Google’s empty allegations, again, but what next?

Students learning to become hairdressers at Lanxiang Vocational School in Jinan

Google has been making empty allegations against China ever since it decided to withdraw last year. In its latest salvo, it accused the Chinese government of a phishing attack on Gmail accounts. As predicted, such allegations are spreading like wildfire in the Western media. In fact, the innuendos are being narrated into facts, and it is always amazing to see how this propaganda machinery works.

Google claimed the campaign “appears to originate from Jinan, China.” The Lanxiang Vocational School, which was at the center of Google’s claim of Gmail attacks last year, is also in Jinan. Apparently, the hairdressing students at Lanxiang no longer find this spotlight funny.

Did Google offer any more facts than last time? No. But, seriously, let’s look at some real ones. In this respected business and venture capital journal, Venture Beat, Matt Marshall tells us:

Here’s what we know: Mila Parkour, the Washington-based IT specialist at the security specialists Contagio Malware Dump who first spotted the attacks three months ago, and wrote about it here, documented a series of attacks from various locations. These also included Korea and New York.

This has some other experts asking questions, including Mary Landesman, a respected senior security researcher at Cisco. I called her up to ask her point of view of the attacks, and she pointed out that the Contagio documentation alone is not enough to pinpoint Jinan as the source.

“The Jinan, China connection seems to be coming from fact that some phishing emails were sent through 163.com,” she says, “but if that’s evidence, then I think it’s worth questioning. That’s a funny email for cyber [activity].” The domain 163.com may be based in Jinan, but that doesn’t mean that’s where the attack really originated.

By way of explanation, if someone sends a phishing attack through a Gmail account, that doesn’t mean that the attack originated from Mountain View, California (the home of Google, which owns Gmail), she said.

It is rather mind boggling, because this was basically what Google said (“Jinan, China” my emphasis):

Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

Google used the words ‘appears’ and ‘seem’ to qualify its innuendos because it knows that if the real truth is revealed and the Chinese are not actually involved, it has a fall-back position. But it also knows what the Western media will do with this short little paragraph. I find it pretty funny that the Western media doesn’t bother to go to Lanxiang Vocational School and do some real reporting.

As predicted, the Western media outlets parrot each other with the same narrative, concluding with innuendo and he-said-she-said while leaving out crucial facts:

1. Google offered no conclusive evidence the attacks came from China, but Wyatt Andrews of CBS headlined on June 2, 2011:
China Google hackers’ goal: Spying on U.S. Govt.

2. The New York Times, in a he-said-she-said piece on June 2, 2011 by John Markoff and David Barboza:
F.B.I. to Investigate Gmail Attacks Said to Come From China

In this article, the New York Times also talked about Mila Parkour, but completely ignored the facts in her report that the attacks were also traced to South Korea and New York! Remember what Mary Landesman, a respected senior security researcher at Cisco, said to Matt Marshall: tracing the attacks to the 163.com domain only proves that Jinan was a ‘stop.’ A hacker could have taken over a computer in Jinan from Washington, D.C., or anywhere else on the planet. In turn, it could be a dozen or more hops before we find the real hacker.

3. The BBC also did a he-said-she-said piece on June 1, 2011 and took Google’s innuendos to their conclusion:

In Washington, the BBC’s Adam Brookes says it is extremely difficult for analysts to determine whether governments or individuals are responsible for such attacks.

Wait a minute! There is no conclusive evidence the hackers were physically from Jinan, China. How can it become the basis of an accusation of either the government or individuals in China?

4. Fox News on June 2, 2011 reports:

Suspected Chinese hackers tried to steal the passwords of hundreds of Google email account holders, including those of senior U.S. government officials, Chinese activists and journalists, the Internet company said.

Fox News might want to add ‘suspected American hackers’ and ‘suspected Korean hackers’ in that report.

The Chinese government has publicly rebuked Google’s allegations. Foreign Ministry spokesman Hong Lei told reporters:

Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives.

What next?

In my opinion, Google has basically given up on the Chinese market. The analysis I have done is exactly how the Chinese feel towards Google. Foreign Ministry spokesman Hong Lei couldn’t have summarized the sentiment any better. Frankly, what rational people, upon consideration of the real facts, wouldn’t draw this conclusion about Google?

Many of you who have been active on this blog know that we have written quite a bit about Google. (Click on the Google topic at the top of this blog to see ‘Google’ articles.) The company is constantly battling justice systems around the world and dealing with a myriad of contentious issues.

