First, There is a nice counter argument in the article -
But what about the argument that the U.S. is shedding crocodile tears?
America (and Israel) were almost certainly behind the most successful known
cyber attack to date: the Stuxnet virus that impeded Iran's uranium-
enrichment program. There might be some comfort in knowing that the U.S. is
doing unto China what China is doing unto the U.S.
Second, I think people who are saying - "I don't care" to China reading their email account are unaware of the implicit repercussions. Another snip from the article
"If I had access to your bank account, would you worry? If I had access to
your home security system, would you worry? If I have access to the pipes
coming into your house? Not just your security system but your gas, your
electric—and you're the Pentagon? Maybe nobody's been killed yet, but I
don't want you having the ability to hold me hostage. I don't want that. I
don't want you to be able to blackmail me at any point in time that you
want."
It's the potential ability for a foreign host to keep you hostage which is the real worry was a citizen.
I don't care why (and if) China is reading my email (I have a Gmail account).
Can you please answer why the US and EU is reading my email? Both has related laws, email retention policy, email "wiretapping" systems, and have been known to abuse the "court order" system and just go ahead and read everything they like.
I could not care less for China reading it, because China is more than ten thousand miles away, and is not known to interfere with my country and people's lives, unlike the US and EU.
I found it quite amusing that in both countries people work really hard to exaggerate threats from the other country thousands of miles away while what most citizens care are broken health care, environment, getting a job and nonstop increasing taxes. I believe in China most of the attacks were for getting funds from the government. Not sure if it is the same in the U.S. but it does sound similar.
Solutions exist, but no one uses them. You are getting spam because you are not requiring hashcash. They are reading your email because you are not encrypting it.
Government and law-enforcement, even if trust-worthy, function via intermediaries who may not be. This will just never improve and I think we have to address that with the tools we know will do the job.
"They are reading your email because you are not encrypting it."
One of the problems we have here is that tools like PGP and S/MIME require the receiver to do something before the sender can encrypt a message for them. We need something like identity based encryption, where the sender decides if the message will be encrypted and the receiver does not need to publish anything in advance (threshold IBE systems should probably be used to ensure that no single entity can read everyone's mail). Unfortunately, IBE and related technologies are thoroughly patent-encumbered, and so it will be a long time before we can just deploy it freely.
I'd prefer if people encrypted email before sending it to me, but most don't. So my email server encrypts it with my public key on the way in. This is obviously not as good, but it provides several benefits.
First of all, if you gain access to my email account, you can't read my email because you don't have my PGP key. So for example, even if you trigger a password reset email for any of my other online accounts, you wont be able to access the confirmation link/code contained within in order to take over those accounts too.
Secondly, the mail store on my server and all of my email clients, eg inside K-9 mail on my phone/tablet and Evolution on my laptop are all encrypted. So if you compromise/steal any of those devices, you don't automatically get direct access to all of my mail.
Thirdly, it means I use PGP every day, so I become more familiar with the way it works and how to use it over time. I tried using PGP in the past but ended up forgetting how to use it properly because people rarely sent encrypted mail to me.
How awesome would it be if we woke up tomorrow and Google had added a section to their GMail settings page where you could upload your public PGP key and it would automatically encrypt all of your incoming mail with it? Especially if they released an addon for Chrome which allowed you to safely use PGP within the GMail web interface.
You need to exchange key's before you can encrypt a message.
Think of it like this in a pure one way communication you send all parts of the message, and anyone who reads it can decode it. If you instead get one of there key's (even if it's from a 3rd party) you can encrypt something for them. Or you can think of it like this, if the receiver never makes any key's there is nothing special about them that prevents others from reading there messages.
In identity based encryption, there is a key generator that gives out secret keys, and a master public key that the sender needs for encryption. To encrypt a message, the master public key and the receiver's "identity" (e.g. email address) are used. Thus the sender and the receiver do not need to exchange keys in advance; the receiver must get their decryption key from the key generator, but there is no need to do so before the message was actually encrypted.
The key generator can decrypt any message, of course. That is why I said threshold systems should be used, so that no single party is the key generator. In that model, the receiver would have to request that several parties jointly compute and issue the decryption key. It is also reasonable to imagine a world where there are many IBE authorities, and the sender of the message can choose which IBE authority the receiver will have to get their keys from.
