Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud(scmp.com)
scmp.com
Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud
https://www.scmp.com/tech/big-tech/article/3160670/apache-log4j-bug-chinas-industry-ministry-pulls-support-alibaba-cloud
151 comments
https://archive.md/Yvsca
I'm surprised HN is full of knee jerk assumption without first checking what the government required disclosure policy is.
Here it is: Verify. Report to 'vendor'. Immediately. Report to government including an analysis within 2 days.
Link to policy: http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Link to past HN comment on this on another story on this topic: https://news.ycombinator.com/item?id=29653352
Here it is: Verify. Report to 'vendor'. Immediately. Report to government including an analysis within 2 days.
Link to policy: http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Link to past HN comment on this on another story on this topic: https://news.ycombinator.com/item?id=29653352
I don't think there are any knee jerk assumptions happening; TFA details the differences, including the policy you're referencing.
(archived version of the article: https://archive.md/Yvsca)
From your linked policy (translated by Apple):
>Article 7 Network product providers shall fulfill the following security vulnerability management obligations
>(2) Relevant vulnerability information shall be submitted [...] within 2 days
In this case, an Alibaba researcher found a bug in an Apache product, so this policy wouldn't seem to apply as Alibaba is not the vendor of the product.
(archived version of the article: https://archive.md/Yvsca)
From your linked policy (translated by Apple):
>Article 7 Network product providers shall fulfill the following security vulnerability management obligations
>(2) Relevant vulnerability information shall be submitted [...] within 2 days
In this case, an Alibaba researcher found a bug in an Apache product, so this policy wouldn't seem to apply as Alibaba is not the vendor of the product.
Plainly the linked policy does not ask Alibaba to do what the article says it should do, ie, notify the government first, as per machine translation.
It seems to say that they should notify the vendor (ie, Apache) as soon as possible, and notify the government within 2 days (according to rfoo they are not at all required to disclose it to the government since it's not their product, but they are encouraged to do so), not that they should notify the government first and then wait for approval to notify Apache.
According to google translate:
(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should Notify the relevant product provider immediately.
(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.
So according to machine translation, the article is incorrect, and they do not have to notify the CCP first, instead they should have notified Apache first, and then the government within 2 days.
It seems to say that they should notify the vendor (ie, Apache) as soon as possible, and notify the government within 2 days (according to rfoo they are not at all required to disclose it to the government since it's not their product, but they are encouraged to do so), not that they should notify the government first and then wait for approval to notify Apache.
According to google translate:
(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should Notify the relevant product provider immediately.
(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.
So according to machine translation, the article is incorrect, and they do not have to notify the CCP first, instead they should have notified Apache first, and then the government within 2 days.
I think the central point of the article is that the Chinese government is deviating from their stated policy by punishing Alibaba with the 6 month freeze, thus making it newsworthy.
Does the article say that? The article says that the law encourages them to notify the government first, which it doesn't seem to.
At the same time, the article doesn't say that China is going to stop supporting Alibaba Cloud, just that that the MIIT is freezing cybersecurity cooperation, as far as I understand the article there is no legal punishment or serious financial punishment, and it's not even clear that the cooperation with the MIIT didn't have other terms. It's not clear either that they followed the 2-day period.
At the same time, the article doesn't say that China is going to stop supporting Alibaba Cloud, just that that the MIIT is freezing cybersecurity cooperation, as far as I understand the article there is no legal punishment or serious financial punishment, and it's not even clear that the cooperation with the MIIT didn't have other terms. It's not clear either that they followed the 2-day period.
From my understanding, Chinese government didn't punish Alibaba according to the regulation discussed above.
Given that the punishment is rather obscure and really weak (okay, your country's CERT felt pissed off and won't talk to you for 6 months, but for megacorps like Alibaba, would they really care?), I don't think they are willing to break the rule, at least for now.
Given that the punishment is rather obscure and really weak (okay, your country's CERT felt pissed off and won't talk to you for 6 months, but for megacorps like Alibaba, would they really care?), I don't think they are willing to break the rule, at least for now.
> and then the government within 2 days.
That's wrong. According to the text Alibaba is not required to report the bug to government at all. The 2 days term apply to "domestic network product provider" which would be ASF/log4j maintainers in this case. But they are not domestic so this does not apply.
That's wrong. According to the text Alibaba is not required to report the bug to government at all. The 2 days term apply to "domestic network product provider" which would be ASF/log4j maintainers in this case. But they are not domestic so this does not apply.
Alibaba Cloud, like the other big clouds, has many Java-based products. They’re certainly the vendor of their own vulnerable Java-based products. Whether some other party wrote the code in question doesn’t change that.
Thanks, you're right that they certainly are the vendor of their own vulnerable Java-based products.
