If you are in the very small Oz minority and are in the middle of a self-imposed Royal Wedding blackout, you are probably taking the dog for extra long walks or wasting too much time on the internet. Not having an animal companion to moult hair all over the place while extending my life-span in this vale of tears, I've opted for the latter.
Now most sinologists go for the big Google China news search and then, if time permits, check the ChinaDigitalTimes to congratulate themselves that they have already read that article. Yep, I'm crucial and am on top of the game.
Well. CDT excerpted this piece on China's internet vulnerability today:
Glass Dragon: China's Cyber Offense Obscures Woeful Defense published in ThreatPost - The Kaspersky Lab Security News Service written by Paul Roberts 27 April 2001, which you can read in full here. And I will spare you the done-to-death Spy v Spy graphic.
For the last 18 months, Dillon Beresford, a security researcher with testing firm NSS Labs and divorced father of one, has spent up to seven hours a day of his spare time crawling the networks of China's state and provincial governments, as well as stealthier networks belonging to the PLA and the country's top universities. Armed with free tools like Metasploit and Netcat, as well as Google Translate, he's pulled back the curtains on the state of cyber security in China. What he's discovered may come as a surprise to many U.S. policymakers and Pentagon officials.
Aside from identifying the benefits of divorce, lots of freed up net time, Beresford
Contrary to the image of China as a nearly invincible cyber powerhouse,....that the fast-growing nation suffers from woeful cyber security practices at home that leave, literally, thousands of networks and databases vulnerable to even trivial, remote attacks.
He then went on to identify the full menu of security flaws in Chinese govt networks which embrace the PLA, major universities and SOEs at the State level, and also at the Provincial level. Reading thru the detail of Beresford's finding, China's web networks sound like Swiss cheese.
Previously, "Beresford informed Wellintech (a Beijing based professional automation software company) (of a critical security vulnerability) and CN-CERT, China's national Computer Emergency Response Team, but hasn't heard back from either."
Now why advise CN-CERT of his previous finding and also make his more recent findings publicly available?
The media hype in the U.S. is all about cyberwar and how the Chinese are kicking our ass. I wanted to know how vulnerable are the Chinese, and what I found is that they are just as vulnerable as the U.S. if not more so. In large part, I think it's because of this lack of transparency and openness. I'm hoping that, as a result of my work, they might realize this and maybe tone down their aggressiveness towards U.S. After all, we have the best people and it won't be long before other researchers will do as I have.
Naive thinking to put it mildly, and not surprising that a significant number of US article commenters all but called him a traitorous swine.
However, Beresford made one good point which cancels out the demands for a public lynching:
In Chinese culture, also, it's hard to publicly come out and admit mistakes - a fear that people will lose faith in their abilities.
I develop this point:
Never overestimate the cultural "face" factor, and the inability of individuals in the Chinese net system to admit their security laxity. Even if Beijing issued a diktat calling for a major and comprehensive security overhaul, be sure that the response would be an ad hoc 'going through the motions' exercise.
A cup of tea, a fag and a few calls to local comrades to decide on a local face-saving exercise, do the report and hey, problem solved.
Obviously, most of the commenters above who are ready to lynch Beresford have no understanding of workplace methodologies and crisis management in China.