Google has found alliance with the current U.S. foreign policy of ‘Internet freedom.’ The U.S. government wants to push ‘democracy,’ ‘freedom,’ and ‘human rights’ ideologies unfettered. It wants to do this over the Internet. Google on the other hand wants to pull users from around the globe to its Internet services. The bigger Google, Facebook, and Twitter become, the more powerful they are as channels for the U.S. government.

By the way, this is no secret – the Obama administration has recently announced terminating Voice of America broadcasts into China in favor of leveraging the Internet more to accomplish VOA’s intended purpose.

Not that long ago, Jon Huntsman opened Sina Weibo to try to reach Chinese netizens with U.S. ideology, but was shut down.

Google probably sees China (and other nations, maybe in growing numbers) with her firewall as the single biggest stumbling block in terms of market access. People will rightly point out that Google could drop its ideological nonsense and comply with Chinese law, and it would be competing in China just as Microsoft and Yahoo still are today.

Now that Schmidt is out, and having read Brin’s past remarks, I am not surprised at all to see Google trying to smear China; it wants to undermine the government there to get rid of its firewall. The company probably believes that sharing a bed with the world’s most powerful government and breeding ‘democracy,’ ‘freedom,’ and ‘human rights’ is the best way to gain market access around the globe.

Google should realize that Western ideological pretensions have long been exposed. Perhaps Brin is still young and naive. Or perhaps he is brilliant and knows that it is impossible for his company to win against the rest of the world, and that forcing the rest of the world to accept Google, given the company’s head start, is therefore the best way to go.

The first gamble backfired with the company leaving China.

With this incident, it appears the company has gone down the slippery slope further. I expect there will be many countries around the globe wanting to protect themselves, and just maybe, copy China’s firewall to filter propaganda.

9 thoughts on “Google’s empty allegations, again, but what next?”

  1. Also came from Turkey, Dubai, Russia, etc.

    My Gmail account was hacked by someone in Turkey. I know it was from Turkey, because they actually accessed my Gmail account from Turkey, (and not merely sending a phishing email, which could have been done from any server any where in the world).

    Yesterday, UK actually announced that British Intelligence hacked and defaced a terrorist website, by replacing its bomb making recipe with a cupcake making recipe.

    Now, UK acknowledged that hacking, and argued it is legitimate against a terrorist organization.

    However, it is also well known that US and Israel may have designed the Stuxnet virus that crippled the Iranian Nuclear Reactor facility, almost causing a melt down.

    Cyberwar is already engaged by the West, and they are just now smearing China to justify their own actions.

    I mean seriously, phishing attacks against Activist gmail accounts, compared to hacking into Iranian Nuclear reactors?

  2. http://www.washingtonpost.com/national/list-of-cyber-weapons-developed-by-pentagon-to-streamline-computer-warfare/2011/05/31/AGSublFH_story.html

    http://www.huffingtonpost.com/2011/06/07/afghanistan-congress_n_869041.html

    Considering that the US is rethinking its occupation from Afghanistan since Bin Laden died, they need a new boogeyman. Why not pin China as some hacker state as an excuse to develop ‘cyber weapons?’ Spear Phishing is not complicated and some 13 year old can do it from his basement and why would Chinese government do this?

  3. China is one of the countries where most of the cyber attacks “originate” from, but so are the US and the EU because they have the most Internet users, and Internet-connected computers. Most of the Internet users aren’t technically sophisticated enough, and often fall into traps turning their computers into bots.

    A far more plausible explanation why a slew of Gmail users whom the “evil” Chinese government would potentially be interested in were subject to phishing attacks, is that they are likely linked to each other via email/IM contacts, and some of them were dumb enough to put their user ids and passwords into some phishing page. Most of these phishing operations work in an automated fashion – when a dumb friend of yours loses his/her password, pretty soon you will get a phishing attack. Let’s get real, if the Chinese government is to hack their email accounts, the method will be no less elegant and tougher to detect than Stuxnet.

    To make a phishing attempt work, you need to have 2-way traffic — you need an incoming phishing email and then a fake web page to take in people’s real ids and passwords. The incoming SMTP mail log is hopelessly useless. I somewhat doubt all Google was able to do was pinning an email server in Jinan (163.com) as suggested. That would be at the intelligent level of the PKD crowd. It was probably the outgoing web page hosted in a server with an IP address, which the geolocation database returns as Jinan. But really, unless you hacked into that server and did a lot more digging, this really means jack. That machine could easily be just another compromised bot machine.

