back to article 'Aurora' code circulated for years on English sites

An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speakinglanguage books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China. The smoking gun said to tie Chinese …

COMMENTS

This topic is closed for new posts.
WTF?

Do you know what else?

We think Iraq has WMDs!

Please, folks... FACTS this time.

5
2
Grenade

Iraq told everybody they had no WMDs.

They then (commanded by the very recently late Chemical Ali) used them on several thousand of their Kurdish population.

They then repeatedly told everybody that they still had them, even when (hindsight's a marvellous thing) it turned out that they didn't.

What were we supposed to think? That they had suddenly become honest all of a sudden? That they were being truthful THIS time? Tell it to the people of Halabja.

Grenade, because there's no icon for nerve gas.

1
9
FAIL

Nice Astroturfing

Unfortunately no-one but you believes it. Iraq has oil reserves of >120 billion barrels. At 75 bucks a barrel that's 9 trillion dollars worth. Wars have been fought for far, far less.

11
1
J 3
Flame

Sure

And North Korea has TESTED nukes. What are you doing about it? When was the invasion by you righteous folks?

Oh, wait, they are not swimming in oil. Who cares, then? Let's do diplomacy.

10
1
J 3
Grenade

And by the way...

The chemical weapons? You knew they had them. Because you sold it to them (to use on Iranians).

7
1
Black Helicopters

Goo

In fairness, neither Google nor the US government have claimed that the CRC algorithm or originating IP addresses are factors in their dispute with China.

3
4
Joke

Really?

English SPEAKING websites?

Wow must get one of those....

0
0
Stop

Re: Really? A/C 12:07

Easy peasey lemon sqeezey.

Just look at some of the sites aimed at pre-school children. Nickjr.com and disney.com have websites where the word on clickable buttons is spoken through the PC speakers so kids who can't read yet can still navigate around.

0
0
Unhappy

American Culture

Shoot first, ask later.

This time around just shooting their mouths off.

9
2
Happy

I knew it!

The Chinese don't invent anything (ok, apart from fireworks)

0
0
Black Helicopters

Smoking Gun

Now when was the last time anyone uttered the phrase 'smoking gun'? Oh yeah, Iraq & the WMDs that never were!! Smoking Guns tend to say far more about those who say they've spotted than those who're apparently weilding them. This sounds a like crass attempt by the yanks at smearing the Chinese, probably because the 'home of the free' is feeling a bit intimidated by them.

3
2
Thumb Up

It's hard not to say..

.. I told you so.

If someone has the brains to launch a successful, targeted attack on a company, it is logical to assume they also know how to hide origin - unless they WANTED something to be found.

Well, QED. Thanks. I can now annoy people with being right - again :-).

PS - that means the "why Google did this" theory will probably stand as well, but I won't push my luck. The facts will speak for themselves in a few weeks, I think.

0
2
Silver badge

Meanwhile Simmering on a Hot Stove and Piped in from A.N.Other Fab Labs ....

"Digging this a little deeper though, the algorithm is a variation of calculating CRC using a nibble (4 bits) instead of a byte," programmer and Reg reader Steve L. wrote in an email. "This is widely used in single-chip computers in the embedded world, as it seems. I'd hardly call this a new algorithm, or [an] obscure one, either." ....

Would it be accurate to say that it is more a new paradigm in chipped computers/Global Operating Devices ..... with novel embedding and nibbling use/spooky capture of raw source with cyclic redundancy check routines that use tables of unknown strength and/or length for Constantly Deeper Cover and Stealth. A "skinny thin client fat lode algorithm" to wriggle into all those attractively tight and interesting Space Places/Locked Cupboards/Guarded Vaults?

0
1
Flame

As I said before

Quite clearly the idiot who put down the China link in the first place never ever had to be subjected to the cruel and unusual punishment of:

1. Learn the verses of Cruiser Aurora by heart

2. Sing it at a school assembly

A correction of this is on order: http://www.karaoke.ru/song/298.htm

Что тебе снится крейсер Аврора...

And so on...

1
0
Megaphone

BLACK HELICOPTER ALERT! BLACK HELICOPTER ALERT!

I think there's more to this than meets the eye. China would be exceptionally stupid to launch an attack from a Taiwan IP - and the Chinese are not stupid.

This gives a few possibilities - it is the so called 'Western World' who have orchastrated the attacks and then got google to go public first later sending in the politicians.

