that some of their employees committed suicide.

To put it another way, there's roughly as much evidence of this as there is that working in a factory in Nigeria causes sickle cell anemia.


A car park in the UK closed off the top storey and it's common to see older MSCPs adding tall fences to the top floor, and for new buildings to have these designed in from the start.

Page 25 (but see also page 23) https://assets.publishing.service.gov.uk/government/uploads/...

Fencing off tall buildings is a useful short-term suicide prevention measure.


If people cared, there wouldn’t be a prison labor system in the US. Especially one that pays inmates in cents.


You are interpreting a correlation as a causality. More likely (IMO) is a common cause: countries that consider themselves enemies for whatever reason are both unlikely to trade with each other, and likely to go to war with each other.


The EU was founded with the explicit goal that increasing trade between European countries would prevent war.

It's impossible to prove causality, but Europe has never seen longer and more widespread peace than the last 70 years.


Europeans tend to credit the EU/EEC for the peace, but as an American, I find that totally implausible. The peace was because Europe was divided into two vassal regions and the actual superpowers decided not to go to war because of MAD. Now that the Cold War is over, we've already had a series of wars in the Balkans and various wars in the Russian periphery. True, France and Germany have taken a break from fighting each other for a long-ish stretch, but I think that trend would continue even with a Frexit because it's mostly built on memories of how bad the last two wars were.


MAD and the cold war prevented war between countries on either side of the iron curtain, sure.

But then you go on to claim that war among countries on the Western side was prevented by memories of war and not the EEC, without any reasoning as to why. I don't buy it. The first World War was already terrible, yet these countries were at each others' throats only a few decades later.


Russia and Ukraine are not EU/EEC members, and neither were the Balkan states back when they balkanized. Wars outside the EU don't disprove that the EU plays a major role in bringing peace among its members. I would agree that it didn't necessarily bring peace to all of Europe, but that's a stronger statement than most people intend to make.


Only if you think that Europe is the EU, which it is not.


China not wanting to mess with the amazing economic success is one of the strongest things pushing back against any military aggression by them.

Tons of CCP members are getting rich off the economy, which includes a lot of trade and foreign debt.

There’s plenty of correlation here.


"When goods don’t cross borders, Soldiers will." -unknown (often credited to Frederic Bastiat)

Here's what Otto Mallery said though:

"If soldiers are not to cross international boundaries, goods must do so. Unless the Shackles can be dropped from trade, bombs will be dropped from the sky."

https://fee.org/resources/if-goods-dont-cross-borders/


https://www.telegraph.co.uk/news/worldnews/asia/china/955570...

This was a common argument as to why WWI couldn't happen, countries were far too economically dependent, everyone would be ruined.

Except it did happen, and everyone was ruined.


There were more guns and power mongers than economic ties. Plain and simple. Those arguments should have been qualified a lot more.


At best, that has held in limited places and times since WWII.

At worst, it was an affirmation repeated, as with most affirmations, in the hopes that the repetition would make it true, which it doesn't, and for the usual reason, that it generally wasn't.


So presumably you have evidence of most countries trading with each other while going to war with each other?


The United States and Germany during WWII, as evidenced by Ford, General Motors, IBM, Coca-Cola, Kodak, Chase Bank, Random House, Associated Press, Dow Chemical, Brown Brothers Harriman, Woolworths, Alcoa, AT&T, and others.

https://www.theatlantic.com/magazine/archive/2001/04/hitlers...

https://www.phactual.com/8-american-companies-that-worked-wi...

https://www.toptenz.net/top-10-american-companies-that-aided...


Doesn't seem to work between Russia and Georgia, Moldova or Ukraine.


I think, the principal argument is by Immanuel Kant in "Zum ewigen Frieden" (Perpetual Peace), 1795.


Sometimes known as the “Golden Arches Theory of Diplomacy”


> 0 - Peace 1 - Trade War 2 - Financial War 3 - Electronic War 4 - Shooting War

How many major wars in the last 100 years were preceded by trade wars or electronic wars (I don't know what a financial war is, trade embargoes? - embargoes are not trade wars)? Perhaps my view is a bit US-centric (there have been many small wars in Africa that I don't know the history of), but I don't think that US conflict participation in Iraq, Yemen, Libya, Grenada, Vietnam, Korea, WWII, or WWI were preceded by those sorts of policies. To find a trade war that preceded a war I think you might have to go to the US fighting in Central America (banana wars), or maybe the civil war.

Meanwhile the US has engaged in trade wars with plenty of countries it hasn't fought with, dominantly Europe (via the banana trade wars, not to be confused with banana wars, e.g.), and Japan.


John Perkins has written extensively on this topic, as he has had a career conducting 2 and 3 for the US. His book Confessions of an Economic Hit Man is instructive.

https://www.amazon.com/New-Confessions-Economic-Hit-Man/dp/1...


Hobbes would say this is backwards, since the state of nature is a state of war.

"Peace" is built from war's stalemates. As the most violent (and therefore effective) means become ineffective, combatants shift towards less effective means, to the point that the war (which is still ongoing) continues through diplomacy and trade.

Hence, "war is diplomacy by other means."

Diplomacy and trade are means of gaining an advantage in the underlying (now "cold") warfare. They're maneuvers to defeat the existing stalemate. If either side is able to obtain an economic (or other advantage) sufficient to defeat their opponent in a more violent form of warfare, then they will return to violence because that is the basal state of nature.

The worst thing you could ever have in trade / diplomacy is a good working relationship that isn't balanced and equal. A trade failure is itself a stalemate which can strengthen peace, so long as it occurs before too great of an advantage is gained by any group.


Can you cite examples of when it went from 3 to 4?


(not grandposter)

As the grandparent said - steps can be skipped. Since 3 is a relatively new medium for offensive actions, I suspect there are not a lot of well-known examples around. Would be interesting to see if any currently active conflicts were preceded by DoS (not necessarily Distributed, could be just a "cable cut" from outside), and how long before it escalated to active conflict.


Perhaps 3 could be rephrased as "industrial sabotage"


Pretty sure that this is only recent at most


Except for the great electronic war of 1315


What's wild is how at times the GFW will be abused to profit the operators of the GFW itself. Redirecting people to sites owned by friends to drive traffic/sales, etc. Due to the nature of the GFW, there isn't a lot of auditing or transparency there. Only the Chinese carriers can generally engage them and it usually involves a visit to a specific building in Beijing (no foreigners allowed).


The question is, you know I'm using it. Besides some words, what the heck are you going to do?


Why should they care, what's anyone going to do about it?


For one, we should all be making sure our websites use https all the time. If all you have is a personal website serving up mostly static content then it might not seem like you need to bother with a certificate but things like the Great Cannon are a great argument that you do. It's not unlike a public health argument for why everybody should be vaccinated.


HTTPS will help your users not get infected by code that a 3rd party injected on your site. But it will probably not help against the cannon, because the Chinese probably have some China-controlled certificate installed.


>But it will probably not help against the cannon, because the Chinese probably have some China-controlled certificate installed.

The whole point of the cannon is that you can leverage the bandwidth of other countries. The CCP already controls the telecoms in China. They don't need to hijack Chinese computers for DDoS attacks when they can directly DDoS from their ISP's backbone.


They've done it before, with GitHub:

https://news.ycombinator.com/item?id=5124784


[flagged]


People care, however policy changes don’t happen overnight.

https://forward.com/opinion/424071/jews-are-speaking-out-aga...


It's not that nobody cares, it's that nobody can do anything about it.


Of course they could do something about it, they just don't want to because it would be economically painful. Unified trade sanctions against China would likely have effects pretty quickly, but would impact economies significantly more than the Trump-imposed tariffs that everyone is already freaking out over.


[flagged]


I don't think that last line is helpful. If you believe that the Chinese government is akin to the Nazi party, better to make the argument explicitly than to use a term like "Chinazis", which could be interpreted as overly broad and highly insulting in the best case.


The real question is if anyone would've even cared about the atrocities of Nazi Germany if it wasn't in their national interest to go to war.

The reason England and France got into the war is because of Germany's expansionist policies and not because of moral reasons at the time.


This. The Final Solution and the extermination camps only happened in 1942, after every major player had already entered the war. Eugenics was reasonably popular at the time, so that wasn't a reason to go to war either, and while the concentration camps were immoral, at the start of the war they were comparatively humane and not much out of line with what was deemed acceptable at the time (US internment of Japanese, Russian labor camps and the current ICE camps come to mind). The conditions drastically worsened as the camps filled up, but by that time Europe was already at war.

What Hitler did was terrible, but that's not the reason we had a war. "Germany (or Japan) might invade us next" is what was really in everyone's mind.


[flagged]


Hitler didn't start exterminating Jews until after Pearl Harbor: https://en.wikipedia.org/wiki/The_Holocaust#Final_Solution

That's 2+ years after the start of WW2.


Kristallnacht was in 1938


The "Final Solution" wasn't started at first.

As WW2 progressed the Nazis attempted to ship the Jews elsewhere. Sadly countries refused to accept these refugees.

Nazis then started to pile up Jews into Ghettos. Note that these Ghettos are almost identical to the Uyghur's current situation.

As the Ghettos started to fill up, the Nazis needed a plan on what to do as the ghettos started to reach capacity. Their decision is known as the "Final Solution" or death camps.

https://en.wikipedia.org/wiki/Évian_Conference

https://en.wikipedia.org/wiki/Kristallnacht

https://en.wikipedia.org/wiki/Nazi_ghettos

https://en.wikipedia.org/wiki/Final_Solution


Hitler didn't start murdering Jews in mass until after he invaded countries.


Although the Soviets certainly were mass murderers before WW2 and British and USA still sided with them.

Hitler was elected under the pretense that he represented socialism that was friendlier to the middle class and workers. This way people could get their socialist improvements to the economy (which was shit due to a bad world-wide economy and war reparations) while still having defense against the sort of upheaval and murderous destruction that the Reds represented.

The take-home lesson of WW2 shouldn't be that 'The other side was evil and we won'. Because the entire Eastern half of Europe and most of Asia was submitted to governments that were incredibly evil due to the Soviet victory.

WW2's lessons are meaningless without WW1. They really are effectively the same war. The treaty of Versailles and the humiliation of the German civilian government are directly responsible for the rise to power of Fascism in Germany.

The take-home lesson of the 20th century wars is that massive murder and atrocities are only possible because people obey their governments. That 'The people' cannot discern true evil running the state until it's far too late.

Because evil doesn't show up saying "Elect me because I want to gas the Jews". They gain power by promising what you want. By telling you what you want to hear. And once they gain power, it is the average person's willingness to obey authority and carry out orders that turns shoe makers, engineers, and doctors into mass murderers.

Which is the sort of thing that is happening in many parts of China.

Always remember that in Vichy France when they rounded up the Jews for the holocaust it wasn't the German troops that went around arresting them. It was the French police that rounded up people to be put on those trains. It was under the orders of the French politicians. This problem of obeying governments is not something that is limited by national borders.



en masse

adverb

_in a mass_; all together; as a group:


But wait, we'd get millions sending their hopes and prayers and everyone in power coming on broadcast news TV to talk about how awful the Chinese genocide is.

I can tell because that's how it already went down with the Tibetans and Uyghurs. Because the CCP has already committed multiple genocides, including their planned mass famines in 1960 that killed tens of millions of their own citizens.


[flagged]


The downvotes might be from the fact that the Nazi concentration camps only turned into extermination camps in the very last years of their rule, so the danger of extermination camps might be at least partially inherent in the concentration camps?


So what if China isn't running death camps per se? The problem is that it's running something of the magnitude of Nazi Germany and getting away with it. No sane government would go 100% Nazi overnight, but if they see that being 50% Nazi is OK, then they might raise it to 75% etc. It's a game like all authoritarian politics. They're probing ground, and many other authoritarians around the world are looking at the result. This is why it's important that China gets called out for its atrocities, and called out hard.


That is quite a big "per se" there. My point is there is a huge distinction between concentration camps and death camps. The Nazis progressed from one to the other, but that is not a guarantee (this is where that US reference might come into play). There is a large difference between "let's segregate these people" and "let's kill all of them" and we shouldn't blur the lines between either the Nazis' decision to make that leap or China's decision to as of yet not.

I wouldn't have felt the need to make my comment if the original comment was modified with "early Holocaust" rather than equating it to the entire thing, which inherently includes and is often more synonymous with the death camps.

Also what China is doing is not in the magnitude of the Nazis.

I am not saying any of this to defend China. I just want these things clear because this is the type of rhetoric that is often used by Holocaust deniers.


Correct me if I'm wrong, but these aren't segregation centers. There's a big difference between "let's segregate these people" and "let's re-educate these people." China seems to be well into the re-education process and while they may not have trains headed to death camps, I think it's more accurate to say that they are closer to those death camps than they are to Jim Crow laws, having already surpassed cases like re-education boarding schools [1] which AFAIK are considered genocide by international law.

[1] https://en.wikipedia.org/wiki/American_Indian_boarding_schoo...


[flagged]


Some food for thought: In Tibet, people regularly self-immolate to show the world how desperate the situation of Tibetans is. Imagine in what circumstances you would need to live to see people around you self-immolate. It's not just one person, nor just a dozen.


I'm not defending China at all, they have tons of shitty policies. I'm just saying it is nothing like the Holocaust and it is pretty absurd when people make those kinds of comparisons. It reminds me of just before the Iraq invasion when the propaganda was at its highest (Freedom fries and Dixie Chicks).

If I again compare with the US as an example, even if people don't like that: you have had many hundreds if not thousands of suicide bombers who have stated that they sacrifice their life to strike against targets because of US imperialistic ways. Imagine the circumstances that lead to that.


The problem is you have two types of people, you have the guy that sees his kid get blown up and is like F'it I am going to detonate myself. I get it, I could be that guy under the right circumstances. The problem is the world is just as full of people ready and willing to exploit that guy and that is what happens. The situation is a lot more complicated than the American imperialist kills babies meme. The problem is though when you go after the other guys, who need going after, some good people get killed and it creates a newly exploitable class based on that anger and resentment.

The guy who just wants to be left alone is constantly pushed into a corner by the guy that wants to control and manipulate people and those are the two types of people in the world. The American revolution was filled with guys that just wanted to be left alone. Congress is now filled with guys that want to control and manipulate. They are naturally attracted to power. It will take them pushing the US citizen who wants to be left alone (AKA the silent majority) into the corner before anything changes.


The thing is when you write:

>The problem is you have two types of people, you have the guy that sees his kid get blown up and is like F'it I am going to detonate myself. I get it, I could be that guy under the right circumstances. The problem is the world is just as full of people ready and willing to exploit that guy and that is what happens. The situation is a lot more complicated than the American imperialist kills babies meme. The problem is though when you go after the other guys, who need going after, some good people get killed and it creates a newly exploitable class based on that anger and resentment.

That is also the exact motivation that China uses for its re-education camps. It is because of terrorism that they need to go after.


> I'm just saying it is nothing like the holocaust and it is pretty absurd when people do those kind of comparisons.

It's clearly not exactly the same as the Holocaust. But it's disingenuous to say it's nothing like the Holocaust either, because there are a lot of similarities.


Do you think they are more similar to the Holocaust than the US internment camps?


I think they're closer to Nazi internment camps (which rather quickly transitioned to death camps) than the various US internment camps, yes.

Are they death camps yet? Well, perhaps not. But there is nonetheless a hell of a lot of dehumanization. There are reports of forced abortions, rapes, medical experiments, and other tortures.

To be clear, the US internment of the Japanese is a horrendous stain, but it clearly is far less evil than these camps.


[flagged]


If you can’t distinguish between the Vietnamese War and the Axis Concentration Camps on a scale of atrocity, I’m doubtful there’s any intellectual exercise that’s going to clarify that for you.


Absolutely, there's no intellectual process to get there. [0] Rather it requires a lifelong immersion in "news" media committed to minimizing USA war crimes, coupled with an aggressively jingoistic ignorance of history.

[0] that is, one brutally murdered innocent child of innocent parents is not really different than some other brutally murdered innocent child of innocent parents.


I'm not comparing the Vietnam war to the Holocaust.

I'm comparing our oil grab under various guises, vs China's attempts at unification.

When both are causing murder, why is oil better than submission?


Calling the interning of over 1 million people an attempt at unification is blatant astroturfing and is wildly and viciously wrong.


I believe OP's reference to the Uighurs was to their placement in concentration camps. Calling that an “attempt at unification” is generous at best.


I didn't see this as a problem solved by war, honestly.

We need to wean ourselves off a dependency on China for cheap goods. We need to decide that we value human life over a cheap phone.

China gets away with what it does because it feeds our need for shiny new trinkets. Frankly, it's disgusting. The world could stand up to China and say it doesn't want it as a trading partner. Maybe that wouldn't even help, but do we really want to be doing trade with a country that operates like China does?

Where are our values?


With all due respect - from a systems perspective, that's not a solution; it's a wish for a pony, no less so than complaining "where are China's values"? Solutions are required because people are selfish and shortsighted - merely pointing this out accomplishes little.

It's like saying that police aren't a solution to murder - what we really need is to stop killing each other.


The current president isn't wishing for a pony. He has aggressively, unilaterally changed USA trade policy with respect to China. One might suspect his goals in this exercise. Still, if he can do this in pursuit of his idea of "fairness", then some other president, perhaps with the cooperation of Congress, could have done similar with the idea of penalizing some of the more odious behavior of the Chinese state.

That hypothetical president who cared about e.g. Tibet or the Uighurs couldn't have expected any popular intellectual support for that effort, however, since our popular intellectuals act largely to feather their own nests with Panglossian tributes to how wonderful TPP could have been.


All kinds of bad things are happening in the world. This thread is discussing a bad thing being done by the Chinese government. That doesn't suggest that other bad things are any better or worse.

https://en.wikipedia.org/wiki/Whataboutism


It might not be. Does that mean we can't decry both?


[flagged]


Don't forget that the power behind the CCP's lies and violence is economic clout, both abroad and domestically.


Yes, absolutely. The economic clout gives them the confidence and means. That needs to be dealt with. Declaw!


Like how the world dealt with the US after Snowden's reveals?


I’m a U.S. citizen and I’m “dealing with the US” in my own way. But such a thing takes time. You don’t upset an entire economic regime in a year or even a decade. It takes the utmost patience, to the point of organizing for outcomes you may not even see in your lifetime.

One shouldn’t mistake a seeming return to the status quo as proof that the status quo is just as strong.


How do you "deal" with another country developing economically?


Bullets have been obsolete for decades. Wars are currently fought by selling shitty financial instruments en masse to your opponents while you sit and watch them implode from afar.


[flagged]


WW1 turned out to be far more deadly because the participants were stuck thinking of war in terms of old conflicts while technology advanced. I don’t see ground invasions working the same way against adversaries with nukes.


This should be mitigated by browser vendors by integrating HTTPSEverywhere as a core functionality of the browser that needs to be explicitly turned off (instead of the current state of affairs where we have a tiny minority on the web who are familiar with installing security add-ons). Visiting an HTTP site should come with a scary warning. I understand this throws old sites under the bus, but there could be other solutions here such as restricting 3rd party resources as a second layer of defense once the user clicks through the first warning to access the HTTP content.

And in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISPs to null-route Chinese businesses like Baidu.com as a form of sanction?


I recently (4 or 5 months ago) joined an online community of aircraft owners and pilots that is primarily focused around a single brand of aircraft (although it's not an official site of, property of, that brand nor is it endorsed by that brand).

When I signed up, they emailed me to welcome me to the site (they actually require manual authorization of users by an admin, which is... refreshing, but uncommon). The email ended by stating that if I lost my password, they could "recover it" and send it back to me.

I raised a thread about it in one of their off-topic sections, and got harassed - "How secure do you need your browsing to be?" (And hey, I mean, I was asking them to do more work)

But it stands out that most of the public doesn't know, and doesn't care to know. Even a site that's populated by people with net worths and/or incomes that average in the six-to-seven figure range, that they probably signed up for with the same email address and password that they use for their bank and brokerage accounts.

HTTP should come with a warning. Furthermore, it would be fan-fucking-tastic if there was some generalizable way to (automatically) audit a website's security practice. Like, a crawler that just runs standard OWASP-style attack-vector checks, and sends an email to the site's owners when one succeeds. And then put that data into a database and warn users (with a browser plugin) when they are creating credentials for sites with bad security.


I'll top that. I used TABCPermit.com to get licensed to serve alcohol in Texas. Their signup form says "no special characters in password". I used one anyway, putting in "password$1" for example. It accepted it, and I worked on the test.

Next day, I can't login. I use the "forgot password" link. They send me an email, and it has my password in it! Bad, right?

That isn't all. My password, they said, was "password1". They silently stripped out the special character.

I just about flipped a table at how security-shallow people who build websites can be.


Are you sure your password has a $ in it? What makes you think that they don't strip the $ when you set and enter your password?

If it seemed like they were doing a hash then compare, I would wonder if they are using the legacy unix crypt that truncates passwords at 8 characters.


I know when I registered and typed twice that my password had "$" in it. And they mailed me back my password without it. Finally, it wasn't just a truncate because there were characters after the position where "$" should be.

And if they did strip it out, that is bad. That's the point.


There's Plain Text Offenders which covers part of that: https://plaintextoffenders.com/tools


I'd recommend using an OpenID Connect provider to authenticate if you're concerned about their practices, but it's just as easy to improperly implement auth even with mainstream libraries to help you connect something like Auth0 to your app.

e.g. Don't assume the email address is owned by the person making the claim. You can sign up for an account with an email and if it's not verified or the verification is mis-clicked or phished into being clicked the original account owner would never know the difference.

Still, at least with OpenID Connect you know your password isn't sitting in plain text.


Are there any sites that accept OpenID but that you still suspect of poor password/auth practices?


"How secure do you need your browsing to be?"

Perhaps explain to them that many people (unwisely) reuse passwords for many sites... possibly including their banking.


To which they respond, in essence, “their fault”


That response is pretty typical from the GA community.


What is "GA"?


General Aviation; the same people that lobby to keep using leaded fuels.


That's a bit too harsh. The GA people are lobbying to continue to be able to fly their aircraft. The FAA has been sitting on the problem of non-leaded avgas for something like 30 years now. The GA people don't like being exposed to lead any more than anyone else.


Yes, harsh on people literally choosing to spray a neurotoxic heavy metal compound over populated areas for their fun. Their advocacy is the roadblock to the adoption of safer fuels.


It doesn't actually accumulate in any particular area. There was a study done at an airport that showed no particular accumulation at the airport. Leaded gas ends up poisoning the whole world a bit.

This "dilution is the solution to pollution" argument is the excuse the FAA uses for forcing everyone to use leaded avgas. This should be more of a scandal. The FAA is basically helping maintain a harmful oil company monopoly at the expense of the world.

This is not just about recreational aircraft. For example, 45% of the Canadian commercial fleet is piston engine based. Incidentally, Canada was involved in a test program with the FAA for leaded fuel replacements. The FAA recently dropped out of that program.


I think we'd all rather burn cheaper / more prevalent gas than a leaded fuel that is the output of specialty refining. We're not allowed to by regulation, though, and furthermore present solutions would also endanger safety in a big slice of aircraft. The fleet of general aviation aircraft is really old, after all.


General aviation.


> This should be mitigated by browser vendors by integrating HTTPSEverywhere as a core functionality of the browser that needs to be explicitly turned off (instead of the current state of affairs where we have a tiny minority on the web who are familiar with installing security add-ons).

We're talking about China, so that's probably not going to work: Chinese users are using Chinese browsers [1] to access Chinese websites. I don't think Chinese browser-makers and website operators are going to take action against their government like that.

[1] https://www.fastcompany.com/3058432/the-top-3-web-browsers-i...


That's fine. If the Chinese government wants to commandeer their own citizens' resources to DDoS other people, that's on them. They could very well also direct their state controlled ISPs to do the same. Doing either would obviously be attributed to them and would be cause for them to be de-peered - solving the problem.


Sure, but that would still limit the attack to only come from within CN (and possibly users outside with a CN browser) and not from every potential user who has Safari/Mozilla/Chrome.

It would mitigate attacks from inside China against outside entities, which for somebody not based in China is all I want.


The concern here is people using Chinese websites abroad. The Great Cannon rewrites javascript for a subset of remote users visiting Chinese sites, causing the users' browsers to participate in a DDoS against a target.


For anyone interested, Brian Krebs did an excellent article[1] on The Great Cannon after the Citizen Lab incident.

> [Nicholas] Weaver said the attacks from the Great Cannon don’t succeed when people are browsing Chinese sites with a Web address that begins with "https://", meaning that regular Internet users can limit their exposure to these attacks by insisting that all Internet communications are routed over "https" versus unencrypted "http://" connections in their browsers. A number of third-party browser plug-ins — such as https-everywhere — can help people accomplish this goal.

> But Bill Marczak, a research fellow with Citizen Lab, said relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.

[1] https://krebsonsecurity.com/2015/04/dont-be-fodder-for-china...


I posted a top-level comment[1], but basically HTTPS-only, aside from throwing old sites under the bus, would not have helped.

[1] https://news.ycombinator.com/item?id=21726617

> And in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISPs to null-route Chinese businesses like Baidu.com as a form of sanction?

Probably something like this, but I'm afraid of where that would lead.


I think China's government requires websites to give them their private keys. HTTPS is useless then.


And what do you think happens to sites caught serving malware? They get put on safebrowsing blacklists. That problem solves itself.


If the Chinese government wants to man in the middle traffic to foreign sites they can just force PC vendors to install a CCP controlled CA root on systems and make it illegal and/or very difficult to remove it. Shit, they can require vendors include a hardware backdoor, especially since so much of that hardware is produced domestically.

Then they can view the traffic even going to and from foreign sites who would not comply with an order to share private keys and no safe browsing blacklist (like that would be accessible from inside the regime anyway) will help you.


>If the Chinese government wants to man in the middle traffic to foreign sites they can just force PC vendors to install a CCP controlled CA root on systems and make it illegal and/or very difficult to remove it.

Addressed here: https://news.ycombinator.com/item?id=21721843

>Shit, they can require vendors include a hardware backdoor, especially since so much of that hardware is produced domestically.

If they're only doing it for local computers, the consequences/response is the same as the previous paragraph.

If they're doing it for foreign computers on the mass scale required for a DDoS attack, it will, if discovered, torpedo their entire electronics sector. All the "ban huawei" politicians will have a field day with that.


The Chinese government can do this for systems sold within China. They don't have the authority to do it for computers globally.

If I'm understanding other comments correctly, browser vendors installing HTTPSEverywhere cuts down the potential for this Great Cannon attack from 7.7 billion users to 1.4 billion. An 80% reduction seems significant.


I was under the impression that the other commenters were referring to HTTPS as a solution for those in China to protect themselves from their own government. Perhaps I was wrong.


No. It's to protect users outside China visiting Chinese sites from being coopted to participate in DDoS.


Not with (perfect) forward secrecy:

> In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys.

* https://en.wikipedia.org/wiki/Forward_secrecy

There's still the risk of MITM identity spoofing of course.


Forward secrecy only helps you if the server private key is compromised in the future. If it's compromised already, and an active attacker can modify traffic between you and the server, forward secrecy doesn't help.

Ultimately, if an attacker has all your keys and controls all your traffic, there's nothing left that distinguishes the attacker from you. No security is possible in that scenario.


I fail to see how this attack has anything to do with http? The scripts can be served over https no problem, it’s the host that is compromised. Maybe you’re thinking of sub-resource integrity attributes?


It's injecting the malicious script into the source of http pages. With httpS, this is not possible unless you also change the root certificate of the computer.


From the article :

"Mitigations

These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

http://push.zhanzhang.baidu.com/push.js; or http://js.passport.qihucdn.com/11.0.1.js

You may want to consider blocking these URLs when not sent over HTTPS."
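One way to act on that advice locally, as an added example that is not code from the AT&T write-up or from anyone in this thread: audit a browser HAR export for script resources fetched over plaintext HTTP, flagging the two hostnames the mitigation names. The HAR entries and the example.net hosts are constructed sample data; only the two watch-listed hostnames come from the write-up.

```python
"""Audit a browser HAR export for script resources fetched over plaintext HTTP.
Added example, not code from the AT&T write-up or from anyone in this thread.
The two hostnames are the ones the quoted mitigation names; everything else
(the HAR entries, the example.net hosts) is constructed sample data."""
from __future__ import annotations

import json
import sys
from urllib.parse import urlsplit

# Script hosts named in the write-up's mitigation section.
WATCHLIST = {"push.zhanzhang.baidu.com", "js.passport.qihucdn.com"}

SCRIPT_MIME_TYPES = {"application/javascript", "text/javascript",
                     "application/x-javascript"}


def is_script(entry: dict) -> bool:
    """True when the response MIME type (with parameters such as charset
    stripped) marks the entry as JavaScript."""
    mime = entry.get("response", {}).get("content", {}).get("mimeType", "")
    return mime.split(";", 1)[0].strip().lower() in SCRIPT_MIME_TYPES


def audit_har(har: dict) -> list[dict]:
    """Return one finding per JavaScript entry fetched with the http: scheme.

    HTTPS scripts are never reported: an injector on the network path cannot
    rewrite them without a certificate the browser trusts.  Watch-listed hosts
    are flagged so the exact resources from the write-up stand out among other
    plaintext scripts, which are just as rewritable."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not is_script(entry):
            continue
        host = (parts.hostname or "").lower()
        findings.append({
            "page": entry.get("pageref", ""),
            "url": url,
            "host": host,
            "watchlisted": host in WATCHLIST,
        })
    return findings


def _entry(url: str, mime: str, page: str = "page_1") -> dict:
    """Build a minimal HAR entry (constructed data, helper for the sample)."""
    return {"pageref": page, "request": {"url": url},
            "response": {"content": {"mimeType": mime}}}


# Constructed sample capture: one watch-listed script over HTTP, the other
# watch-listed script over HTTPS, a third-party script over HTTP, and an image.
SAMPLE_HAR = {"log": {"entries": [
    _entry("http://push.zhanzhang.baidu.com/push.js", "application/javascript"),
    _entry("https://js.passport.qihucdn.com/11.0.1.js", "text/javascript"),
    _entry("http://cdn.example.net/widget.js", "text/javascript; charset=utf-8"),
    _entry("http://static.example.net/logo.png", "image/png"),
]}}


if __name__ == "__main__":
    # Usage: python audit_har.py capture.har   (falls back to the sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            capture = json.load(fh)
    else:
        capture = SAMPLE_HAR
    for f in audit_har(capture):
        tag = "WATCHLIST" if f["watchlisted"] else "plaintext"
        print(f"{tag:9} {f['page']:8} {f['url']}")
```

Export the HAR from the browser's network panel after loading the page in question; every line the script prints is a resource a network-path injector could rewrite.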


The cannon is injected into HTTP resources.


In most javascript sandboxes if you request a domain from a site you are restricted by the same content policy. This makes it harder to do things like make requests to sites that don't use https when you're on one that does use it.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...


I don't quite understand the mechanism after reading the article. Is the attacker (presumably the PRC) MITM'ing these CDN resources at the infrastructure level? If they had exploits in place within these CDNs (presumably within the PRC's capabilities) HTTPS wouldn't help, no?


More than likely they placed a phone call to Baidu and told them exactly what to do. I doubt it's a technological MITM probably just a social one. A totalitarian state can do that.


that's why probably null routing at ISP level is more likely. the time it takes to adapt to new defenses is much less than what it takes to come to an agreement in cabforum. When things escalate nobody will push vendors to agree on new security features when a blunt instrument like legislation is cheaper. If things escalate they'll just sinkhole all traffic going in and out of China.


The article says only HTTP traffic is affected. If they subverted Baidu at the server side, HTTPS traffic would likely be affected equally.


I understood it so that if things escalate what would stop them from simply serving malware from Baidu. If CN sees these actors as an attack on their freedom and autonomy to shape internal policy then they could easily justify this (at least to themselves).


just for good measure:

  sudo echo -e "\n\n# Null route the Great Cannon:\n0.0.0.0 baidu.com\n0.0.0.0 qihucdn.com\n" | tee /etc/hosts
... but I know I'm only fooling myself.


(I strongly recommend tee -a :) as well as putting the sudo before the tee).


Notable reason (for those unfamiliar) is that tee will overwrite the file unless given the -a argument which will append the input to the end of the file.
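An idempotent version of the hosts-file null route above, as an added example (not the commenter's command). It addresses the two problems the replies point out by reading the existing file, appending only the entries that are missing, and doing the privileged write in one step with a backup; it uses the two exact hostnames from the write-up because a hosts entry for baidu.com does not cover push.zhanzhang.baidu.com. The marker comment, the .bak path and the default /etc/hosts target are assumptions.

```python
"""Idempotently add null-route entries to a hosts file.
Added example, not the commenter's command.  Unlike `tee` without -a, this
keeps the existing file content; unlike `sudo echo ... | tee`, the privilege
is needed only where the file is written.  Marker text and .bak path are
assumptions; the hostnames are the two named in the AT&T write-up."""
from __future__ import annotations

import os
import shutil
import sys

MARKER = "# Null route the Great Cannon:"          # assumed marker comment
NULL_ROUTED = ["push.zhanzhang.baidu.com", "js.passport.qihucdn.com"]


def mapped_hostnames(hosts_text: str) -> set[str]:
    """Hostnames that already have an entry, comments and blank lines ignored.
    The first field of a hosts line is the address; the rest are names."""
    names: set[str] = set()
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        names.update(name.lower() for name in body.split()[1:])
    return names


def merge_null_routes(hosts_text: str, hostnames: list[str]) -> str:
    """Return hosts_text with a 0.0.0.0 entry for each hostname not already
    mapped.  Existing content is preserved verbatim and the marker is written
    once, so applying the function twice is a no-op."""
    already = mapped_hostnames(hosts_text)
    missing = [h for h in hostnames if h.lower() not in already]
    if not missing:
        return hosts_text
    out = hosts_text
    if out and not out.endswith("\n"):
        out += "\n"
    if MARKER not in out:
        out += f"\n{MARKER}\n"
    out += "".join(f"0.0.0.0 {h}\n" for h in missing)
    return out


def update_hosts_file(path: str, hostnames: list[str]) -> bool:
    """Apply merge_null_routes to the file in place; True if it changed.
    A .bak copy is kept and the new content is renamed over the original so a
    failed write cannot leave a truncated hosts file."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = merge_null_routes(before, hostnames)
    if after == before:
        return False
    shutil.copyfile(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(after)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    # Usage: sudo python3 null_route.py [/path/to/hosts]
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    print("updated" if update_hosts_file(target, NULL_ROUTED) else "no change")
```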


:)

thanks (I admit didn't test it because I use `python3 ./updateHostsFile.py` to take care of /etc/hosts)


>And in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISPs to null-route Chinese businesses like Baidu.com as a form of sanction?

A slightly less broad measure that's just as effective would be to block unencrypted http traffic from entering China. Want to get unblocked? Get letsencrypt.

An even better (but slightly greyhat) route would be to inject HSTS headers with the maximum expiry date. This will cause any visitor's browser to get "infected" with an unskippable warning, forcing them to upgrade no matter what.


> Visiting a HTTP site should come with a scary warning

Browsers are already moving to explicitly label HTTP sites as "not secure"


surprised the relevant powerful/time tested and highly technical participants at whichever appropriate layer of networking aren't just forcing https only. #studentquestion


I didn’t see this anywhere in the article (maybe I missed it), but because this utilizes the Great Firewall, it’s undoubtedly done by the Chinese government, right?


The first paragraph of the article mentions

> operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable:


So basically browser vendors need to add all Chinese hosting sites to their safebrowsing blacklist?


It’s coming from a Baidu domain which is one of the biggest sites in the world. That might be a bit difficult...


If you're negligent in securing your site and it gets infected, your site should be blocked. You shouldn't be able to say "well it's technically not us, it's the CCP!" whilst not doing anything about it. As for Baidu being a major site, that can be resolved by browser vendors displaying a special page explaining the situation to its users.


Isn't this the firewall itself rewriting request responses that happen to be from http://baidu.com? How is Baidu infected in this case, and what can they do to prevent this on their side aside from strict HTTPS upgrades?


Strict HTTPS upgrades are probably warranted. Getting into the https preload list is easy (if your infrastructure is ready) and effective.

HTTPS has real costs, but if you're distributing javascript at high volumes you should pay them.

(Handling the ddos is harder when the target is https though... Can't know what the handshake is about until you've spent the cpu on handshaking)


There’s no proof it was Baidu though ...


edited my reply between you posting the comment.


Yes, and I would imagine that could only be done inside of the Great Firewall, which I’m pretty sure is operated by the Chinese Government?


So, what happens if the endpoints start returning data that triggers the GF?


That's the implication but as with most cyber attacks it's impossible to really prove the source.


This is one of the cyber attacks where the source is proven.


We all know who the attacker is here, but it's not literally "proven" to the standard of evidence that would be required in a US court. The attacker still has plausible deniability.


I know that this website is very USA-centric but I really fail to see what US courts have to do with the subject at hand. The question is more "as far as the international community is concerned, is there any reasonable technical doubt that the Chinese authorities are behind this?"

This is important for public discourse at least, because if it's technically undeniable that Chinese authorities are behind this attack then you can immediately assume than anybody saying that China has nothing to do with it is either acting in bad faith or is largely uninformed.

As we've seen multiple times in the past the existence or non-existence of conclusive proof is largely irrelevant when it comes to international policy anyway so the opinion of US courts is frankly besides the point.


“Someone else who has the ability to MITM millions of users in China did it” doesn’t sound particularly plausible to me.


No. "Behind the Great Firewall" is another way of saying "served from China". Perhaps -- or even most likely -- it is the government. But this is hardly a smoking gun. There are plenty of people on the mainland that hate what's going on in HK, and who are not the government.


This is not true, the traffic for the previous GitHub incident with the Great Cannon was co-located[0] with the Great Firewall (which is indisputably under the control of the Chinese government).

[0] https://citizenlab.ca/2015/04/chinas-great-cannon/


Colocated with the Great Firewall is an entirely different claim, and not one that ATT makes. Your citizenlab article provides a possible case for it, but that's a different discussion.

And even then, it could be some third party cache poisoning attack, etc. The citizenlab evidence would look exactly the same.

This is likely China, as I said, but let's not pretend that we know more than we do.


Why does it matter whether ATT made the claim?


Also the Great Firewall isn't one box admin'd by a single actor. It's a set of network firewalls managed by different network entities to fulfill legal obligations. It could be one of them acting alone.

Then there's the question of how separate the operating company is from the Party..


Acting alone? Yeah right. Do that in the PRC, and you'll probably be in a "reeducation camp" by the end of the week.


Interestingly, Xi was sent to a re-education camp in his youth and now he is the most powerful person in China.


Please. For it not to be the government would mean that there's an extra-governmental organization within the PRC with the resources and network access to conduct a massive DDoS attack, which the communist government would never allow.


> conduct a massive DDoS attack

That's not an accurate summary of what they're doing.

They're intermittently serving poisoned js in place of known analytics scripts.

Which changes the potential "who" a bit.


Either someone hacked the root Baidu servers, Baidu is involved, or the network requests are being manipulated by Chinese controlled entities.

There’s a high probability this is state run. There’s probably tons of offensive cyber teams in China and these are hitting sites like Greatfire.org which documents Chinese censorship (which was also why Github was hit if I’m not mistaken).

It’s not surprising that the organs of censorship would be used to target attempts to expose said censorship.


Absolutely. Or potentially some cert wonkery.

I haven't looked at this closely enough to know how the script's chaining works, or if China retains MitM capability across TLS.

Regardless, it's nice to be reasonably accurate when we're tossing around claims.


“Conduct” in this case could mean performing but most likely means directing.


> There are plenty of people on the mainland that hate what's going on in HK, and who are not the government.

AFAIK, those people are generally not capable of performing a MITM attack on traffic coming from sources inside China.


How would a non-government entity achieve this?


Pwn a couple of ad servers and serve the poisoned js. It doesn't seem like something that a dedicated malicious hacker group couldn't do.


Except that's not what's happening here, unless your claim is they compromised baidu and Qihoo 360 and both don't care to fix it.

baidu and Qihoo 360 are massive companies. Serving the stuff either means they are doing it deliberately (on behalf of the government), or an active MITM is doing it, which given the scale can only mean ISP and ergo (since this is China) government level. The active MITM seems plausible since a) only unencrypted http traffic gets injected (so far), and b) the Chinese government wouldn't want to put the onus on two of their most important internet companies alone.


Baidu could be doing it only to http traffic to make people think it's the government... But I can't imagine that they would want to seem as if they're putting words in the government's mouth.


This is a good counter example for whenever you find yourself in an argument with anti-adblocker folks.


But these folks still have no answer for how free websites they consume daily (e.g. news) are to be funded: they don't pay, and don't want to see ads either. Yet they still expect these websites to exist.

I use Firefox's built-in Enhanced Tracking Prevention, which some sites call "ad blocking", but in reality it is super easy to have ads that don't get blocked by it: just make them non-creepy.


I think the primary argument line is something along:

1. Online ads today are so bad they must be blocked

2. But blocking ads blocks revenue for sites we like

3. So we should pay for them more directly

4. But I'm not about to set up 100 different monthly subscriptions. These corporations are not trustworthy and I cannot monitor this many bills.

5. We need a solution to simplify money -> content -> creator transfer

6. There's been many attempts at that, but there's too many players who want the power and control that comes with wedging themselves in between consumers and creators.

7. So we're stuck.


Serve content related ads and don't track. I'd be fine with that.


Same. But I think that once you've screwed the pooch this bad, you can't just take a single step backwards and expect everyone to be fine with that. The trust is gone. You've got to reboot and rebrand somehow.


Don’t track. Serve ads in a designated space across all pages (sidebar). I personally would happily uninstall adblocker if those two things came true.


The problem is that the advertising companies wanted the offline marketing spend so much that they started selling the dream of tracking with specificity, which caused marketeers the world over to finally have an answer to the age old 'I don't know which half I spend wrong' question.


Advent of Code does a great job at this. Its ads are text-based, relevant, and unintrusive. Of course, it has a pretty particular aesthetic, but plenty of sites could do a simple (non-animated) image or text to surface their sponsor without being annoying.


Shameless plug: this is what we are trying to do at https://contextcue.com. Ads that are targeted to the website you’re on, instead of the person viewing the ad. We’d love any feedback about what we are trying to accomplish!


That's great! I wish you well.


Bill Hicks had an answer. Nobody seemed to want to do that though.


Could you illuminate those of us who are not in the know?


Sorry - I was referring to his "Are you in marketing or advertising? Kill yourself." routine.


Presumably this refers to Hicks's advocacy for an "unbiased genocide against the whole of humanity"...


I prefer Sweet Meteor 'O Death 2020


Most of these sites offered a completely ad-free version for many years, then switched to an advertising model after they'd cornered the market.

There's no ethical reason for us to "pay" these scummy actors, including Google, Facebook, Reddit and Twitter, after they destroyed all viable alternatives by giving away their products free and THEN adding advertising.

As you intimate, there's also nothing intrinsically necessary to the advertising model for it to be served by different domains, with 3rd party cookies and third party javascript. Nor is it necessary to have auto-play videos, popups, etc. Even someone fairly benign like the Guardian is now infested with up-sells and adverts if you look at it without an adblocker.

So the sites brought it on themselves.

You want to support their ads, go ahead, but don't ask us to come up with the alternative model. You have no moral high ground to preach to us from, all these sites used a bait and switch to get on top. Right now if I look at facebook every 2 or 3 stories are adverts, where 5 years ago it was far less, and for google a huge chunk of the top of the results page, up to three results worth, are adverts.

None of these are clearly marked imo, nor are they necessary, they're making billions in profit. They can do it because they monopolized the market.


> But these folks still have no answer for how free websites they consume daily (e.g. news) are to be funded, they don't pay, and don't want to see ads either.

It's not a question they need to answer, that's the problem of the companies that caused this mess.

> Yet they still expect these websites to exist.

Not really, they just use what exists, not what they expect to exist.


> But these folks still have no answer for how free websites they consume daily (e.g. news) are to be funded, they don't pay, and don't want to see ads either. Yet they still expect these websites to exist.

This folk has an answer: display ads the ol' fashioned way, with a pair of <a> and <img> tags.


Ad blockers still remove them. They have tried not to and the users intentionally moved to ad blockers that still did.

https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...


Yes, because Adblock Plus did it in the shadiest possible way imaginable. From the Wikipedia page:

> * In February 2013, an anonymous source accused Adblock Plus developer Wladimir Palant of offering to add his site's advertisements to the whitelist in return for one-third of the advertisement revenue.[68] In June 2013, blogger Sascha Pallenberg accused the developers of Adblock Plus of maintaining business connections to "strategic partners in the advertising industry", and called ABP a "mafia-like advertising network".[69] He alleged that Adblock Plus whitelisted all ads coming from "friendly" sites and subsidiaries, and promoted their product using fake reviews and pornography.[70] Faida responded to Pallenberg's accusations, stating that "a large part of the information concerning the collaboration with our partners is correct", but that the company did not see these industry connections as a conflict of interest.*

"We'll whitelist acceptable ads. Btw, acceptable means 'willing to pay us a kickback'".

The move on Adblock Plus did nothing to make me safer, so of course I ditched them for a more secure solution. Of course, it's Adblock Plus's goal and right to try to make a revenue, but I don't owe them the continued use of their product.

And I absolutely reject the premise that I owe every website that's willing to send a 200 OK response the right to run arbitrary javascript in my browser. If you don't want me 'mooching' your content, fine - put up a paywall.


Also, aside from the two HNers who claim they actually do, nobody is turning off their adblocker as they go to see if a given site has acceptable ads.


"Sir, I know the last seventeen hundred cups I've offered you were full of piss, but surely this time I'm being honest and genuine!"


Is there a blocklist that permits acceptable ads?


How big/relevant is the adblock user market segment?

Also, flattr and other micropayment sites could/would work. Just as patreon and other subscription methods.

After all paid-via-unskippable-ads is the inverse of consumed-without-payment. Both are the extremes of the spectrum and the majority of users probably would stop visiting/consuming if they were forced to look at the ads for a significant amount of time.

I mean TV channels probably spent hundreds of millions on trying to maximize ad time while keeping viewers. (And now YouTube too.)

But of course there will always be a segment that will be very bothered by ads. (Hence the success of Netflix.)


> Yet they still expect these websites to exist.

I for one certainly don't have that expectation. I understand sites have non-zero operating costs, and/or staffing and other expenses in order to create and serve interesting content.

If someone rolls out (without using the word blockchain or any derivative) a way of doing the web equivalent of .99 per track, no middlemen/Elsevier types, just 'pay the originating site for full permanent access to this page', I'll do that in a heartbeat.

I buy paper books and sit and enjoy them thoroughly... web content transparently priced with reasonable, honest rates get at least close to that style.


Richard Stallman: The Internet Sharing Licence (2012)

https://stallman.org/articles/internet-sharing-license.en.ht...

Phil Hunt (Pirate Party UK): A Broadband Tax for the UK (2009)

https://cabalamat.wordpress.com/2009/01/27/a-broadband-tax-f...

Myself: Universal Payment Syndication (2014)

https://old.reddit.com/r/dredmorbius/comments/1uotb3/a_modes...

Joseph Stiglitz: "Knowledge as a Global Public Good"

http://s1.downloadmienphi.net/file/downloadfile6/151/1384343... (PDF) (pp 308-325)


Don’t monetize your users’ data, monetize their use. When you log in with a paid account the ads should be gone.

If users don’t need an account to get the content and they still get ads with the paid account, what exactly are you offering in exchange for the payment?


The answers for that have been around for more than a decade. But rare are the people making the decisions that are willing to dump the current system...


The solution is to deliver safe ads from your own servers.

The solution we'll get stuck with is an embedded webassembly browser rendering to canvas.


On the contrary, people pay for Netflix. People also pay for the ad-free upgrade to Hulu. Speaking to text websites, people are also using Brave, though I don't know how that experiment will work out in the end.


When it is reasonably priced, people will pay for legal alternatives. If there was a Netflix for paid websites, which would provide subscriptions in a convenient way to all websites in bulk, people would pay for that. Current options are:

> Manage subscriptions of 10 plus websites manually

> Pay by your privacy

It is clear that both options suck, so people opt in to ad blockers instead. Legal options are just overpriced for the demand.


Ad blocking is not illegal.


I think we need a solution for websites that aren't as unanimously popular as Netflix and Hulu. It's no surprise to me that the biggest entertainment services online can attract a subscription. But it would be a damn shame if those are the only services that can make much money. Just more and more centralization of content.

People often respond to this with "well, hobbyists make plenty of content for free," but the thing is that we benefit when our favorite hobbyists can make money from the craft and produce more work for us to enjoy instead of waiting around for their charity.

Though the growth of Patreon is a good step in the right direction, culturally. It shows a growing willingness to indeed pay content producers directly with small recurring transactions.


I think Brave is on the right track, but I am skeptical the kind of users that are aggressively anti-ad are going to like seeing ads straight in their notifications.

I'd prefer to just pay Brave e.g. $10/month and have it give out that money to sites I visit.


Isn’t that what the brave browser is trying to solve?


Why? The Great Cannon is served from a proxy. It can inject whatever it wants. It doesn’t have to swap out ad tracker JS.


Or "Why should I care about security, I have nothing of value" folks.

You do have something of value: Bandwidth.


It always bothers me when I hear people say this. It's everyone's responsibility that their devices don't become part of a botnet or, worse, get used to take part in an attack against infrastructure that we're increasingly dependent upon, which either makes for an unpleasant time for people or threatens lives.


99.9% of devices are owned by someone who has absolutely zero technical ability to fulfill this responsibility. So I'd say the responsibility needs to be satisfied another way. Maybe it escalates to the ISP.

I mean, unless we start issuing Internet Licenses the way we do Driver's Licenses.

In the early 2000s my cable provider would outright shut off our Internet if my dumb brother or my dumb self got us all virused up.


I agree, most don't have the technical ability to administrate their devices although I'm not sure if that excuses basic competence. I like the idea that an ISP would disable the connection of a subscriber however that would depend on how they define malicious activity.


If ISPs were basic utilities it would probably be a fairly safe responsibility to give them. But no, they're media corporations, so they have an inherent drive to abuse that power.


What you’re describing as “basic competence”, which is removing viruses from a PC in this case, would exclude 99% of users.


A responsibility is meaningless if most people have no practical means to exercise that responsibility.


One step in the right direction is to drop the marketing bullshit of "unlimited internet" (which doesn't exist) and always meter it, but make it completely transparent.

If your smart toaster is saturating your bandwidth, it should show up as an expensive line-item on your bill. You should see that "SmartToast9000" used $80 of bandwidth, "baidu.com" used $17 because it used your bandwidth to ddos. And, of course, the tooling to catch these things before they escalate would likely become part of our computing devices.

Right now, everything is completely opaque to the end-user and we all suffer except for bad actors. It's a problem when we can't even estimate how much bandwidth we used in a month off the top of our head. Instead it should be informing our decisions from the IoTrash we buy to which websites we use.

Example: the internet was regularly awful at my girlfriend's house. We couldn't figure it out despite calling the ISP. On a suspicion, I helped my gf install a bandwidth monitor on her laptop. We found that a recipes website she often had open would get stuck in some sort of ad-loading retry loop due to her adblocker and would saturate her download bandwidth as long as she had it open.

It's completely ridiculous to me that there's no feedback built in to the browser when I think it should be a first-class UI component. I think transparent + metered bandwidth (at a fair price of course) would start the ball rolling on this kind of tooling. Until then, it's like everything acts like bandwidth is unlimited.


This is a tiring example of why the web and all its technologies thoroughly suck. It's a boiling toilet fueled by greed.


And yet here you are. I'm interested in how you would perceive something that might supersede the internet by being better (than a boiling toilet fueled by greed), ignoring network effects?


Everyone has to be somewhere. I would not be surprised to find someone, who feels like the modern internet as it exists is terrible, on hacker news. I believe the sentiment is more common here than say, the comments section on CNN.

I like the approach taken by the folks at the dat project and beaker browser. Let's make the web a DHT already. If we can force consumers to share what they consume then a DDOS becomes impractical for censoring speech (the speech spreads all over the network, making it counterproductive).


Something similar to the web in the late 90s / early 2000s?


Exactly what I'm thinking. Not everything is awful, but the insistence on turning the browser into a VM and loading random javascript is pure insanity. I'm not advocating for stone-age html and frames, but let's take a step back and realize that not every website has to be an interactive webpage some designer dreamed up. I want information, not entertainment or an experience. The experience is what I take away from the information, not the clown paint smeared all over it for show.


The Internet of the early 2000s was consumed by greed. What changes would you make to its replacement to prevent the exact same pattern from repeating?


This just seems like "web bad" naivety.

Popular native apps could execute the same exact attack, except this time you wouldn't be able to simply open a browser's developer console to debug it.


They'd have to arbitrarily download and execute code from the internet w/ out any proper checks in place; not sure Vim does that by default...


This is not a good counterexample: the attacker is only able to do this because the analytics scripts are being served over HTTP. If you include the analytics on your site over HTTPS this sort of attack is not relevant.


The Chinese government has the root certificates for every Chinese certificate authority. It can MITM traffic for any citizen, even over HTTPS.


What makes this attack powerful is not that sites within China can be shut down (the government can already do that) but that sites outside of China can be tricked into DDOSing other sites outside of China. Which is why this attack only works over HTTP.


Right, but the traffic coming from users in China is past the point that HTTPS would help. The requests are already in flight from people in China who've been served malicious JavaScript.


What I mean is that China can just force a CA to give the CPC its root certificate and then just intercept and edit any HTTPS responses to Chinese citizens and resign them as secure.


It would work just as well over HTTPS, they would just have to make a different phone call (to the site hosting the script rather than to the GFW).


I imagine China has quite a bit of infrastructure to push their own CA's onto devices in china, enough to do any MITM'ing they want.


For _this_ particular example, yes. But ad networks aren't magically immune from other types of attacks.


DDoS attacks against business competitors are common and rarely punished in China.

Injecting ads/affiliate or whatever js in webpages, stealing social media tokens to do follower boosting business and selling optic fiber traffic dump is also common for Chinese ISPs.


https://outline.com/8BBX3b due to obnoxious header and footer


I can't read the OP because I'm using Tor, if anyone else is having similar issues wayback has it cached:

https://web.archive.org/web/20191206074255/https://cybersecu...

Too often I cannot browse anonymously because people abuse Tor to aggressively scrape things. Don't do that!


Can/shouldn't the rest of the world create a Greater firewall to block the traffic from China?

Let China enjoy its solitude and we'll enjoy our openness.


Yeah, except we will effectively be cutting off _all_ outside information from the Chinese citizens, who already have to face incredible amounts of censorship.

Cut them off completely, and we will never find out about all the human rights violations taking place in their country, and their government will be able to brainwash its citizens even more easily.


I'm OK with that.

Today we're just finding out about them, not able to do anything, so that won't be much different from the status quo, but the benefits would be immense.


Their problem to solve, clearly they don’t care enough to do so.


> It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious Javascript code that we won’t discuss here.

If I get the attack scenario right, valid user IPs from behind the great firewall are driving traffic to the webservers, and so what are some examples of anti-DDoS mitigations that are effective in filtering out the adversarial traffic?


Probably whatever Cloudflare uses, like JavaScript challenges.
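
To make the "JavaScript challenge" answer concrete, here is an added example (not code from the AT&T article, LIHKG, or Cloudflare) of the idea in Python. A browser that actually renders the challenge page runs the script, solves a small hash puzzle and gets a clearance cookie bound to its IP; an image or fetch request fired by an injected script on some other site never executes that page, so it gets the cheap challenge page instead of the heavy resource. The secret, difficulty, IP addresses and the `gate` decision function are all constructed for this illustration.

```python
"""JavaScript-challenge gate (added example; not the article's or any vendor's code)."""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)      # constructed per-process key; rotate it in practice
DIFFICULTY_BITS = 12         # leading zero bits the client must find (about 4096 hashes)
CLEARANCE_TTL = 600          # seconds a solved challenge stays valid
SEP = "~"                    # separator that cannot appear in an IPv4/IPv6 address


def _sign(ts: str, client_ip: str) -> str:
    """HMAC over timestamp and client IP so tokens cannot be minted by the client."""
    return hmac.new(SECRET, f"{ts}{SEP}{client_ip}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_ip: str, now=None) -> str:
    """Token embedded in the challenge page; bound to the client's IP and a timestamp."""
    ts = str(int(time.time() if now is None else now))
    return SEP.join((ts, client_ip, _sign(ts, client_ip)))


def _meets_difficulty(token: str, nonce: int) -> bool:
    """True when sha256(token:nonce) starts with DIFFICULTY_BITS zero bits."""
    digest = hashlib.sha256(f"{token}:{nonce}".encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - DIFFICULTY_BITS) == 0


def solve_challenge(token: str) -> int:
    """What the challenge page's script does in the browser: brute-force a nonce."""
    nonce = 0
    while not _meets_difficulty(token, nonce):
        nonce += 1
    return nonce


def verify_clearance(cookie: str, client_ip: str, now=None) -> bool:
    """Validate the clearance cookie ('token:nonce') presented on later requests."""
    try:
        token, nonce_str = cookie.rsplit(":", 1)
        ts, ip, mac = token.split(SEP)
        nonce = int(nonce_str)
        issued = int(ts)
    except ValueError:
        return False
    if ip != client_ip:                              # cookie replayed from another address
        return False
    if not hmac.compare_digest(mac, _sign(ts, ip)):  # forged or tampered token
        return False
    current = time.time() if now is None else now
    if current - issued > CLEARANCE_TTL:             # stale clearance
        return False
    return _meets_difficulty(token, nonce)           # puzzle actually solved


def gate(client_ip: str, cookie, now=None) -> str:
    """Per-request decision: 'serve' the resource or send the 'challenge' page."""
    if cookie and verify_clearance(cookie, client_ip, now):
        return "serve"
    return "challenge"


if __name__ == "__main__":
    ip = "203.0.113.7"                       # constructed client address
    token = issue_challenge(ip)
    cookie = f"{token}:{solve_challenge(token)}"
    print(gate(ip, None), gate(ip, cookie))  # challenge serve
```

The clearance cookie should be set with SameSite=Lax (or Strict) so that cross-site subresource requests, which is exactly how an injected script on a third-party page loads the target's images, do not carry it even from a browser that cleared the challenge earlier.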


That page generates no response for me, https://archive.is/I1WO6 does.


Thanks. For others using CTRL+F to find this link, some keywords... [archive, site down, 404, error page, mirror]

Edit: better/cleaner version: https://outline.com/8BBX3b


Probably want to add the actual error code of 504 Gateway Timeout


I've wondered about this, in the years since.

Does anyone else have a sense of what (if any) pragmatic technical steps could effectively deter or neuter this tactic?

If the network can't demonstrate the ability to at least pump the brakes on this, it's hard to imagine other states or even the owners of large safe-monopoly ISPs won't get a little jealous of the tool.


Block all traffic from China?


Collateral damage aside, that doesn't really solve the issue. The attack goes something like this:

1. non-chinese user visits a chinese site

2. the traffic goes through the gfw, which inserts malicious javascript

3. the user executes the malicious javascript and starts ddosing the victim site

Blocking chinese users won't help, since non-chinese visitors will still ddos your site.


If China is cut off, then people can't download the malicious JS either. Granted, it sets a pretty bad precedent and would have massive economic consequences.


If you are a site aimed at people in Hong Kong (or elsewhere in China), that is not very helpful.


A Hong Kong protest forum becoming inaccessible to Chinese users is the entire objective of the DDoS in the first place.


Centralize behind Cloudflare like everyone else.


I had no idea this thing existed, but it's actually a smart and relatively straightforward thing for the PRC to do, shitty as it is...

I was especially impressed with their getting the target to retrieve, resize and transmit an image: that's a smart way to waste time...


It's bad that there are enough plain http connections for this to be possible.


Although Baidu does still default to HTTP, the Chinese government has the root certificates for every Chinese certificate authority. It can MITM traffic for anybody in China, even over HTTPS, so that wouldn't solve the problem.


Wow, really? Any source for this? That is like everyone can lock their house but the gov has the master key.


I suppose I probably overstated the situation a bit. The PRC National Intelligence Law ( http://cs.brown.edu/courses/csci1800/sources/2017_PRC_Nation... ) requires, "Any organization or citizen shall support, assist and cooperate with the state intelligence work...", and China was observed making its own certificates for foreign sites before this ( https://news.ycombinator.com/item?id=5124784 ), but there's no direct evidence that China actually has all the root certificates currently or has used them maliciously. Of course, the law requires citizens to preserve secrecy and Westerners can't observe what China is doing, so that wouldn't be unexpected.


Do browsers and OSes trust Chinese CAs?


Generally, yes. In 2015 CNNIC's new certs were removed from most browsers after they gave an Egyptian security company an Intermediate CA certificate for internal use that got leaked to the public. But that was for incompetence more than malice, and I think everyone's accepted them back now.

It is worth noting that there haven't been any observed cases of China abusing their CA certificates in the last few years, but it's hard for Westerners to monitor what is going on inside China.


> These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

Can someone explain how using HTTPS would mitigate this attack?


HTTPS makes a MiTM attack much harder, because you need to have a valid cert for the host you are spoofing.


Doesn't the Great Firewall mandate (or at least strongly suggest) that those Chinese-controlled root certs are installed for devices behind it?


If this were a root cert, OSes and browsers could ban that CA. If you want this to work with SSL, giving the Great Firewall a domain cert would be enough.


Https is not hackable “yet” so you can’t intercept the traffic in the middle. They intercepted http traffic and swapped the malicious js file in http traffic.


Can't China just issue its own certificates to make the browser see a secure connection to the target server when it talks to a Chinese firewall server instead. I mean they have access to valid root certificates, right?


The fact that you can see these malicious scripts being served directly from a Baidu domain is a good reminder that effectively all major Chinese tech companies are totally at the whim of the Chinese government.

It makes using any product / service from a Chinese based company basically never worth it just because of the security concerns.


How about interrupting BGP traffic from/to China by nearby western AS everytime the Cannon is used?


What would happen if we black hole all of china's IP range from all over the USA?

I suspect that a lot of businesses would flex muscle on both sides to get that to stop really quickly.

It would be a hard policy to implement on our side, but likely very effective. It's almost like we need someone in power smart enough to ASK telcos and carriers to DO such a thing.


Browsers should prompt user and require confirmation before sucking down resources repeatedly in this way. Especially since this is grabbing images/content that are then not going to be displayed.


I'm not experienced in DDOS mitigation techniques, but is it possible to redirect malicious traffic to the malicious JS-serving website?

Is this feasible/computationally worth it?


If baidu.com is distributing the script, why is baidu.com not being flagged as malware by the various mechanisms used to block this kind of nastiness?

Are the vendors just cowards?


baidu.com is not distributing the script. A proxy is taking advantage of insecure connections (http) to serve the malicious script instead of baidu's script.


It's 2019, what excuse does Baidu have to not support https for these scripts?


Baidu will serve the script over HTTPS (though firefox complained about a bad certificate), the issue is that it will also serve it over HTTP, and some 3rd party pages request the HTTP version.
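
Since the weak link described above is third-party pages that embed the HTTP version of the script, here is an added example (not code from the AT&T article, Baidu or anyone in this thread) that audits a page's HTML for subresources an on-path injector could swap out: scripts and stylesheets fetched over plain HTTP or via scheme-relative URLs, and cross-origin scripts without Subresource Integrity. The sample page and the hostnames analytics.example.net, cdn.example.org and victim.example are constructed.

```python
"""Audit HTML for subresources an on-path injector could replace (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SubresourceAuditor(HTMLParser):
    """Collects (finding, url) pairs for script and stylesheet references."""

    def __init__(self, page_origin: str):
        super().__init__()
        parsed = urlparse(page_origin)
        self.page_scheme = parsed.scheme
        self.page_host = parsed.hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self._check(a["src"], a, is_script=True)
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self._check(a["href"], a, is_script=False)

    def _check(self, url: str, attrs: dict, is_script: bool) -> None:
        u = urlparse(url)
        cross_origin = bool(u.hostname) and u.hostname != self.page_host
        if u.scheme == "http":
            self.findings.append(("insecure-scheme", url))
        elif not u.scheme and url.startswith("//") and self.page_scheme == "http":
            # scheme-relative URLs inherit the page's scheme, so this is plain HTTP
            self.findings.append(("insecure-scheme", url))
        elif not u.scheme and url.startswith("//"):
            self.findings.append(("scheme-relative", url))
        if is_script and cross_origin and not attrs.get("integrity"):
            # without SRI, a substituted script body is accepted by the browser
            self.findings.append(("no-sri", url))


def audit_html(html: str, page_origin: str) -> list:
    """Return [(finding, url), ...] for the given page served from page_origin."""
    auditor = _SubresourceAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; none of these hosts are real.
SAMPLE_PAGE = """<html><head>
<script src="http://analytics.example.net/track.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="https://cdn.example.org/ui.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<script src="/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for finding, url in audit_html(SAMPLE_PAGE, "https://victim.example"):
        print(f"{finding:16} {url}")
```

For a site that cannot edit every page, the Content-Security-Policy directive upgrade-insecure-requests makes browsers fetch such subresources over HTTPS; SRI on cross-origin scripts is what stops a substituted script from running even when the transport is compromised.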


No browser will load the script from within a <script> tag because of the bad certificate, serving the script with a bad certificate achieves nothing.


The whole point is that the pages being modified are served over HTTP, there's no certificate there, good or bad.


The whole point is that you couldn’t use the script over HTTPS even if you really wanted to.


Oh okay I see what you mean now, sorry for the misunderstanding.


As far as I can tell many CDNs will gladly serve their scripts over HTTP if requested: http://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.mi...

I don't know what the reasoning behind that is.


When visited over HTTP that CDN sets "Alt-Svc: h3-23=":443"; ma=86400", telling the browser that (encrypted) HTTP3/QUIC is available.

If you ever manage to load that CDN over HTTPS/QUIC it sets a HSTS header so all further pageloads will go over HTTPS.


IIRC there was a time when a browser (maybe IE 6?) would generate a mixed content warning when you would try to load https resources in a http served page.


Remember that all internet related companies that operate in China have mandatory stewardship from the CCP.

One reason may be that http makes it easier for surveillance or injection.


If you are pro-interrupt-private-transactions then you are in no hurry to push https on everyone.


None whatsoever.


Probably because the government asked them not to.


It's not a matter of excuses. Baidu, like almost all large Chinese companies, is effectively an arm of the Chinese Communist Party. They will do as they're told.


Which is exactly why Baidu should face the same consequences as other malware distributors. (i.e. safebrowsing block, dnsbl listings and so on)


Be careful what you wish for. Ironically the Chinese government would probably prefer it if Western companies and governments cut off a lot of Chinese traffic. It would give them political cover for their own blocking activities and allow them to plausibly claim that everyone is doing it.


The mainland China gov probably has a part to play in this. As someone said above, they anyway have access to https root certificates, so https is also not safe.


Am I the only one disappointed this wasn't about someone refurbishing the Dardanelles Gun?


What DDoS protection are they using? AT&T didn't say other than it was present.


I'd guess Cloudflare:

  $ nslookup -type=soa lihkg.com
  Server:  8.8.8.8
  Address: 8.8.8.8#53
  
  Non-authoritative answer:
  lihkg.com
   origin = kevin.ns.cloudflare.com
   mail addr = dns.cloudflare.com
   serial = 2032679273
   refresh = 10000
   retry = 2400
   expire = 604800
   minimum = 3600
  
  Authoritative answers can be found from:


I am still amazed by how genius of an idea this is to DDOS at large scale


The RPS isn't that great compared to some IoT botnets and this also gives the attacker rather limited control over the requests. It's a cool idea but I'm not really convinced that it's actually worth the trouble.

China has better tools, like XORDDoS.


and then the hacker news cannon took down att's site..


The Chinese government attacks websites which support a free Hong Kong.


Fuck the idea of the browser as interpreter for untrusted code.


"Across the Great Wall we can reach every corner in the world."


I see a lot of arguments for specific technical mitigations for the specific implementation of this attack. All these technical approaches are doomed to fail.

The attack uses network-level injection to add malware to HTTP requests for resources served from inside China. This malware then runs on hosts anywhere in the world and effectively DDoSes the targets. It is true that if these specific requests were made over HTTPS rather than HTTP, this particular attack would be mitigated.

Unfortunately the point that is being missed here is that if these resources had been served over HTTPS, this attack simply would have been implemented in a slightly different way. The suggested mitigations would work post facto. However, had they been in place prior to this attack, which is the alternative we have to consider, other means would have rendered them useless.

The fact is that any website hosted in China is directly accessible to the CCP for hosting these attack payloads. There is an ICP registration system and a chain of access to hosting environments that grants full network control and full access to any server to the authorities at any time they choose. Servers that are not part of this system are simply not allowed to host websites on the Chinese internet. Further, there is direct political control over every major internet company.

This is such a fundamentally different situation that it can be hard for American observers to understand what range of potential responses are meaningful.

The reality is that any network request that is served from China is fully within the political power of the CCP to alter. Whether this involves HTTP or HTTPS or whether implemented via the GFW or by direct changes to endpoints within internet companies is immaterial. Beyond the logistical costs of these actions within China, nothing of any consequence is changed by such minor technical mitigations.

What these attacks show is not just the capability but the willingness to use that capability in an offensive capacity against political targets.

The difference between the internet of independent sites in the US and the situation of near-total political control over resources on the network in China can hardly be overstated. This is why technical solutions that seem completely reasonable from an American perspective are pointless in reality. The threat model of the world's largest online population with all network resources under direct political control is simply too unfamiliar. If the political will exists to use those resources offensively, technical countermeasures will always be ineffective, unless they are so seemingly disproportionate that they become essentially political acts, like depeering.

Meaningful responses are those that affect the political willingness of the CCP to weaponize the internet. Weaponization will destroy the internet as we know it, and raising awareness before this kind of thing becomes routine may be the last chance we have to avoid it.

This is a political problem, and does not have a technical solution.


Silence is not consent.


i get a 500.


[flagged]


A foot in the door


The ability to communicate with hundreds of millions of people in China who have nothing to do with this?


Doesn’t seem worth it. Still have several billion living in countries that don’t actively damage the internet. Make do with communicating with them.


AliExpress and TikTok.


Interesting article, shame it happens to be on a site where undismissable hovering banners on the top and bottom of the screen gobble up 30% of real estate.