  4. And one can always count on New York Times to perpetuate their propaganda. The journalist, John Markoff, continues to insist that Lanxiang Vocational is founded by the military, even after I’ve sent him articles that say the school was started with a few thousand RMB in a rented school yard:

    http://baike.baidu.com/view/2048364.htm

    …与其他学校合作、借壳办学的办法。怀揣着几千元钱,荣兰祥用20多天时间跑遍了济南市区所有中小学,寻找可租房源、探寻合作伙伴。教育部门一位负责人得知后深受感动,”我从事教育20多年都没转遍所有中小学,你却做到了。”这位负责人当即帮助荣兰祥牵线。1984年10月,天桥区宝华街一所十分简陋的院落内,一个小小的摩托车维修培训班…

    …partnering with other schools, offering shell classes. With a few thousand dollars, Rong Lanxiang spent 20 days visiting all the middle and elementary schools in Jinan. An administrator at the education department was moved by this and decided to help Rong Lanxiang: “I’ve worked in education for 20 years and have yet to visit all the middle and elementary schools, but you did it.” In October 1984, a small motorcycle repair class began at a decrepit courtyard on Huabao Street in Tianchao District….

  5. @jxie #4,

    It was probably the outgoing web page hosted in a server with an IP address, which the geolocation database returns as Jinan. But really, unless you hacked into that server and did a lot more digging, this really means jack. That machine could easily be just another compromised bot machine.

    This is certainly possible. But as the articles link showed, when you have a chain of machines that have been compromised to carry out others’ attacks, people should look for the command center, not the chain of machines to attribute blame – unless, it appears, when one of the chain happens to be affiliated with China – either registered or physically located in China – then the command center no longer is important, when China is involved. Even when it is a victim, it becomes the culprit.

  6. @Charles Liu
    Thanks for sharing more details pertaining to Lanxiang Vocational School.

    John Markoff is not interested in the truth. The best we can do is what you are doing – let people know despite facts we bloggers find for these ‘journalists,’ they continue to ignore and offer a narrative they want people to believe.

    The paper’s credibility deserves to be flushed down the toilet whenever warranted.

  7. @jxie
    I re-read what Mary Landesman said, and I think it is still consistent with your idea that the click-through destination is a PC running in the 163.com domain. And as you said, the software on that PC receiving the click may be another malware planted by someone else.

    I agree that the click-through destination IP is slightly more ‘important’ than the originating email – because people presume that’s where the secrets leak to. If you don’t trust SMTP header info, which can be spoofed, you assume the destination is where the email originates.

    The Western media expects their audience to be braindead. Indeed, it would be like the CIA doing phishing attacks on foreign computers and leaving a clean 1-hop trail back to CIA headquarters. Never mind the fact that Lanxiang is a vocational school training hairdressers and motorcycle mechanics.

  8. Using phishing to steal passwords, lacks skills and clandestineness, compared to the recent hackings of RSA SecurID and Citibank, which were sleek, effective and covert. I expect the hacking if done by the Chinese state to have the sophistication of Stuxnet, which many believe was created by the American government, the Israeli government or both. Nowadays China is quite advanced technologically — when the Germans needed to sequence the DNA of the recently headlines-grabbing strand of E. Coli, they sent to China — equally there are many Internet security experts in China.

    If Google was able to prove that the specific phishing attempt was only limited to those few hundred people that China might be interested in peeking into their Internet activities, I might be convinced the phishing attempt probably came from China, though quite likely by some underground sophomoric hacking enthusiasts. However, I didn’t see if Google scanned a wider range of recipients with either the checksum of the email HTML body, or the phishing URL imbedded in it. If those few hundred were only a small subnet among a large number of recipients, the whole allegation is quite retarded.

    Google is increasingly being linked to Lanxiang in the Chinese cyberspace, not in a good way. A typical Internet joke runs like this: Lanxiang’s TV commercial — Lanxiang, where we educate cooks, beauticians, drivers, and take down Google. Even if the Chinese government leaves Google alone, Google is done in China.

    Google’s keyword searching business, albeit insanely profitable, is peaking fast. Its latest push of revenue growth is selling its cloud services, including hosted email & office productivity software, to the commercial, educational, and governmental spaces — especially the governmental space. Maybe this flimsy allegation by Google actually makes great business sense. Google is losing the Chinese market anyway, it may well leverage that to help it get the US government agencies to convert to their cloud services.