Think it through, your treating public information as a private key which is hardly secure. You could also use the users email address as the seed for a random number generator which would spit out keys and not involve 3rd party's but that's also unsafe.
After all, what tells the Key Generator that bob@bob.com is actually bob@bob.com and not Alice?
I did. Look at the picture provided it's the authenticate step that's the problem. Alice wants to send Bob a message. Alice contacts public key authority and says give me bob@bob.com's private key, encrypts the message and sends it. So far so good.
Now, someone contacts the key authority and says I am Bob@Bob.com what's my private key. Without prior communication between Bob and the key authority there is no way to do that exchange over an open channel securely. Assuming email addresses are public information and someone can get bob's email address before he communicates with the key authority.
Err, I did. Look at the picture provided it's the authenticate step that's the problem. Alice wants to send Bob a message. Alice contacts public key authority and says give me bob@bob.com's public key, encrypts the message and sends it. So far so good.
I speak/read Chinese and Japanese fluently, since 1987.
The scale of China's corporate hacking is historic and state-sponsored - exceeding any nation in history by a wide berth.
State sponsored hacking at this unprecedented scale wrecks society in both China and America. The massive level of invasion will leave us all living in a more broken down world.
It has always puzzled me that even sophisticated audiences like HN regard this situation by killing the messenger. Usually reactions are mostly "meh", "Where is your tinfoil hat?", or "the US does it too".
At the end of the day, as proprietors of Internet services, the information being stolen from you or your company is your customer's data. You should care and be alarmed.
I'd just keep track of the usernames who say that, wait until they reveal their identity elsewhere on HN via a "Show HN" or something, then ask them publicly to explain what their stance is on protecting their users' data. When they give the famous cookie-cutter response of, "Obviously we care." then you can hit them with, "but did you not say 'meh' when this same issue came up a few months ago?"
Wow, this is fantastic. The US media is preparing a new scapegoat: Chinese hackers, so if financial institutions fail(they are currently set to fail for their selves) they have an enemy they could use.
Note in the article, if people can't use their ATMs, like in Cyprus, Chinese are the ones responsible!!
Brilliant, like Nazism used Communism(Reichstag fire) and Communism(Stalin) used Nazism as an excuse to gain more and more power from its citizens, US of America needs new enemies, as Sadam Hussein and Osaba Bin Laden are dead in order to make the powerful more powerful, the TSA more freedom killers and citizens less autonomous from the government.
OMG, it's like we can't focus on multiple things at once.
How about this revelation: people in cyprus can't use ATMs because they can't manage their money, and Chinese government-sponsored hackers are also targeting American businesses. I know, it's a lot to concentrate on.
But seriously, I like many others on this tech-centered news site where we pretty much run the entire internet collectively, have seen first hand Chinese-sponsored hackers. So you can't really pull the wool over our eyes so easily.
To the other readers: Whenever you can read the kind of articles like the TFA you can be certain of only one thing: some propaganda office somewhere either wrote it or motivated somebody to write it that way. The military people have zero interest to present such details to the public, the propaganda people do but only if the purpose is "to prepare the opinion at home" (the pretext) for something that is going to follow. So just remeber this for now, I'm sure you'll see something will happen soon but not initiated from the other side. It's not a tinfoil-hat-imagined conspiracy but how "the machinery" of structures with different interests imperfect as it is "shines" to the outer world. For examples of similar actions from not so long ago:
>> you can be certain of only one thing: some propaganda office somewhere either wrote [the article] or motivated somebody to write it that way.
When you wrote that, my first reaction was -- is he part of "the 50 cent army"? 1/2 :-) The propaganda thing goes two ways.
I've seen arguments that the reason why e.g. the Mideast countries are swimming in tinfoil-hat conspiracy theories, is that they LIVE inside a conspiracy theory -- auctoritarian dictatorships. The same goes for Chinese people. And you, too?
Do you remember the times when Americans not only believed that Saddam took part in 9/11 (heck when Bush says so it must be true) but that he was also ready to nuke US?
Now Chinese are almost presented as posessing "the weapons of mass destruction" because... Wait for it... They have access to the internet!
I mean, really...
