Friday, 29 April 2011

Glass Houses and Chinese Culture...Cyber Stuff

If you are in the Oz very small minority and are in the middle of a self-imposed Royal Wedding blackout, you are probably taking the dog for extra long walks or wasting too much time on the internet. Not having an animal companion to moult hair all over the place while extending my life-span in this vale of tears, I've opted for the latter.

Now most sinologists go for the big Google China news search and then, if time permits, check the ChinaDigitalTimes to congratulate themselves that they have already read that article. Yep, I'm crucial and am on top of the game.

Well. CDT excerpted this piece on China's internet vulnerability today:

Glass Dragon: China's Cyber Offense Obscures Woeful Defense published in ThreatPost - The Kaspersky Lab Security News Service written by Paul Roberts 27 April 2001, which you can read in full here. And I will spare you the done-to-death Spy v Spy graphic.

To quote:

For the last 18 months, Dillon Beresford, a security researcher with testing firm NSS Labs and divorced father of one, has spent up to seven hours a day of his spare time crawling the networks of China's state and provincial governments, as well as stealthier networks belonging to the PLA and the country's top universities. Armed with free tools like Metasploit and Netcat, as well as Google Translate, he's pulled back the curtains on the state of cyber security in China. What he's discovered may come as a surprise to many U.S. policymakers and Pentagon officials.

Aside from identifying the benefits of divorce, lots of freed up net time, Beresford found that:

Contrary to the image of China as a nearly invincible cyber powerhouse,....that the fast-growing nation suffers from woeful cyber security practices at home that leave, literally, thousands of networks and databases vulnerable to even trivial, remote attacks.

He then went on to identify the full menu of security flaws in Chinese govt networks which embrace the PLA, major universities and SOEs at the State level, and also at the Provincial level. Reading thru the detail of Beresford's finding, China's web networks sound like Swiss cheese.

Previously, "Beresford informed Wellintech (a Beijing based professional automation software company) (of a critical security vulnerability) and CN-CERT, China's national Computer Emergency Response Team, but hasn't heard back from either."

Now why advise CN-CERT of his previous finding and also make his more recent findings publicly available?

The media hype in the U.S. is all about cyberwar and how the Chinese are kicking our ass. I wanted to know how vulnerable are the Chinese, and what I found is that they are just as vulnerable as the U.S. if not more so. In large part, I think it's because of this lack of transparency and openness. I'm hoping that, as a result of my work, they might realize this and maybe tone down their aggressiveness towards U.S. After all, we have the best people and it won't be long before other researchers will do as I have.

Naive thinking to put it mildly, and not surprising that a significant number of US article commenters all but called him a traitorous swine.

However, Beresford made one good point which cancels out the demands for a public lynching:

In Chinese culture, also, it's hard to publicly come out and admit mistakes - a fear that people will lose faith in their abilities.

I develop this point:

Never over estimate the cultural "face" factor, and the inability of individuals in the Chinese net system to admit their security laxity. Even if Beijing issued a diktat calling for a major and comprehensive security overhaul, be sure that the response would be an ad hoc 'going through the motions' exercise.

A cup of tea, a fag and a few calls to local comrades to decide on a local face saving exercise, do the report and hey, problem solved.

Obviously, most of the commenters above who are ready to lynch Beresford have no understanding of workplace methodologies and crisis management in China.


  1. I take it that Mr Beresford plans no travels to China any time soon.

  2. JR. Beresford would probably get a 30 tourist visa to China if he didn't announce his profession. He faces far greater danger from The Donald, FOX and Tea Party types who would really enjoy stringing him up by his essentials for sharing his findings with China.

    I'm more interested in views on the face factor noted above. Cheers.

  3. Frankly, the only victim I could - remotely, very indirectly, and very unreliably - link to FOX and the Tea Party so far would be Gabrielle Giffords, and I'm not even sure about that link, KT.

    I agree with you that Beresford would probably get a visa to enter China. I'm just wondering how long - beyond 30 days - he might have to stay. Had he travelled American intranets, authorities there might have a number of questions to him, as well - and what's a state secret in China depends on the priorities of the day.

  4. Never over estimate the cultural "face" factor, and the inability of individuals in the Chinese net system to admit their security laxity.

    "No lies, nothing accomplished".

  5. No surprise. I used to work for NUAA - Nanjing University of Astronautics and Aeronautics (worked at NUFE at the same time, hence not in CV). I stayed on campus in a place I was told by a reliable source the telephones were bugged in. The reason for this kind of paranoia? The university was also the place where they were developing China's UAV's, space suits (although apparently they ended up buying those off the shelf from Russia), stealth technology etc.

    Computer security there was lax as hell though. I remember one conversation a friend of mine had with the guy who was in charge of reverse-engineering the design of the American F-16. He said he was secure against hackers because he had a Windows password.

    I had always just assumed that the CIA, MI6 etc. were simply all over China's systems. The problem is, of course, there's likely not much for them to find there. We don't want to copy Chinese technology, and if they had any sense whatsoever they wouldn't be keeping serious intelligence (i.e., identities of spies, military plans etc.) on a net-accessible network.

  6. Good one FOARP. The general silence by the US about its penetration capabilities within the Chinese networld sort of gives me confidence that this is not a one way street with the PRC garnering all the publicity.