Or its someone who wants China to think that they are getting set up, and the US to think that China is getting a little hostile.

So who could that be? Possibly someone wishing to sell better software or 'IT Solutions' or what ever the buzz word is now a days to the 'Western World' or maybe who sells an awful lot of militry hardware?

Or maybe its just some kids out for a laugh? Or even an international terrorist group? Maybe its even a global newspaper baron wishing to sell more newspapers and our only hope is James Bond who is waiting in the wings?

On a lighter note - there is an economic theory that the US needs a war every decade to prop up its economy. Bigger deficits call for bigger wars.

Follow the money.

And AC obviously cos of the black helicopters, I am now going to fetch my tinfoil hat.

3
5
Boffin

Anyone else notice...

the code on 8052.com is sub optimal. In the second read of the CRC table, he's masking the lower nibble twice:

crc = crc_table[((crc >> 12) ^ (data & 0x0F)) & 0x0F] ^ (crc << 4);

... could be optimised slightly to ...

crc = crc_table[((crc >> 12) ^ data) & 0x0F] ^ (crc << 4);

... saving approximately one instruction cycle, give or take depending on the efficacy of the compiler. (Probably more like 4 instructions and a register if using gcc!)

2
0
Boffin

as in the other code?

; x = ((crc>>8) ^ data) & 0xff;

; x ^= x>>4;

0
0

Interesting. Is the suboptimal code normally used in the west?

Interesting. Is the suboptimal code normally used in the west?

0
0
Joke

title

"Interesting. Is the suboptimal code normally used in the west?"

called "Microsoft software"

0
0
Happy

Simply put: it depends

"If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?"

No necessarily. If one of said countries wants to have a confrontation no doubt is relevant, reasonable or not. Beyond there being something fishy about this I can't figure out which one of them it is, though. Baidu might have a good business case for wanting Google to shove off. Google might have a good business case for wanting to shove off. PRC might want to be rid of something so high-profile as Google. The US of A might want to nudge the Chinese a little bit, just to take them down a peg or two. Ain't international politics FUN?!? ;-)

1
0
Silver badge

Beyond a reasonable doubt is for people you trust

like your own citizens. For people you don't trust the standards are much, much lower. This would be the case between countries.

1
2
Silver badge

I'd actually say the common use of code like this in smaller chips

argues in favor of it being China. They are known to be active in espionage for that hardware. Lift it from there and apply it to software. Simple, efficient, smart.

1
0
Silver badge
FAIL

reading books and websites

certainly qualifies as espionage when done by the Chinese.

Do you have any other bulletproof accusations like that one?

0
1
J 3
Alien

Either way...

Are the Chinese the only people capable of reading Chinese?

I know it might sound like a very alien concept to some Anglophones out there (specially those of a Merkin' persuasion), but one CAN and often does learn another language. I mean, it's not like English is the first, even second, language I've learned... E.g. I've been told by Japanese speakers that they can understand a lot of the ideograms written by Chinese and vice-versa (since they have a common origin), even if they can't speak each others' sounds.

Just saying.

3
1
Silver badge
Pirate

Are the Chinese the only people capable of reading Chinese?

Certainly not! I am a native English speaker, I'm getting on with French (living in France, kinda have to in order to get along properly) and I am picking up some Japanese, but very little of the written side.

That said, I completely understood the document El Reg linked to by the guy that used it to "prove" it was Chinese origin. How? Google Translate. That's how. I have also signed up with a Chinese service to download a few datasheet PDFs not available elsewhere - lots of cut'n'paste to the translator and some inspired guesswork. :-)

Where there's a will, there's a way...

...and in light of these new facts, I think we can discount the "it's the Chinese for sure!" bloke and go back to square zero. IP addresses in Taiwan. Do we know WHAT? What do they resolve to? Is it a company? Private users (like 123.456.678.dslgateway.blah.bt.com sort of thing)? All roughly the same origin or several different?...

...what I'm trying to get to is this an attack orchestrated FROM Taiwan, or just zombies?

How to shoot down the Chinese angle in lieu of a better argument: It is easy. 34 companies in the US were compromised in a rather worryingly efficient and clever attack. What's to say a number of systems in Taiwan were compromised equally effectively in order to launch the attack from.

