Anyone see a game changer here?

Gadi Evron ge at
Fri Jan 15 16:13:57 UTC 2010

On 1/15/10 5:52 PM, Steven Bellovin wrote:
> On Jan 15, 2010, at 10:43 AM, Jared Mauch wrote:
>> On Jan 15, 2010, at 10:37 AM, Jon Lewis wrote:
>>> Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?
>> I think only those not paying attention would be left with that impression.
>> Spying has been done for years on every side of various issues.  Build a more complex system, someone will eventually find the weak points.
>> Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat".  The issue I see is people forget that floppies posed the same threat back in the day.
>> The reality is that the technology is complex and easily used in asymmetrical ways, either for DDoS or for other purposes.
>> The game is the same, it's just that some people are paying attention this week.  It will soon go back to being harmless background radiation for most of us soon.
> The "difference" this week is motive.
> In the 1980s-1990s, we had joy-hacking.
> In the 2000s, we had profit-motivated hacking by criminals.
> We now have (and have had for a few years) what appears to be nation-state hacking.  The differences are in targets and resources available to the attacker.

And indeed, what do we even know of this incident _for_sure_ so far?

The reports, depending on vendor, blame either PDF files via email as 
the original perpetrator, or lay most of the blame on an Internet 
Explorer 0day. Both are likely vectors which have been seen used before.

Regardless of what really happened, which I hope we will know more on 
later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack but jumped to 
conclusions without evidence that it was China behind them -- based on 
Ethos alone I'd like to think that when Google says China did it, they 
know. Although being a commercial company with their own agenda, I am 
saving final judgement. Did Google ever say it's China rather than from 

2. The 0day disclosed here shows a higher level of sophistication, as 
well as m.o. which has been shown to be used by China in the past 
(consider 0days patched by Microsoft and reported by the Taiwanese 

3. If this was China, which some recent talk seems to make ambiguous, 
but still likely; they would have more than just one weapon in their 
arsenal. The attack would not have been against all these corporations, 
but rather multiple attacks, and possibly multiple tools.

4. This incident has brought cyber security once again to the awareness 
of the public, in a way no other incident since Georgia has succeeded, 
and to political awareness in a way no incident since Estonia has done.

As to "everyone does it", here is an example I wrote of the German 
experience (not my best writing, but good analysis):


Gadi Evron,
ge at


More information about the NANOG mailing list