AFAIK when the bug became popular on Dec 9, there are still many Java-based services running by Alibaba Cloud remain unfixed, and it caused chaos and panic among their "SRE"s.
However reading the regulation text again, now I'm not sure in this case what Alibaba should report:
> (二)应当在2日内向工业和信息化部网络安全威胁和漏洞信息共享平台报送相关漏洞信息。报送内容应当包括存在网络产品安全漏洞的产品名称、型号、版本以及漏洞的技术特点、危害和影响范围等。
It said they should report "the name, type and version of the product with the vulnerability, the 'technical characteristics' of the vulnerability and the impact". Does this mean, Alibaba should report, for example:
"Alibaba Cloud hosted Apache Flink stream computing service (whatever brand name they use) contains a pre-auth critical RCE vulnerability due to insecure processing of user input in version a.b.c till x.y.z"?
I'm not seeing how could the government know what the bug really is if "the product" means Alibaba Cloud's own product.
AFAIK when the bug became popular on Dec 9, there are still many Java-based services running by Alibaba Cloud remain unfixed, and it caused chaos and panic among their "SRE"s.
However reading the regulation text again, now I'm not sure in this case what Alibaba should report:
> (二)应当在2日内向工业和信息化部网络安全威胁和漏洞信息共享平台报送相关漏洞信息。报送内容应当包括存在网络产品安全漏洞的产品名称、型号、版本以及漏洞的技术特点、危害和影响范围等。
It said they should report "the name, type and version of the product with the vulnerability, the 'technical characteristics' of the vulnerability and the impact". Does this mean, Alibaba should report, for example:
"Alibaba Cloud hosted Apache Flink stream computing service (whatever brand name they use) contains a pre-auth critical RCE vulnerability due to insecure processing of user input in version a.b.c till x.y.z"?
I'm not seeing how could the government know what the bug really is if "the product" means Alibaba Cloud's own product.
Thanks for the correction. I am not convinced however, if Alibaba ships a single product with Log4J it would be their own product too.
See my sibling comment, if "the product" != log4j, Alibaba is then not required to report that log4j had a vulnerability.
Do you mean by redistributing log4j they became a "network product provider" of log4j?
Do you mean by redistributing log4j they became a "network product provider" of log4j?
Either that, or that one of their own products is vulnerable because of the Log4J vulnerability.
[deleted]
[deleted]
Sure, Alibaba broke the law. But there is no rule of law in China. If laws were truly enforced the entire system would collapse.
This was using the law as a weapon to keep companies in check. If this had been another company firmly in the pocket of the CCP, this would have been overlooked and never made public.
This was using the law as a weapon to keep companies in check. If this had been another company firmly in the pocket of the CCP, this would have been overlooked and never made public.
> But there is no rule of law in China.
Shit HN says. Can we avoid making such blanket statements, please and thank you.
Shit HN says. Can we avoid making such blanket statements, please and thank you.
Define rule of laws? Most people don't consider a system where judge, jury and executioner are a single political party that cannot be criticised. If this is rule of law then it's the lowest bar possible
randomly hating 20% of the worlds population for being born in the WRONG country? seems reasonable!
You can dislike the actions of a government without hating the people governed by that government.
What's this comment made in reference to?
[deleted]
TIL Chinese government consists of 20% of world’s population. I thought my country’s administration was overblown and inefficient
Typical communist inefficiency
what are you referring to?
Why does the Chinese Government need to be told _at all_? You're saying that doesn't seem strange to you? The government busy silently exterminating a people and who employ mass surveillance and other obvious human rights violations, that they ask for cyber vulnerabilities to be specifically delivered to them doesn't register a reaction with you at all?
To be fair... CERT has affiliations with the US government.
https://en.wikipedia.org/wiki/CERT_Coordination_Center
> The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center.
https://en.wikipedia.org/wiki/CERT_Coordination_Center
> The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center.
Let's cut the BS. The fact was that Ali Cloud failed to report the issue to MIIT (required by law, it has to be report cyber security incidents to MIIT immediately) weeks after notifying Apache(a foreign entity).
I'm not sure if such behaviors would be desirable in any country.
I'm not sure if such behaviors would be desirable in any country.
[deleted]
Classic HN. you're getting downvoted by fools. I made your point independently, before finding this comment.
It really is worrying how little pause a factually correct comment gave the people reading the thread. We really live in a post-truth world.
Well, it's a pity that doesn't matter how hard we try, it's just impossible to make some ppl understand the fact.
Why?
Did they want to protect themselves before alerting anyone?
Did they want to use this to infiltrate others?
Did they want to protect themselves before alerting anyone?
Did they want to use this to infiltrate others?
There is a rule that requires cloud providers like Alibaba Cloud to report vulnerabilities within 2 days. Alibaba violated this rule.
Note that the article is misleading as the rule doesn't require the disclosure must be made to the government first.
