Baidu and The Great Cannon

    There’s no longer a debate about whether the NSA is spying on everyone. Among Information Security professionals (the people the public calls “hackers”) there never really was. But it took Edward Snowden taking files from the NSA and handing them to Glenn Greenwald at The Guardian to let the rest of the world know. What those files and that reporter did was take the NSA’s activity out of the realm of speculation or conspiracy theory. Edward Snowden gave the world the evidence it needed. He gave proof.

    The natural reaction of most people, and the reason the NSA’s activities were dismissed as conspiracy theory in the first place, comes from an emotional attachment to their sense of privacy. They feel naked, or abused, violated. That reaction has been instilled in Americans so deeply that it’s now believed to be a vital factor in the functioning of democracy.

    While all the media and many of the InfoSec people are decrying the violations of privacy that the NSA perpetrated, using words like “Unconstitutional” or “Illegal” or even “Unethical”, very few people are asking why the NSA was granted that power to begin with.

*          *          *

    The hard truth is that the nature of warfare, the nature of nation-state interplay, has changed.

    In the 1950s the U.S. and the U.S.S.R. were in a cold war that essentially became an arms race. The weapons of that warfare were kinetic in nature: missiles, bombs, guns, even nuclear warheads.

    With the advent and adoption of computers into every aspect of daily life, governments don’t need nuclear weapons to bring a nation to its knees. Hackers can do that. Here’s a made-up hack and what it might look like:

    China wants information that the CIA has. They’re not going to attack the CIA directly. Instead, they will spend months researching a California-based company; call it “California Made”.

    China will research division head Jane, and then they will send an email that looks like it came from Jane to her subordinate Bob. That email will look legitimate in every way. The only way Bob would know it wasn’t from Jane is if Bob actually got up and asked Jane, which he wouldn’t do because he gets 20 emails just like it every day.

    Bob’s going to open that email and click on the Excel document that’s attached. The moment he opens that Excel file, his computer is taken over. 

    China will then use Bob’s computer to take over the rest of California Made’s network.

    An attack will come, maybe weeks later, from California Made, up to Canada Syrup, using similar tactics. Then, from Canada Syrup to French Wine. From French Wine to Florida Orange. From Florida Orange, it gets relayed to the CIA.

    If someone were to look at the attack, it would look like it came from Florida. If they looked really hard, they would think it might have come from French Wine. That false conclusion could degrade the diplomatic relationship between France and the United States. It may even result in people dying.

    The only way to prevent that total diplomatic collapse is for the NSA to monitor all traffic, all over the world, all the time. The NSA must violate U.S. Citizen’s privacy in order to prevent war.

    That’s the way things were in 2013.

*          *          *

    There’s a company called Google. Go ahead and google Google to find out what it is. 

    In case you don’t want to do that, Google is a search engine, among other things. To be a search engine means they have to have a lot of computers with a very good connection to the Internet. I would write stats here but they’re so big that they really wouldn’t have much meaning to most people.

    Google is based in Mountain View, California. Last year Google made $66 billion. It’s a major player in not only the tech world, but in the entire world.

    China doesn’t trust the U.S. because it’s a different country with a different way of doing things and we humans tend not to trust the strange or different, at least not until we understand it. China’s distrust of the U.S. is completely understandable, and probably reciprocal.

    China was more than happy when a company that does pretty much the same thing as Google arose in their country. That company is called Baidu. Baidu is huge: what Google is to the U.S., Baidu is to China, at China’s scale.

    And Baidu is growing.

*          *          *

    One of the common ways to attack a website is what’s called a Distributed Denial of Service attack, or DDoS. Here’s how it works: when I type www.brandxindustries.com into my web browser, my computer sends a packet (a small amount of data that’s basically like a greeting) to Squarespace, the company that hosts brandxindustries.com. The servers at Squarespace will then send a response to my computer, letting it know that Squarespace heard my request and is waiting to know what I want.

    My web browser will wait for Squarespace to respond to the greeting before sending another packet. 

    That’s the way the Internet normally works.

    If my computer doesn’t wait for Squarespace to respond, but instead keeps sending greeting packets as fast as it can, that’s a Denial of Service. When thousands of computers do it at once, it’s a Distributed Denial of Service. Squarespace’s servers will answer each greeting as quickly as they can and hold a place open for it, waiting for the next step of the conversation. If too many greetings come in too quickly, they are handled in first-come-first-served order. A line forms.

    That line is a queue with a fixed number of places, and it fills up. Once it’s full, every new greeting, including the ones from legitimate visitors, is turned away or simply dropped until an old place times out. Nobody breaks in. This is not a buffer overflow, the memory bug that can let an attacker take over a machine; a flood just exhausts the server’s capacity so that nobody else can get through. That is the “denial”.

    There are a couple of ways to defend against a DDoS, but the most reliable is to have more servers and more bandwidth than the attacker can throw at you. Companies like Google have more of both than just about anything else on the net, which makes them very hard to knock offline.
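The queue-filling described above, as an added example that is not part of the original post. It is a toy model constructed for this illustration, not real attack traffic: a server’s table of half-open connections (the “line”) with a fixed number of places and a timeout, one legitimate client that answers the server’s reply, and an attacker who sends greetings from spoofed, never-answering addresses. The class, function and scenario names and all the numbers are made up.

```python
from collections import OrderedDict


class Backlog:
    """A server's table of half-open connections: the 'line' from the text.

    Toy model constructed for this example. A place is taken by a greeting
    (SYN) that has not yet been followed up; it is freed when the client
    completes the handshake or when the entry times out.
    """

    def __init__(self, capacity: int, timeout: int) -> None:
        self.capacity = capacity
        self.timeout = timeout          # ticks a half-open place survives
        self.table: "OrderedDict[str, int]" = OrderedDict()  # src -> tick seen
        self.refused = 0                # greetings turned away because full

    def syn(self, src: str, now: int) -> bool:
        """A greeting arrives. Return False if there is no place for it."""
        self.expire(now)
        if src in self.table:           # repeat greeting, place already held
            return True
        if len(self.table) >= self.capacity:
            self.refused += 1           # the line is full: turned away
            return False
        self.table[src] = now
        return True

    def ack(self, src: str) -> bool:
        """The client finished the handshake; release its place."""
        return self.table.pop(src, None) is not None

    def expire(self, now: int) -> None:
        """Drop places older than the timeout. Insertion order is arrival
        order, so stop at the first entry that is still young enough."""
        for src, seen in list(self.table.items()):
            if now - seen < self.timeout:
                break
            del self.table[src]


def simulate(capacity: int, timeout: int, flood_rate: int, ticks: int = 20):
    """Run one scenario; return (legitimate connections completed, refusals).

    One legitimate client greets the server every tick and answers the
    server's reply on the next tick. The attacker sends `flood_rate` greetings
    per tick from spoofed addresses (hypothetical 'spoof-<tick>-<n>') and
    never answers, so each one occupies a place until it times out.
    """
    server = Backlog(capacity, timeout)
    pending = None                      # client greeting awaiting its reply
    served = 0
    for now in range(ticks):
        if pending is not None and server.ack(pending):
            served += 1
        pending = None
        for n in range(flood_rate):     # attacker goes first each tick
            server.syn(f"spoof-{now}-{n}", now)
        if server.syn("client", now):
            pending = "client"
    return served, server.refused


if __name__ == "__main__":
    quiet = simulate(capacity=10, timeout=5, flood_rate=0)
    flooded = simulate(capacity=10, timeout=5, flood_rate=4)
    bigger = simulate(capacity=100, timeout=5, flood_rate=4)
    print("no attack, 10 places:  served=%d refused=%d" % quiet)
    print("flood, 10 places:      served=%d refused=%d" % flooded)
    print("flood, 100 places:     served=%d refused=%d" % bigger)
```

In the flooded scenario the legitimate client gets through only in the first two ticks; after that the attacker’s never-answered greetings refill every place as fast as old ones time out, and the client is refused for the rest of the run. Nothing is overflowed and nothing is taken over; the server simply has no place left. The third scenario is the defense the text describes, more capacity than the attacker can fill. On real servers the corresponding knobs are the listen backlog size, the half-open timeout, and SYN cookies, which let a server stop holding a place for each unanswered greeting at all.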

*          *          *

    When computers were first built, there wasn’t any software for them. Anyone who wanted a computer to do anything had to manually type in the program they wanted to run on the computer. The early hackers quickly realized this was slow and started sharing each other’s programs or code.

    Eventually businessmen had a profound realization: if the program is big enough, it’s faster to buy a program than to write one. So they started selling programs. But the early hackers didn’t much care for that, so they continued to share code among themselves.

    That sharing eventually got a label: Open Source.

    Open Source programs have recently found a home on a website called GitHub. It’s a general repository for almost anything Open Source.

    Hackers like information to be free. 

    China doesn’t.

    China has constructed what the rest of the world calls The Great Firewall. Hackers figured out a way to allow the Chinese people to get past The Great Firewall. And, as is their habit, they gave the code away, posting it on GitHub.

*          *          *

    This next part involves some guess-work on my part, and some facts. I’ll keep the distinction clear.

    Fact: To operate a telecommunications company in the United States, the U.S. government requires that it be able to access communications when there is a legal basis for doing so (see the hypothetical described above).

    Guess: China probably has the same deal with Chinese companies. 

    Guess: If China does require similar deals, those deals are probably a lot more detailed and intrusive than what U.S. law requires.

    Fact: In March 2015 GitHub was hit with a DDoS that lasted nearly five days. The attack carried so much traffic that it degraded GitHub’s service for much of that time.

    According to the InfoSec research group Citizen Lab, the attack traffic was produced by a system they named the Great Cannon: a device sitting alongside the Great Firewall that intercepted connections from outside China to Baidu’s servers and injected malicious JavaScript into a small percentage of them. Browsers that loaded Baidu’s analytics and advertising scripts then requested the targeted GitHub pages, which hosted GreatFire.org and a mirror of the Chinese-language New York Times, over and over. Citizen Lab found no sign that Baidu’s own servers were compromised; the tampering happened in transit, inside China.

    If Citizen Lab is right, that has some very interesting and serious implications.

*          *          *

    In November 2014, Sony Pictures was hacked. The hackers broke into Sony’s network and took a lot of data, including movies, employee information, and quite a bit more. At the time, there was some debate about whether that attack came from North Korea as a response to the movie “The Interview” that made North Korea look bad.

    If the attack had come from North Korea, the debate continued as to whether such an attack constituted an act of terrorism. The public eventually lost interest without much resolution, leaving quite a few open questions, including one as basic as whether North Korea was even involved.

    I bring up the Sony hack because of the possible terrorism connection.

    The United States invaded Iraq and Afghanistan under the pretext that those countries were facilitating terrorism.

    If the GitHub DDoS did in fact come from China, by way of Baidu servers, then it might constitute a terrorist attack. This is where things get a little muddy. If Baidu is, voluntarily or otherwise, part of a Chinese terrorist group, and since Baidu is publicly traded on the New York Stock Exchange, then anyone owning, buying, or selling Baidu stock may be directly funding terrorism, or at the very least, funding a hostile enemy combatant.

*          *          *

    We live in a world where it’s hard to trace the morality of our actions. If I buy clothing that was made by slave-children in a foreign sweatshop, does that make me a bad person? How would I even know if that’s the case? And, if I do find out, is there an alternative ethical company from which I can buy my clothes? Or, is the world simply too interconnected for us to ask those questions anymore?

    Is Wall Street evil, good, or morally neutral when it facilitates clothing companies that exploit children, oil companies that exploit workers, or computer companies that facilitate nation-state level cyber-warfare?

    I don’t have answers to most of those questions. But, it’s a discussion we need to be having, if only to let us sleep at night with relatively clear consciences. What we do know is that the world is changing and we get to choose how that change happens.