China Attacks
by Ed Sawicki - July 9, 2020
In recent months, there have been news stories that relate to China and how they can't be trusted with our Internet-based privacy. It started early this year with the controversy surrounding Chinese company Huawei and their 5G products in Britain. This week, it's the story about the Chinese social media app called TikTok that the Trump administration is considering banning.
Many of us on the political left reflexively take the opposite view of anything Trumpian. You may be tempted to think that TikTok is a good thing because American teenagers used it to coordinate ordering tickets to Trump's rally in Tulsa in June and then not showing up. We need to look beyond that and question whether TikTok is a serious threat.
The following section on honeypots describes my experiences with Chinese hackers who regularly attack computers on the Internet, attempting to gain access to and control of these computers. I can't say whether these hackers are an arm of the Chinese government or whether they're a threat to the United States. But if you already have privacy concerns over U.S. Internet companies, you should be at least as concerned about China—and Russia.
Honeypots
I run three of my own servers, and I've always been concerned about security. Back in the 1980s, I had one of my servers broken into, and I vowed never to have it happen again. It hasn't. That comes from carefully choosing platforms that are robust and not a popular target for attackers. This means, among other things, no Microsoft Windows computers. It also means monitoring activity on the servers by reviewing the logs to see how the attackers are attempting to gain access to my systems.
To that end, I equip my servers with honeypots. These are programs of my own design that pretend to be genuine services but are fake. They record information about the attackers so I can make decisions about if and when to block their access to my servers. I recently redesigned the honeypot data collection to insert this information into a database so I can query the data in new ways—a rudimentary form of data mining.
The new honeypots have only been running for a week, but I've collected enough data to characterize the attacks against my servers. I average about 1,000 attacks each day. None of the attacks are successful, of course. On one of my servers, I block the IP addresses of all of these attempts, yet it doesn't reduce that 1,000 per day number. This tells me that the population of attackers is huge. It may be millions.
More than half of all attacks come from computers in Asia, and the bulk of that comes from China. Of the remainder, a significant portion comes from organizations that rent space on their servers to customers who can be anywhere in the world. These rental companies are located around the world. U.S. rental companies have servers located in foreign countries and vice-versa.
Chinese or Russian (or North Korean, etc.) hackers can be renting space on U.S.-based servers and launching their attacks from within the United States. My honeypots don't tell me which humans are attacking me and why, of course. So, I use the computer platforms that are least likely to be successfully attacked (when properly configured and managed), and that means Linux, for now.