The Register® — Biting the hand that feeds IT

Comments on: Hackers re-poison Google search results

Solution? 

Posted Friday 30th November 2007 13:28 GMT

Pirate

Delist all .cn domains then proactively authorise the ones that have a legitimate complaint. Extreme but effective.

alternate computer or just search engine? 

Posted Friday 30th November 2007 13:57 GMT

Does that also work if you surf using a Mac? Or is this directed strictly at PCs? I read on the BBC news page that they indexed also on Yahoo. What about if you search on Blackle (which is what I use anyway)?

Others re-poisoned? 

Posted Friday 30th November 2007 14:11 GMT

Paris Hilton

Wondering if Yahoo! and others are similarly re-poisoned...

@Darren Coleman 

Posted Friday 30th November 2007 14:44 GMT

Yeah, why not. Punishing the majority for the sins of the minority works so well* that even our governments are doing it.

* There may be no evidence to support this whatsoever **

** Nothing to see here. Baaaa.

Standardized LART Form 

Posted Friday 30th November 2007 14:59 GMT

Pirate

Standardized LART Form for poor computer security articles. Released under the GPL v2 for everyone to use. Please modify as needed. See http://www.gnu.org/

Check all that apply to this article. You may have to delete unchecked items to fit in the space allotted by the author's comment form.

======= Indices

Troll-O-Meter: (6 out of 10 for repeat performance) [X] 6. False prophet

Flame Meter / Threat Level: (1 out of 10) [X] 1. Firecracker

BS Meter: (6 out of 10) [X] 6. "We're here to protect you"

======= Conditions of exploitation

Your article assumes the victim:

[X] Uses Microsoft Windows [X] ...with Administrator access [X] ...and turns off User Account Control (Vista)

The problem described was addressed:

[X] More than a month ago by a patch [X] ...more than a year ago [X] ...more than five years ago [X] More than a month ago by a simple workaround [X] ...more than five years ago [X] By the current version of whatever has this problem [X] ...by the previous version

Reproducing and/or exploiting the problem requires:

[X] Clicking a malicious web link [X] ...while logged on as an Administrator [X] Jumping through more hoops than a dolphin at Sea World

Exploiting the problem also requires:

[X] Google [X] Blogspot / Blogger / other major blog site

======= Umbrella salesmen predicting bad weather

Your article cites:

[X] A computer security firm [X] ...twice in a row

The quoted person / firm / organization:

[X] Has a fix for the problem for a price [X] Claims they had known about and/or had fixed the problem [X] ...more than a month ago [X] Predicts the death of the Internet as a result [X] Has unearthed a diabolical conspiracy to destroy the Internet [X] ...or whatever

======= Celebrities

The author or quotee accuses the following celebrated entities of abusing the problem:

[X] China [X] Any other country on the list of Cyber-Enemies of the United States

======= Punishments

For crafting this article, you deserve:

[X] To be interviewed by... [X] ...Rick Mercer [X] ...John Leyden (go interview yourself)

Before writing another security article, you must:

[X] Ask one or more real security experts first [X] ...that don't work for computer security firms (Yes, they do exist.) [X] Ask a critic of whoever you're going to quote [X] Try reproducing the problem yourself [X] ...while logged on with a Limited (XP) or Standard (Vista) account [X] ...while leaving User Account Control (Vista) turned ON [X] Buy a copy of "Euthanize the Internet" by Rob Rosenberger [X] ...and actually listen to it for more than five minutes

grrr 

Posted Friday 30th November 2007 15:06 GMT

I hate those fucking Slashdot forms, I don't want to ever see one on The Register.

Gordon, please feyck off 

Posted Friday 30th November 2007 16:44 GMT

Flame

Slashdot, is that where they're from? Should have known. Gave up reading comments there a loooong time ago.

@ Gordon Fecyk 

Posted Friday 30th November 2007 16:48 GMT

Yeah, but scaremongering is OK sometimes because it is a problem that needs more attention drawn to it. No point in just taking the "I'm a geek so it won't affect me because I'm already aware of it" tone. It's not you / me that need the wake-up call, but it is you / me / etc. who have to fix non-geeky people's computers. So I think it's helpful to draw attention to it. It's also good to keep a pulse on what the general trends are and stuff.

But yeah, I take your point.

I was just going to write my response in the format...

[X] Was I going to write my response like this... [X] But do I expect everyone else also to do this... [X] Can I really be bothered... [X] No, I'm going to bed... [X] Or maybe to hunt for some decent Google alternatives again

in all seriousness 

Posted Friday 30th November 2007 16:50 GMT

Black Helicopters

Personally, I think we should wall off China... I don't know how many times a day my home network is probed, pinged or scanned by an IP address that originates from a .cn network. And from the statistics I've seen from firewalls at other organizations, my little network is barely a blip compared to a corporate entity or government agency of any interest to the Chinese.

Call me a conspiracy theorist but I believe the PRC's military is behind a lot of it...

On the subject of blanket bans... 

Posted Friday 30th November 2007 22:18 GMT

A customer of mine has an Arabic world business website. One fine day a couple of years back some assholes I traced to the group of IP addresses used by a major Saudi university attacked the site - so I blocked the IP range (rather a wide range, if I recall correctly).

A week or so later their IT head contacted me asking 'what was wrong' with the site. So I politely explained.

Two days later I received another communication, this time from the university head, explaining the issue was resolved and was unlikely to reoccur, should I see fit to restore their ability to connect.

So I did - no further problems.

What happened? Your guess is as good as mine, but this was Saudi Arabia... My favourite fantasy involves some form of public and typically barbaric punishment.

Ahh, if only it was THAT easy with your common or garden hacker!

Re. cn domains - yup, they are a sodding nuisance - and a waste of bandwidth!

Re: "rogue anti-spyware program" 

Posted Friday 30th November 2007 23:56 GMT

Black Helicopters

John, I believe you mean *fake* anti-spyware program. "Rogue" would imply that it really is anti-spyware, but that it doesn't conform to some sort of rules.

And just for the record: *All* IP space controlled by China is considered "add to DENY Tables on sight" by anyone who has the vaguest idea of Internet security.

I'm also of the opinion that the Red Army is behind the majority of this stuff, along with the "poison toys." Once is an accident; twice is coincidence. Three times is enemy action. There have been far more than three such major incidents.

The great firewall of China... 

Posted Saturday 1st December 2007 10:30 GMT

...can stop decent Chinese folk from reading about their government's human rights abuses, but it can't stop the deluge of dodgy traffic like this?

its OK! 

Posted Saturday 1st December 2007 19:16 GMT

BBC radio has just broadcast a Chinese gov official who denies that any of this is happening. So that's alright then, you are imagining this and there is no need for any action.

China and what else? 

Posted Saturday 1st December 2007 22:02 GMT

If you are going to block China, you should also block Russia. Not the domain, but the IP block. And then probably a few other countries as well... or maybe just stop using the Internet at all.

@Morely Dotes 

Posted Monday 3rd December 2007 08:54 GMT

Stop

As an information security specialist based in Hong Kong, I recognise that many people around here communicate with .cn addresses on a regular basis, and "add to DENY Tables on sight" would not be an appropriate response. Also take a look at international trade statistics... a lot of other people, including, perhaps, your customers or employer, need to communicate with China.

Whether or not the Chinese military is hacking, I don't know, they don't tell me. However, broadband usage is growing in China, and millions of new users getting onto the internet means millions of poorly-secured machines to be turned into zombies. A lot of the non-Chinese spam I get comes from Chinese IP addresses. I guess that most of the malicious traffic from Chinese IP addresses is from botnets controlled from elsewhere. I would expect the Chinese military to bounce their attacks through non-Chinese addresses, to conceal the source.

.cn 

Posted Monday 3rd December 2007 09:53 GMT

Linux

I don't worry about the domain name, but when I see spam that gets past my blocklists, I update my firewall. whois often indicates a large (up to /11) range of IP addresses, and I simply block the lot against smtp and ssh. www I don't worry about, but it's just crossed my mind I should also take out imap.

@Allan Dyer 

Posted Monday 3rd December 2007 13:59 GMT

Flame

No, blacklisting the entire Chinanet from the civilized world is the right solution for EXACTLY the reasons you listed for not doing it. Those interests you mentioned that need the blacklisting to drop can lean pretty heavily on Chinanet to do something about the abuse. Unless Chinanet can start behaving responsibly, this is going to isolate China. I have personally today added 218.13.0.0-218.18.255.255 to my distributed blacklist, and will keep the range blacklisted until I read on a reliable source that Chinanet has cleaned house. Thanks for participating. Goodbye.

//Svein
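Two of the comments above describe the same defender's chore from different ends: one blocks whois-reported ranges "against smtp and ssh", the other adds the start/end range 218.13.0.0-218.18.255.255 to a blacklist. Firewalls and shared blocklists take CIDR prefixes, not start/end pairs, and a range like that one does not collapse to a single prefix. The example below is added here and is not code from any commenter or from The Register: it converts an inclusive range into its minimal set of CIDR blocks with Python's standard `ipaddress` module, checks individual addresses against the result, and renders illustrative iptables DROP rules for the two ports the earlier comment names. The port list and the probe addresses are constructed for the demonstration.

```python
import ipaddress

# Range quoted in the thread by the commenter "Svein". The port list is a
# constructed assumption matching the earlier comment about blocking a range
# "against smtp and ssh".
RANGE_START = "218.13.0.0"
RANGE_END = "218.18.255.255"
BLOCKED_PORTS = {"smtp": 25, "ssh": 22}


def range_to_cidrs(start: str, end: str) -> list[str]:
    """Collapse an inclusive dotted-quad range into the minimal list of CIDR blocks.

    A range whose boundaries are not aligned to a power-of-two block (like
    218.13.0.0-218.18.255.255) needs several prefixes; summarize_address_range
    yields them in ascending order.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first > last:
        raise ValueError("range start is after range end")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def address_count(start: str, end: str) -> int:
    """Number of addresses a blocklist entry covers; useful for sanity-checking a /11-sized block."""
    return sum(ipaddress.ip_network(c).num_addresses for c in range_to_cidrs(start, end))


def is_blocked(addr: str, cidrs: list[str]) -> bool:
    """Return True when addr falls inside any of the given CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def iptables_rules(cidrs: list[str], ports: dict[str, int]) -> list[str]:
    """Render one DROP rule per (prefix, port) in iptables syntax. Illustrative only:
    a real deployment would use an ipset or the firewall's native address-list feature."""
    rules = []
    for cidr in cidrs:
        for name, port in sorted(ports.items(), key=lambda kv: kv[1]):
            rules.append(f"iptables -A INPUT -s {cidr} -p tcp --dport {port} -j DROP  # {name}")
    return rules


if __name__ == "__main__":
    cidrs = range_to_cidrs(RANGE_START, RANGE_END)
    print("CIDR blocks:", cidrs)
    print("addresses covered:", address_count(RANGE_START, RANGE_END))
    # Constructed probe addresses: one inside the range, two just outside it.
    for probe in ("218.15.4.7", "218.19.0.1", "218.12.255.255"):
        print(probe, "blocked" if is_blocked(probe, cidrs) else "allowed")
    print("\n".join(iptables_rules(cidrs, BLOCKED_PORTS)))
```

The range splits into four prefixes (218.13.0.0/16, 218.14.0.0/15, 218.16.0.0/15, 218.18.0.0/16), which is why pasting the start/end pair straight into a prefix-based blocklist silently blocks either too much or too little. The `address_count` check is the part worth keeping around: it makes the blast radius of a blanket entry visible before it goes live.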