> "the San Francisco-based startup said"
GitHub has been going since 2008 - the "startup" label no longer applies.
GitHub's servers are being hammered by web traffic from an army of unwitting cyber-foot-soldiers. It appears when thousands of people visit websites that serve ads and tracking code from Baidu – China's answer to Google – from outside the Middle Kingdom, network gateways on the Chinese border silently inject a JavaScript …
"The term is a state of mind..." The term isn't a state of mind, unless that state of mind is really confused or doesn't understand English well. Startup describes the origin of starting, not sure how "startup" became a synonym for "new". For example, "A startup company based out of XYZ,..." and "A new company based out of XYZ,..." are now considered exactly the same, but won take English much bad.
Anyone who knows owt about JS could pretty easily tell what that code is - unless your idea of semi-obfuscated is 'contains no comments', in which case the majority of code in circulation is probably semi-obfuscated.
(For the record, it randomly picks a target to send AJAX requests to based on the current time and continues to hammer the pages for 30 seconds.)
> One wonders what other miracles of injection are being silently performed by network devices, gateways or otherwise, seeing HTTP traffic going hither and forth.
I'm still wondering what sort of an orphanage allowed Cyril Smith to wander around with his cock up a little boy's bum until he bumped into an unnamed senior police officer coming the other way with his cock up another little boy's arse and nobody in that 5 eyes thing or Ropey Murdoch's stable of rags caught on.
I can't believe that all the money spent by GCHQ/NSA etcetera etcetera is just there to help hide petty peckerdildoes. But what else could it be designed for?
Yes... Quite how everyone at the BBC seems to have known about Savile, yet nobody actually did anything about it for decades.... And yet there seems not to be a proper police investigation or public enquiry into the BBC and who knew what and when. Makes it very difficult to believe it's not an ongoing problem.
Baidu is one of the default webpages on the Chinese language version of Windows, so it is installed and used by millions of ethnic Chinese people around the world.
My wife has been trying to force her copy to use Google.co.uk, so she can make local searches, but it keeps going back to .cn alternatives.
To this day I am unsure if the cheap "Chinese only" versions of WinXP, Vista and Win7 are a genuine Microsoft product or a Chinese government project to help control their own population (I bought SWMBO WinXP and Win7 disks for £1 each in 2010).
Likewise, the locals are told to use the 360 browser because it is safer - it is a malware-loaded POS, basically a clone of IE with Chinese government spyware included.
> To this day I am unsure if the cheap "Chinese only" versions of WinXP, Vista and Win7 are a genuine Microsoft product or a Chinese government project to help control their own population (I bought SWMBO WinXP and Win7 disks for £1 each in 2010).
If you trust that software then you get all you deserve ... £1 each smells fishy, so it might not even be a "pure" official Chinese version - the official Chinese version most certainly has a rootkit installed. What you got could potentially contain an additional rootkit or two ... My advice: buy a bargepole to throw them into the bin!
Assuming it's a Chinese govt op, someone needs to tell them it makes them look like a bunch of sorry-arsed limp dicks. If your regime is so good, why do you have to censor what your citizens read? If it's not that good, then FFS invest the resources to fix it. This exploit has all the appearance of a child's tantrum, not the work of a once-proud nation.
> escalatory retaliation
At least until someone gets the bright idea of a pre-emptive strike--at which point things could get shouty-pouty with lots of finger-pointing and toys being thrown around the big rooms.
When is D. Bowie going to do a Chinese version of "Heroes"?
Uninstalling Java won't do anything. The stuff they're using is JavaSCRIPT, which can only be dealt with by either NoScript or by disabling JavaScript in your browser. But the latter would break all those Web2.0/HTML5 bloatware eye candy, so the only real solution is NoScript on dodgy websites.
I can see CORS becoming mandatory for JS this year... Chrome and Firefox start it; site owners jump to keep their analytics working; IE9-and-under users have to upgrade. That would break half the internet, but if this kind of attack becomes rampant it'll break the whole thing.