China, rated as the eighth most censored country in the world, in a report released by CPJ today, has long had a strong line of defense against free speech online. ItsGolden Shield Project, launched by the Ministry of Public Security in 1998, relies on a combination of technology and personnel to control what can be expressed and accessed behind the Great Firewall of China.
To strike at its enemies the accusation, very often made by victims of an attack, has been that China uses a mix of official and unofficial teams of computer adepts (read: hackers) to stifle overseas sites the government feels pose a threat. China has always denied the accusations. Google "China denies hacking" for a seemingly unending list of accusations and denials.
But an April 10 report from Citizen Lab said a new strategy, and the software to support it, had recently come into use. Large-scale distributed denial of service (DDoS) attacks on at least two Web pages hosted outside China were "carried out by a separate offensive system, with different capabilities and design, that we term the 'Great Cannon'," the report said. For CPJ, Citizen Lab, based at the University of Toronto, is a go-to source on digital issues--we first started relying on their expertise in 2009.
Citizen Lab's report on the Great Cannon was certainly an attention getter: This month news outlets including The New York Times, Guardian, and Fortunemagazine ran headlines on Citizen Lab's claim that there had been a leap in technology or tactics that upped China's ability to cause harm outside its borders. We've been reporting on the increasingly harsh anti-media tactics of President Xi Jinping's government soon after he came to power in March 2012, but this Great Cannon seemed like something well beyond that.
Sufficiently alarmed, CPJ's Asia program asked our staff technologist, Tom Lowenthal, the resident expert in operational security and surveillance self-defense, to explain what the Great Cannon is.
Can you explain what's going on in layman's terms? Do the headlines warning China has "weaponized the Internet" and turned users into "weapons of cyberwar" match the reality?
TL: China's newly revealed capabilities are apparently pretty far-reaching. The Great Cannon is a tool that works with the Great Firewall. Although the Great Firewall looks at every connection crossing the Chinese border, it's not fast enough to edit them on the fly. And it doesn't directly block connections. When the Firewall sees a connection it wants to censor, it sends out fake "this conversation is over" messages--called TCP RST packets for those in the know. That tricks computers at both ends of the conversation into giving up. It is a very efficient, if abrupt, approach to censorship. A user knows when they've been cut off.
The Cannon is more technically complex and subtle. It has the ability not just to eavesdrop and inject new messages, but to completely rewrite a connection. If you send me one thing, and it goes through the Cannon, I might receive something different, without knowing it wasn't your real message. It seems to be as good as the American NSA QUANTUM system that tracks messaging across the world, which was disclosed in Edward Snowden's leak of NSA material.
For China and the U.S. (and who knows which other countries) it's a classic, widely used man-in-the-middle (MiM) system. But unlike the Firewall's relatively heavy handed censorship, the Cannon's changes are difficult to detect, even for tech-savvy researchers. The Firewall can currently censor the whole of China at once. But it's important to note that the Cannon can only do its work on messages that move in and out of China.
Those recent DDoS attacks you mentioned demonstrate just one way the Cannon can be used. According to Citizen Lab research, the Cannon used its rewriting capability on just under 2 percent of connections made to the advertising systems of Baidu --a popular Chinese website that doesn't use HTTPS--from outside China. When Baidu's systems sent advertising-related JavaScript messages to readers' computers, the Cannon was able to read those messages and replace that JavaScript--basic coding language used widely on the Internet--with a malicious version. That "bad" JavaScript co-opted readers' computers to repeatedly connect to what is reported to have been the Cannon's real targets: code-sharing site GitHub and anti-censorship site GreatFire.org. Between them, those affected computers acted like a launch platform to carry out a DDoS attack.
Read the full interview at the Committe to Protect Journalists website.