Btw I had to look up for the term you mentioned in Wikipedia. FWIW I've never read any sources that aren't the western ones. But I was already old enough in 9/11 and WMD times to read the articles like the above as they were written and the book from the earlier link the year it was published. Call me biased then. But do try to read a little on the subjects I refer to, and also try to avoid ad hominems. EDIT: I've just tried to see some of your earlier comments, to get your context. Hmmm:
1. There are lots of sources for intelligence services, saying lots of things. It is hard [for them] to select. [Edit: Besides, that was a totally different subject, with a different president administration, > a decade ago.]
2. You wrote that a given article was propaganda, without any support except your opinions. Here you seem to argue that the Western world (no, not only US) is lying about that China is doing extreme industrial spying. It is hard to take seriously.
3. I have seen lots of conspiracy theorist comments over the last years, both in English and my native Swedish, supporting Assad and other extremely horrible dictatorships against democracies. But sure, most of you guys are certainly just unpaid political extremists...
I bothered to find this for you, not that I expect you to be grateful -- you probably think that attacking your conspiracy theories is the same as attacking you...
It still isn't relevant for China, but a more serious viewpoint on how the Iraq WMD opinions were built:
These two spies are irrelevant to Tony Blair's clerks who were so desperate to actually take a student's thesis (!) as a constructed "proof" for the Irag's WMD, it's documented since 2003:
From the wikipedia page you referenced, that was something given to journalists:
>> issued to journalists on 3 February 2003 by Alastair Campbell, Blair's Director of Communications and Strategy
In short, a PR release had bad quality control. Wow, that must be the first time in world history...
You have gone from: Claiming propaganda offices get their world view out in media without criticism.
To: Pointing to low quality propaganda from governments, which is laughed at.
You're arguing against your original position. Film at 11.
(I might also note, re the original point, that you didn't answer when it is pointed out that lots of sources in other western countries say the same thing about Chinese spying.)
And so on.
(I don't know if you have a point, is trolling, you're writing from China -- or what the hell this is. It isn't interesting, so never mind.)
We do need a proper response to this kind of threat, but it's almost certainly not the response we're ever going to get from the politicians in Washington. Serious cyber policy should at least include the following:
A. Comprehensive technological education for employees who even might come into contact with sensitive information at government institutions, military institutions, or high-profile private firms like banks and software companies.
B. A push for using modern, transparent, open-source, reviewed software and hardware for all vital tech infrastructure. No more legacy FORTRAN or Windows XP or Internet Explorer 5.
C. Taking the power grid off of the public internet and onto a closely monitored and private infranet.
Definitely B. I think a scary percentage of IT managers feel that their legacy Fortran XP/IE5 computer systems are actually more secure than modern alternatives. We're going to have a find a way around that sentiment.
Unfortunately, all of those are easily bypassed by the average corporate employee who will still open that attachment, dismiss the warning dialogs, or click "OK" on any message that pops up.
What does FORTRAN have to do with computer security? FORTRAN is still the most common language used in high performance computing, but in no case is it used for security or web access.
Don't forget that we also need to establish squadrons of cyberwarriors to covertly hack into and steal information from Chinese government entities and large Chinese corporations.
I did go back, and checked my email account. No, its only me who is reading my emails, its a corporate espionage problem, corporations have to deal with it. Normal people don't have anything of interest for state sponsored intrusions, thus are not targeted. Please dear journalists, don't drag me in this war, I know someone is pissed here and there on both side, and both have armies like muscles, too tempting for both side to flex, but seriously, this is not diplomacy! We as people, should root out both govt democratically if they even dare to wage a open cyber war.
If my govt would do that, I would seriously vote against any war, no matter how just it may sound. Americans have a life, Chinese people also have a life. I don't see the problem in common people's life.
I don't see China as being made a scapegoat. I see the system working itself out. New technologies always create new relationships between people and governments. When the net rolled out, we thought the openness would bring about positive reforms. What seems to be happening is that governments are getting very good at controlling what citizens read. Instead they're using the openness of the net as an attack vector. Not exactly what we expected.
No they're not, this is unlike anything anyone's ever done before, unless you decide to generalize to the point where you lose almost all relevant data.
That was absolutely chilling! I am sorry I don't have anything of value to contribute but to me this is an historical equal to the Soviets launching a satellite into space. I think it deserves an internet infrastructure response from the US.