Jolt-swigging psychopath in Minnesota pulled this off bouncing it all through somewhere on the other side of the planet. Laughs so hard he pees every time Google mentions China: and now that he understands the scope of the political arena, he's a nervous wreck. Does he kick out again to get the two countries even more against each other "for fun" but risk exposing himself, or does he rein it all in and let this power play take whatever course it may?

[there's no evidence as yet for anything much, so it's an equally possible alternative]

0
0

It's the targets...

...that lead to at least the strong likelihood that the attacked originated in China and perhaps had some level of support from the Chinese govt. They were going after gmail accounts of anti-Chinese govt.dissidents - probably looking to find out their contacts and activities. These guys weren't trying to get credit card numbers or product plans to a new hot video game - they were target locked onto people who were critics of the Chinese government. That's not a typical hacker target and I think that lends a lot of support to the Chinese govt. being behind the whole thing.

4
1
Silver badge
Alien

Or

the attacker(s) want people to think the Chinese are behind it.

But it must be nice to have little suspicion about matters like these.

0
1
Anonymous Coward

Exactly!

It's the targets that point to PRC involvement, or to someone else trying to make it look like PRC involvement. So, about as clear as most (international) politics then!

Really, people believe what they want to believe, which I guess implies that all governments do is make whichever claims they think people are up for believing at any one time.

0
0
Silver badge
FAIL

Dumber than Soup

I've used that algorithm myself in various embedded applications since 1995, and knew about it before then (how else would I know to use it?) And I certainly do not speak Simplified Chinese, nor do I now or have I ever lived in the "People's" Republic.

How an "authority" can make such a statement with a straight face escapes me....

3
1

Do you think Joe Stewart is an authority any more?

He is the one making the claim.

http://www.secureworks.com/research/blog/index.php/2010/1/20/operation-aurora-clues-in-the-code/

From what I can find, Joe seems to just be a regular IT person with no official capacity, Director of Malware Research with SecureWorks, a private company. I doubt the US government or Google is making any decisions based solely (or even partly) on his theory.

This must all be embarrassing for SecureWorks.

1
0
Unhappy

re: It's the targets...

Speaking of which - how do Google know the hacked accounts belong to Chinese dissidents?

Possibilities include...

1. The accounts are named like BeijingAntiGovernmenttDude23@gmail.com etc. (Hmm...)

2. Google have been 'peeping' into accounts themselves? (Would never happen of course).

3. The allegations are fabricated in some way

4. 2. The gmail users complained: they really were Chinese dissidents: the hackers genuinely were working for the Chinese Govt. (Possible - assuming the dissidents had a spell between being rumbled and a bullet in the back of the head subsequently billed to their next of kin)

I just hope it wasn't the last

0
1

Or the most obvious and most likely...

During the month before they went public with this, Google, the CIA, NSA and Air Force managed to look inside the accounts and their massive database of persons of interest, then put two and two together. The dissidents themselves having long since been (no doubt politely) shown the door off this mortal coil by the happy-go-lucky friendly Chinese government everyone here seems so painfully eager to defend.

1
0
Anonymous Coward

How about

Google were weighing up whether to do a Yahoo! and give them up to the Chinese (thus the PRC had supplied the IDs), but when they didn't get the deal they wanted...?

1
0

Target of the attack

Surely which attack was used is virtually irrelevant. The important fact is that the attackers seemed interested only in accessing the Gmail accounts of Chinese dissidents. I can think of very few groups who would find that particular information valuable.

3
0
Black Helicopters

And...

Probably the most important, *somebody* who has an interest on making China look bad. Surely we can figure it out?

1
0
Silver badge

Depends upon your angle

We all know about the Chinese concept of "freedom". We all know about the infamous great-(fire)wall-of-China. We also know how China likes criticism and dissidents. How long has that bloke been stuck at Narita, not permitted to return to his own country?

If you wanted to start a spat with, say, Estonia, you might have to do quite a bit of digging around to find a vector to pull. China? Easy. Google for things like "china is a threat" and "china human rights" and you ought to be able to collect a few soft targets that people could be persuaded into thinking the Chinese authorities would want shut up.

Note, carefully, however. This is NOT a defence of the country or their administration. Nor so are a fair number of seemingly "pro China" posts, for if you all read carefully... China launches an attack using a Chinese-specific algorithm (disproven) from Taiwanese machines to affect the mail accounts of Chinese dissidents. I'm sorry, doesn't this all sound a little TOO convenient?

