
> If you believe this was deliberate attack, it seems this is a parade demonstrating electronic warfare abilities.

Probably deliberate with a lot of incompetence mixed in.

Most politicians have zero understanding of the Internet. They decided to do this as a demonstration of force and may not have consulted the people who built the Great Cannon. Or, the people who built it don't have the clout to say not to use it except for important reasons.

They also probably didn't realize that Github could eat the attack.

The problem with having done this is that, I suspect, a lot of ISPs now have null routes of China on standby along with bandwidth monitors that will choke traffic spikes from China almost immediately.

So, it didn't actually succeed. And people have now analyzed the attack and deployed countermeasures.

Not a great result for China.



Wouldn't the attack on GitHub not have resulted in any traffic spikes from China? If the DDoS scripts are injected into browsers viewing Chinese content outside the firewall/cannon, the traffic spikes would be distributed from all over the globe, wherever there are Chinese expats.


That's correct. I work at a company in the US, and visitors to our website were giving the "Malicious Script" alert because we had Baidu analytics installed. Defending against this is much more nuanced than just blocking all traffic from China.


I'm curious what prompted installing Baidu analytics in the first place.


So block the Baidu analytics CDN and call it a day?


That would work, assuming there isn't a workaround. If they were really serious about the attack, though, it's easy to imagine ways around that, especially if you add the possibility of browser caching and exploits in the injected script.
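For a site operator in the position described above, with a third-party analytics script embedded in their pages, one useful check is which script includes are fetched without TLS, since those are the ones something on the network path can rewrite. This is an added example, not code from any commenter in the thread; the sample HTML and all hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())


def audit_scripts(page_url, html):
    """Resolve each script URL against the page and flag how it is loaded."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host/ forms,
        # which inherit the scheme of the embedding page.
        resolved = urljoin(page_url, src)
        parts = urlsplit(resolved)
        findings.append({
            "url": resolved,
            "third_party": parts.hostname != page_host,
            "plaintext": parts.scheme == "http",
        })
    return findings


def injectable(findings):
    """URLs of scripts fetched over plain HTTP."""
    return [f["url"] for f in findings if f["plaintext"]]


# Constructed sample page; hostnames are placeholders, not real services.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example.net/h.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="https://static.example.com/app.js"></script>
<script src="/js/local.js"></script>
<script>var inline = 1;</script>
</head></html>"""
```

Serving the page itself over HTTPS removes the protocol-relative and local entries from the result, leaving only the explicit `http://` include to fix.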


I don't think DDoS is a real offensive weapon in cyber-warfare. It's just a noise-making attention-drawing machine.

What the paper calls targeted exploitation is the real weapon here. The main thing I took away from this paper is that the Chinese government now has the infrastructure to pwn anyone who visits websites hosted in China. This is pretty scary and simultaneously an amazing engineering feat.


Any advice for visitors of those websites hosted in China? As a Chinese, I am always wondering if there is a way to avoid this. Many of us are aware of the backdoors in the Chinese apps (across all the platforms). No matter how big names they are, they have to comply with the order from the ruling ones (I guess most of them cooperate with little guilty feeling). The best I can think of is to have different devices for visiting/using Chinese apps/websites. To a larger scale, I think average users have very limited resources to hide from big organizations. What average Joe could do is a more general question I have not figured out. Thanks in advance.


Some general advice, to decrease the chance any given browser exploit will work against you:

- Disable Java; disable or whitelist Flash; use a different PDF reader than Adobe.

- Use either Firefox with NoScript or Chrome. (Disabling JavaScript is highly effective at reducing attack surface, but on any sites you've whitelisted, Firefox is significantly less secure than Chrome due to the lack of sandbox, though they're working on it... I think that NoScript equivalents for Chrome don't work correctly, but could be wrong.)

- Don't use XP! It no longer receives security updates...

- For the same reason, on mobile, prefer devices that have up to date operating systems.

Not perfect, but that's the state of computer security these days.


Very detailed. Thanks for your input.


The ideal answer is to convince the sites you visit to use https.


If the Chinese government controls a single CA that's installed by default, couldn't they MitM any TLS connection that isn't pinning certs?

Are there any Chinese CAs in any browsers' default installs? If so, they should probably be removed immediately.


CNNIC is no longer trusted by Chrome due to recent incidents, and you can manually remove it from Firefox and IE. While you're at it, take a few minutes to browse the list and also remove anything that sounds Chinese.

If any website you visit legitimately uses a Chinese SSL certificate, you can whitelist it specifically. I actually do this for SSL certificates signed by my own country's CA (not China), and it works wonderfully.


I don't think, practically, we could expect anything positive from the other side. But still thanks.


Given that the Chinese government could inject malware into any insecure connection you make across the firewall, you may also want to do most of your browsing through a virtual machine.


Thanks, note taken.


Most of China is running on outdated, no-longer-supported software with lots of vulnerabilities. Pwning those computers is easy as there is an abundance of well documented exploit vectors available.


I disagree. If the history of EW/SIGINT has taught us anything it's that denial of service through saturation is effective. E.g., "jamming".


The question is if that truth transcends well from broadcast media (i.e. Radio) to packet based, routed networks such as the Internet. Esp long term effects.


Great points. The short term effect was costly, but was handled. But now the world knows that the capability exists and will start taking long term countermeasures. Thus the cost of developing GC has now to some degree been wasted.

But more scarily, the deployment showed that the method used worked (to some degree) and others will learn to implement similar tech. Thus the long term side effect is that more MITM tools will be developed and deployed.

This is the premise of cyberweapons: fairly ineffective, esp on long term against the intended target. But long term side effects are big since once deployed you hand over the knowledge about the weapon tech to others when deployed. Just like Stuxnet.


One big difference between the U.S. and China is that Chinese politicians tend to have engineering backgrounds while American politicians tend to have law backgrounds.

I'm not completely disagreeing with you that Chinese politicians may not understand the internet, but I don't think you can apply the same view of politicians you have in the U.S. to China.


"Username checks out"



