back to article China ALTERED its public vuln database to conceal spy agency tinkering – research

China has altered public vulnerability data to conceal the influence of its spy agency in the country's national information security bug reporting process. The damning finding from threat intel firm Recorded Future follows months of research examining the publication speed for China’s National Vulnerability Database (CNNVD …

  1. Bronek Kozicki Silver badge

    ok, and the surprise is ...

    oh, there is none.

    1. Anonymous Coward
      Anonymous Coward

      Re: ok, and the surprise is ...

      Friends, it's 1934 and each of us can point to a number of possible 'Balkans'.

      And where are we going to flee to? It's getting hard to even imagine an enlightened country in these times.

  2. Gene Cash Silver badge

    And this is different from the US NSA stockpiling vulns, how?

    Other than they don't share a building?

    1. hellwig Silver badge

      Well, the NSA discovers their own vulnerabilities and simply doesn't report them. They don't scour company databases, find important vulnerabilities, and then force the public DBs to remove or hide those vulnerabilities from the public.

      China is operating under the guise of openness, by offering to scrub numerous databases to create a centralized public database. But they are instead using the vulnerabilities already reported by others, seeing if they provide value to their spying programs, and if so, hiding them from the Chinese public.

      So in theory, the Chinese citizens and companies would know about these public vulnerabilities as soon as the rest of the world if the Chinese government were not doing this.

      When the NSA hoards an exploit, in theory (their theory), only they know about it. The NSA's actions can hurt the world. So see, the US is doing it better.

      1. Pascal Monett Silver badge

        Re: "the US is doing it better"

        Yeah, right up to the point where the NSA gets hacked and its hoard escapes into the hands of Russian hackers.

      2. P. Lee Silver badge

        >>China is operating under the guise of openness

        And the US/NSA operates under the guise of, "for the people."

        I think it is a matter of a difference of degree, not principle.


    Some useful use case for blockchain after all?

  4. Anonymous Coward
    Anonymous Coward


    It's not often that I agree with the government but from my own hobby of research I do not trust much of anything coming from China.

    Case in point: Last week a local company had a prize giveaway to attract potential customers to their place of business.

    One of the "prizes" was a "smartwatch" from China.

    The watch came with instructions that included a QR code to download an app to the users Android phone to link to the smartwatch.

    There were over 100,000 of these smartwatches purchased for giveaway.

    (URL shortenedlink to VirusTotal results)

  5. razorfishsl

    If you buy hardware from China , you throw away your security.

    If you guys could actually read Chinese and were on the forums you would piss yourself with shock at the information available, people selling the ability to load " modified firmware into devices at the factory level, Illegal reverse engineering & hacking to openly steal I.P & you guys think an exploit database is news.....

    don't even get me started about malware being injected into hotel feeds by government sanctioned companies or HARDWIRED "bypass" boxes fitted to patch ROUND firewalls, all thanks tof your local government funded police & security dept.

    1. Anonymous Coward
      Anonymous Coward

      "If you buy hardware from China , you throw away your security."

      I'm interested in a list of computer hardware without a single "Made in China" label on them.

    2. P. Lee Silver badge

      On the assumption this is true, this is why we have application proxies.

      Your infrastructure has no need to talk to the internet.

      Oh wait. You bought Microsoft Windows 10? You use AWS public services?

      You probably need to stop doing stupid things which make your security impossible to maintain, just because "everyone is doing it" or "its cheap."

      Security problems are like staff problems: everyone complains its not possible, when what they really mean is they don't want to pay for it.

  6. Anonymous Coward
    Anonymous Coward

    Strange conclusion

    "For a foreign multinational company to comply with all the provisions of the CSL means (in effect) co-operating with Chinese security and intelligence services."

    Does that mean that foreign multinational companies in the US don't have to follow US laws telling them to cooperate with US security and intelligence services, along with gag orders and secret FISA trials so they can't say anything?

    Let me say that I'm not convinced, and the long history of US meddling makes this criticism hard to swallow.

    How can we expect China to be better when we're not able to democratically control our own Western intelligence agencies?

    1. Claptrap314 Bronze badge

      The agent problem

      There is no theory in which an actor can be completely protected from a rogue agent. That is, whatever powers you entrust to someone can be abused.

      The entire question becomes what level of trust you can manage for your agent.

      Formally, western powers have constitutional limits on the actions of their governments, including various bills of rights. In practice...well, it doesn't always work that way.

      China has nothing comparable. 1) The government is not seen as an agent of its citizens in the first place. 2) The Chinese language does not even have the concept of human rights that we have in the west.

      In particular, anyone posting anonymously in these forums complaining about the behaviours of our intelligence agencies is NOT doing so to avoid detection by these agencies. We are completely confident in our ability to freely criticize the actions of our government so far as the government goes. We worry much more about individuals objecting & that limiting our job opportunities.

      THAT is the difference. And we hold to the thin hope that this freedom can be used to turn the corner and reign in our agent, the government.

      1. Alan Brown Silver badge

        Re: The agent problem

        "anyone posting anonymously in these forums complaining about the behaviours of our intelligence agencies is NOT doing so to avoid detection by these agencies."

        No, because we assume those agencies already know who they are and if not, will know in about 5 minutes or less.

        The only difference between the agencies is that western ones claim they're not doing it. The motivations of the governments might be slightly different but "democracy" doesn't enter much into it except for lip service.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019