0
0
Grenade

Target of attack

CIA,

Interpol,

MI5

to name but three

0
0
FAIL

Speaks poorly of Google

"Two weeks ago, Google said it was the victim of highly sophisticated attacks "

Highly sophisticated = 1 nibble... What happens if someone used a whole byte?

(OK I know nothing about the hack but....)

0
1
Alert

The US Government is going to be using its own evidence

Obviously the USA's defence intelligence community tries to monitor internet traffic coming out of China. We know the USA monitors all internet traffic entering the USA.

With all that monitoring, and all that analysis, I think it is likely that the US government is determining its foreign policy primarily based on what it "thinks it knows" from what it has detected itself, as opposed to the theories of outsiders.

Of course the USA could be making a mistake. Personally, based on how China is known to treat people with differing opinions (what it calls dissidents and traitors), I think the Americans probably have this one right or partly right.

After all, make enough accusations and some are bound to be correct. It is just too bad Blair and Bush have destroyed the credibility of their respective homelands.

By the way, the article is incorrect on the level of proof required by US courts. In some civil cases a "balance of probabilities" is required, in other civil cases a "preponderance of evidence" is required. Only in criminal cases does a conviction requires "proof beyond reasonable doubt". Under international law, the level of evidence also varies depending on the kind of case.

And that one piece of evidence fails means nothing. The question is whether there is any good evidence.

Of course in this case the evidence will probably never be made public, because IF it exists it would embarrass China too much, and diplomats will see no point to doing that. Also because revealing the evidence would likely give insight into hour much privacy we all lost forever -- to what extent internet traffic is monitored by our governments -- because of decisions made and precedents set by US Republican President Bush and UK Labour PM Blair.

0
0
Megaphone

Either Stewart updated his report, or the Register's article is misleading

Joe Stewart points out this is an old well known old algorithm in his accusatory analysis.

http://www.secureworks.com/research/blog/index.php/2010/1/20/operation-aurora-clues-in-the-code/

He talks about it being used in microcontrollers way back.

His point is the mis-optimization is only found in Chinese code.

If you read the full report, he is quite cautious in what he says.

I'll just quote a small section:

"This source code was created to implement a 16-bit CRC algorithm compatible with the implementation known as "CRC-16 XMODEM", while requiring only a 16-value CRC table. It is actually a clever optimization of the standard CRC-16 reference code that allows the CRC-16 algorithm to be used in applications where memory is at a premium, such as hobby microcontrollers. Because the author used the C "int" type to store the CRC value, the number of bits in the output is dependent on the platform on which the code is compiled. In the case of Hydraq, which is a 32-bit Windows DLL, this CRC-16 implementation actually outputs a 32-bit value, which makes it compatible with neither existing CRC-16 nor CRC-32 implementations."

0
0

But blaming the Chinese is so much fun -

and helps to distract from what certain others are doing in places like Iraq, Afghanistan, Pakistan, Yemen, etc, etc ! And besides, since «the Chinese don't invent anything» save fireworks (one can only wonder what Joe 47 uses to wipe himself after defecation - the Chinese invented both paper and toilet paper, but he would seem to be unfamiliar with the latter) and thus are not to be included in the creative portion of humanity, they are, of course, fair game....

Henri

1
1
Gold badge
Thumb Down

Very thin evidence

Micro controller progammers *everywhere* are always on the lookout for smaller, lower overhead code to carry out functions. Being able to drop in a serial protocol to allow update in fewer bytes -> faster eprom burning -> lower cost.

A systematic bug in implementations *only* found in chinese code would be more signficant. But it's still *very* circumstantial.

And to be honest aren't quite a few black hats in it for the money? Hand them a bag of cash (of whatever nationality) and they will do the job.

Unimpressed.

0
0
Thumb Down

Additional problems with "China Code" Claim

1) Mr. Stewart seems to have neglected the fact variable names are truncated or stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese, and the machine code in Aurora.

A slightly different Google using "crc_table[16]" as keyword turns up many such code examples outside China:

http://www.google.com/#hl=en&source=hp&q=crc_table%5B16%5D

2) On closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the CRC algorithm, and code snippet found by Googling "crc_ta[16]", both turned up different code than what's in Aurora.

Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

crc16 >> 12

however the code passed around in Chinese sites is unoptimized code using two divisions:

((uchar)(crc/256))/16

0
0
This topic is closed for new posts.

Forums