The GitHub attack and internet self-defense

In an earlier post I talked about how the Chinese government has used its "Great Firewall" censorship machinery on an expanded list of targets—from its own citizens to ordinary Americans who happen to visit internet sites in China. By intercepting the ad and analytics scripts that Americans downloaded from Chinese sites, the Chinese government was able to infect the Americans' machines with malware. Then the government used that malware to create a "Great Cannon" that aimed a massive number of packets at the US company Github. The goal was to force the company to stop making news sites like the New York Times and Greatfire.org available to Chinese citizens. The Great Cannon violated a host of US criminal laws, from computer fraud to extortion. The victims included hundreds of thousands of Americans. And to judge from a persuasive Citizen Lab report, China's responsibility was undeniable. Yet the US government has so far done nothing about it.

US inaction is thus setting a new norm for cyberspace. In the future, it means that many more Americans can expect to be attacked in their homes and offices by foreign governments who don't like their views.

The US government should be ashamed of its acquiescence. Especially because the Great Cannon is surprisingly vulnerable. After all, it only works if foreigners continue to visit Chinese sites and continue to download scripts from Chinese ad networks. They supply the ammunition that the Great Cannon fires. If no one from outside China visits Chinese search sites or loads Chinese ads, the Cannon can't shoot.

That shines a spotlight on the limited number of Chinese sites with broad appeal outside China. Baidu one of them. It's the fourth most popular site in the world—the Google of China, and a popular search engine for many Chinese speakers outside China. Like Google, it makes a great deal of its money from advertising. It supplies ads (and the javascript that runs the ads) to a host of Chinese-language sites. The first time China used its Great Cannon, in fact, it relied heavily on the popularity of Baidu. As Citizen Lab put it, China "intercepted traffic sent to Baidu infrastructure servers that host commonly used analytics, social, or advertising scripts" and "sent a malicious script back to the requesting user" about 2% of the time.

At the time of the attack on GitHub, Baidu denied any involvement and said that its own internal security hadn't been compromised: "After careful inspection by Baidu's security engineers, we have ruled out the possibility of security problems or hacker attacks on our own products," the company said. That may well be true. It looks as though the Chinese government injected malware into a stream of Baidu packets after the packets left Baidu's premises. But if Baidu investigated the attack carefully by logging on to its site from the United States, it seems likely that it could have figured out the source of the attack, just as Citizen Lab did. Since its denial of a security problem on its own network, Baidu has apparently stayed silent (the company didn't respond to my request for comment).

Whatever it knew at the time, Baidu's sites were the key to the attack. They drew the foreign traffic that made the attack possible. And it's quite possible that the Great Cannon could be spiked if Americans and other foreigners simply stopped going to Baidu and its affiliated sites. The Cannon would certainly fail if foreigners refused to visit any site inside the Great Firewall. Which, frankly, would only be prudent, since we now know that China can add malware to any javascript leaving its borders.

So protecting Americans from malware and depriving the Great Cannon of ammo both begin with the same step. We need to let Americans know that every time they visit a site inside China they are exposing others to attack and themselves to malware. Venturing inside the Great Firewall is both antisocial and dangerous—sort of like littering, if littering also caused cancer. A lot of internet users will want to avoid that risk, or at least minimize it. All they need is a good way to warn them away from dangerous sites.

The experts I've consulted think it's actually pretty easy to identify sites that are inside the Great Firewall. If so, it shouldn't be hard to write a browser extension that would warn users every time they click on a site that sits on the wrong side of China's attack infrastructure. The extension could even be programmed to offer outside-China alternatives to risky sites. There are plenty of Chinese-language search engines and ad networks that aren't inside the Great Firewall. (You might have heard of them: the big ones are Chinese-language versions of Google, Yahoo! and Bing.)

Ok, so this is where I turn from blogging to blegging. I'd welcome tech-savvy volunteers who'd like to do a proof-of-concept browser extension that provides this service to uneasy users. It shouldn't be that hard. We're talking about a combination of Noscript and Adblock (or, maybe, Catblock, a charming extension that turns all that evil javascript into entertaining pictures of, what else, cats).

The irony is that this might not hurt the browsing experience. If a site in Taiwan is getting its analytics and its ads from Baidu, there's a good chance that the extension I'm proposing would block the bandwidth-wasting ads and analytics as well as China's malware—while still delivering the Taiwanese content. Now that's a win-win.

Well, for everyone except for Baidu and the Chinese ad networks. They'll lose clicks and views and customers abroad, not to mention revenue. But, really, isn't that another win? It means that the bill for China's breathtaking aggression will be paid by China's own internet companies. That's as close to justice as it gets. If Baidu figured out what was happening to its customers back in March, it did nothing for them and said nothing to them. If Google or Facebook or Twitter had breached their customers' trust in that way, they would be paying for it for years. Indeed, they'd be punished just for allowing their government to do something like that. (In fact, the New York Times and Pro Publica just published a piece that is only newsworthy if you believe that AT&T should be punished for helping the US government collect intelligence.)

This time, though, the shoe's on China's foot, and those who've been trying to make the U.S. tech sector pay for NSA's sins should have the courage to say the same about China and its far more egregious abuse of both the internet and human rights.

It would be satisfying if the internet achieved this goal on its own, without government, by writing and spreading code that ostracized the Chinese enablers of the Great Cannon. It would be equally satisfying if the big browser makers—or the principal US ISPs—offered a standard "Do you really want to go there?" warning to their customers before allowing them to cross the Great Firewall.

A successful voluntary response to the attack on Github would cast a cold light on the US government security cops that have been wasting their time protecting Americans from far smaller dangers. Take the Federal Trade Commission, which demanded a twenty-year consent decree from Twitter on the ground that the company "deceived consumers and put their privacy at risk by failing to safeguard their personal information." How did it do that? According the FTC, the company failed to ensure that its employees used unique passwords on every website they joined, and this failure contributed to a compromise of customer security. If that's a violation of the FTC Act, how can the FTC fail to even investigate Baidu and its ad providers for failing to warn their customers about an ongoing injection of malware? Or take the FCC and the much-touted cybersecurity role of its Public Safety Bureau. It's been pursuing voluntary security measures with ISPs for years, but somehow the Great Cannon hasn't even come up? Or take DHS, so full of enthusiasm for information sharing about cybersecurity risks; yet as far as I can see, it has never identified the malware risk of visiting Chinese sites.

Those agencies should all be ashamed of their inaction, and we should continue to shame them, not just with words but with code. So if you'd like to join me in building a tool to spike the Great Cannon, please send email to spike.the.great.cannon@gmail.com.