Google: We're ready for a dialogue with China
This afternoon, just hours following Microsoft's stunningly fast response to a critical Internet Explorer vulnerability made stunningly public by Google last week, a Google spokesperson told Betanews today that it expects to engage in a dialogue with the government of China within the next few weeks. The subject will be the status of its business relationship with that country, following Google's allegations that a recent attack on its servers originated in China.
Whether Google will take the next step -- specifically, discussing the substance of these talks with the US government -- is something the company may not yet have considered, judging from the response to our question from Google's spokesperson today.
Google's relative silence about its business dealings with China dates back to early 2007, when it joined Microsoft, Cisco, and Yahoo in declining to appear before the US Congressional Human Rights Caucus, citing its right to privacy regarding business affairs. In order to confer with the US State Dept. earlier this month about the recent attacks, Google had to break that silence.
Talks with China -- assuming they occur as Google believes they will -- may not be all one-sided, with Google talking and China listening. This morning, in a move that some analysts speculated may be retaliation for Google's threatened pullout, leading Chinese search engine Baidu said it has sued New York-based Web registrar Register.com, claiming the registrar is responsible for Baidu's domain having been hijacked briefly last week.
As Baidu told Reuters this morning, "As a result of the gross negligence of Register.com Inc., the domain name resolution of www.baidu.com was unlawfully and maliciously altered." Register.com was apparently sued in US District Court for the district where the company is based (New York City). The text of Baidu's lawsuit had yet to be posted by that Court as of late Wednesday afternoon, Eastern Time. Register.com has yet to make a public statement in response.
But Baidu's allegations could make those talks into something of an arms race, complete with unsubstantiated allegations and mutually-assured destruction. Using the same degree of logic that Google used in claiming China attacked it, the Chinese government could argue that the US was behind the rerouting of Baidu.
The Baidu attack, which may or may not be Iranian
On January 11, the day before Google made its stunning announcement to the world, access to Baidu was temporarily rerouted to a site featuring graphics claiming to have originated from the "Iranian Cyber Army." Those graphics had also been used in an attack the previous month against Twitter. Knowledgeable sources have expressed skepticism that this group necessarily originates in Iran, that it has anything whatsoever to do with Iranian politics, or that it even may be a "group" at all.
The profile of the Baidu attack does not resemble that of the Google attack. In effect, Register.com appears to have been the direct target of a DNS rerouting. According to security services firm Praetorian Group, which monitored the attack at the time, for at least three hours, requests for Baidu's domain were resolved to a site hosted by Houston-based ISP ThePlanet.com. Praetorian traced the domain names of the e-mail contacts listed on the hacked page not to Iran, but to two leading North American ISPs: Netfirms in Markham, Ontario; and Yahoo in Sunnyvale, California.
Praetorian's analysts, who specialize in incident response for global-scale threats, are not convinced the Baidu attack had clear political motives. At the time of that event, they noted that China is not the key impediment to Iran's recent gambles towards acquiring functional nuclear weapons.
"Businesses in China have served as intermediaries for products imported from Iran that are then shipped to US firms, in violation of US economic sanctions against Iran," the company wrote last week. "For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile Web site."
The Google attack, which may or may not be Chinese
By contrast, Google continues to claim its attacks originated in China, through a server that successfully used an undisclosed social trick to implant a Trojan program onto computers -- which some say may have included US-based command and control systems -- running Microsoft Internet Explorer 6.
Since the day of Google's announcement, there has been a significant degree of mystery about two intriguing aspects of the Google attack's profile: 1) why the attacker specifically chose IE6 as the "attack surface," rather than a newer browser such as IE8; 2) why Google concluded the attacks on its systems were of Chinese origin. Given only the current evidence in front of us, it would appear to be feasible that China-based IP addresses, and perhaps other resources, may have been commandeered by proxy by "hacktivists" originating in any other country.
A Google spokesperson told Betanews this afternoon that the company is not aware of any specific evidence that would explain why IE6 was chosen as the attack vector. Google is aware of evidence suggesting that IE6 was chosen intentionally, not by accident on the part of some amateur hacker. The spokesperson also said that Google holds evidence, not inferable from the information made public so far, which it says unequivocally points to China as the geographic source of the attacks against its servers.
What Google will not address at this point in time, however, is the question of what makes this attack specifically Chinese, as opposed to merely China-based.
The official entry of Baidu into the fracas has triggered discussion, including last night on BBC World Service radio, about the possibility that Baidu's travails and Google's may be interrelated. The BBC's discussion with analysts centered upon two possibilities:
- Just as Google perceives itself as a victim of Chinese attack, Baidu perceives itself as a victim of either US attack or US negligence, with both suspicions providing motivation for one another.
- Despite the differences in the threat pattern, both attacks may theoretically originate from the same source, with the purpose of agitating US/China relations or simply to make news headlines.
With those possibilities on the table, Betanews yesterday asked researchers at Praetorian how Google could have concluded so quickly that China or Chinese interests were to blame for its attacks.
"Neither Google, nor the security companies working with them, have stated how they determined this," responded Daniel Kennedy, who leads the risk assessment and global policy management initiatives for the security partnership. "They identified an IP address in Taiwan, but have not disclosed how they further linked that back to China. That tracing was likely done by identifying the target address of the SSL connections being made out of their environment back to this server."
"No one has been too forthcoming in making the complete case that this was actually an attack sponsored in some way by the Chinese government." -- Daniel Kennedy, security response engineer, Praetorian Group
Kennedy went on to point out the work of SecureWorks researcher Joe Stewart, whose work two years ago on diagnosing the "Pushdo" Trojan architecture brought him well-deserved acclaim. In a New York Times story published yesterday, Stewart told reporter John Markoff that in diagnosing the IE6 exploit, which was recently made public, he recalled having seen its curious encryption algorithm once before: specifically, in a Chinese-language technical paper published on a Chinese Web site. While Markoff noted that this discovery in itself does not pin the Google attack on China specifically, Stewart invoked Occam's Razor in suggesting that this made China the simplest, and thus most likely, suspect.
Betanews has sought further comment from Stewart on the subject, which may be forthcoming. In the meantime, Praetorian's Kennedy admits that Stewart's discovery remains "somewhat circumstantial."
"Assuming all connections go through some perimeter device, [a server admin] would see the target of the outgoing SSL connection Google identified as the communication channel in their environment," Kennedy told Betanews. "The attack itself initially would look like normal user browsing...Discovering the back door communicating out of their environment was likely how Google figured out what was going on."
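The detection Kennedy describes, spotting a back door by the outbound SSL connections it makes through the perimeter, as an added example that is not from the article, Google, or Praetorian: it parses constructed perimeter-log lines (a hypothetical "epoch src dst port bytes" format) and flags source/destination pairs whose HTTPS connections recur at a steady interval, the cadence a beaconing implant shows and ordinary browsing does not.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed perimeter log (epoch src_ip dst_ip dst_port bytes_out): one
# workstation browsing normally plus a small, steady beacon to 203.0.113.7.
# Addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
1263224400 10.1.2.30 198.51.100.10 443 18200
1263224405 10.1.2.30 198.51.100.22 443 9100
1263224410 10.1.2.30 203.0.113.7 443 612
1263224700 10.1.2.30 198.51.100.10 443 21000
1263224712 10.1.2.30 203.0.113.7 443 608
1263225011 10.1.2.30 203.0.113.7 443 615
1263225100 10.1.2.30 198.51.100.31 443 44000
1263225309 10.1.2.30 203.0.113.7 443 610
1263225611 10.1.2.30 203.0.113.7 443 611
"""

def parse_log(text):
    """Yield (epoch, src, dst, port, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        yield int(ts), src, dst, int(port), int(nbytes)

def find_beacons(records, min_hits=4, max_jitter=0.1, port=443):
    """Return {(src, dst): period_s} for outbound flows whose connection
    gaps are regular: at least min_hits hits and a coefficient of variation
    (stdev / mean gap) no greater than max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, p, _ in records:
        if p == port:
            times[(src, dst)].append(ts)
    beacons = {}
    for flow, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[flow] = round(period)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:443 every ~{period}s")
```

On real logs, the flagged destinations are the ones to cross-check against known-good services before treating them as a command channel; the regular cadence alone is a lead, not proof.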