Note that the article is misleading as the rule doesn't require the disclosure must be made to the government first.
Your info is accurrate. But I doubt anyone cares about it.
Would you mind citing the rule? A similar-sounding policy linked elsewhere doesn't seem to apply to this situation.
This is the law that is mentioned in the article, as a link says that this is application of the MIIT ruling that came into effect September 1st:
http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Here is a machine translation of the relevant section that seems to agree with the GP:
>Article 7 Network product providers shall perform the following network product security vulnerabilities management obligations, ensure that their product security vulnerabilities are repaired in a timely manner and reasonably released, and guide and support product users to take preventive measures:
>(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should Notify the relevant product provider immediately.
>(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.
>(3) Remediation of network product security vulnerabilities should be organized in a timely manner. For product users (including downstream manufacturers) that need to take measures such as software and firmware upgrades, network product security vulnerabilities and repair methods should be promptly informed of the product users who may be affected , And provide the necessary technical support.
http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Here is a machine translation of the relevant section that seems to agree with the GP:
>Article 7 Network product providers shall perform the following network product security vulnerabilities management obligations, ensure that their product security vulnerabilities are repaired in a timely manner and reasonably released, and guide and support product users to take preventive measures:
>(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should Notify the relevant product provider immediately.
>(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.
>(3) Remediation of network product security vulnerabilities should be organized in a timely manner. For product users (including downstream manufacturers) that need to take measures such as software and firmware upgrades, network product security vulnerabilities and repair methods should be promptly informed of the product users who may be affected , And provide the necessary technical support.
If this is actually true, this article seems like borderline propoganda.
> Did they want to protect themselves before alerting anyone?
Probably yes.
> Did they want to use this to infiltrate others?
Also probably yes.
The NSA does the same thing. They stockpile security vulnerabilities and selectively tell the software vendors about some of them. They like to keep the "high value" vulnerabilities to themselves for use in exploits.
The WannaCry ransomware (see https://en.wikipedia.org/wiki/WannaCry_ransomware_attack and https://en.wikipedia.org/wiki/EternalBlue) did worldwide economic damage and was built on an NSA developed exploit. The NSA knew about this vulnerability in Windows for years and never told Microsoft.
Unfortunately all intelligence agencies everywhere will continue to take this cowboy approach. Until we can get these bad actors under control, their constant undermining of internet infrastructure will continue to hinder efforts to improve internet security.
Probably yes.
> Did they want to use this to infiltrate others?
Also probably yes.
The NSA does the same thing. They stockpile security vulnerabilities and selectively tell the software vendors about some of them. They like to keep the "high value" vulnerabilities to themselves for use in exploits.
The WannaCry ransomware (see https://en.wikipedia.org/wiki/WannaCry_ransomware_attack and https://en.wikipedia.org/wiki/EternalBlue) did worldwide economic damage and was built on an NSA developed exploit. The NSA knew about this vulnerability in Windows for years and never told Microsoft.
Unfortunately all intelligence agencies everywhere will continue to take this cowboy approach. Until we can get these bad actors under control, their constant undermining of internet infrastructure will continue to hinder efforts to improve internet security.
This gave me a good chuckle.
* Google Project Zero researcher: "we found a bug!"
* NSA (internally): "Damnit, scratch that one off the list boys.."
* Google Project Zero researcher: "we found a bug!"
* NSA (internally): "Damnit, scratch that one off the list boys.."
It's not the same thing to develop and keep an exploit for yourself, as it is to require the public companies in your country to report the important bugs they find while effectively also under a temporary gag order. They are super different things.
The super result is super the same: more vulnerabilities exploited for longer.
Surely you can see there's some difference in magnitude here, right? Which one does it more?
And even if the end result has some overlap, there's a bit of an ethical difference between:
* developing an exploit that you keep quiet
* preventing others from talking about exploits they discover
And even if the end result has some overlap, there's a bit of an ethical difference between:
* developing an exploit that you keep quiet
* preventing others from talking about exploits they discover
Surely you can see that they're all bad actors, undermining the software and infrastructure that we all use, putting our systems and our data at risk through their grubby actions and even their grubby inaction, right?
I don't care which bunch of spies does it more. I don't want spies doing it at all.
I don't care which bunch of spies does it more. I don't want spies doing it at all.
> and even their grubby inaction, right?
Yah, I guess by not searching for new exploits tonight for public disclosure, I'm putting the entire software world marginally more at risk by "grubby inaction."
> I don't care which bunch of spies does it more. I don't want spies doing it at all.
I care: some bad actors in my government vs. forcing an entire massive economy to participate in bad actions will have massively different magnitudes of effect.
There's always going to be bad actors, but preventing 15% of the world's population from being good actors surely is a pretty significant thing.
Yah, I guess by not searching for new exploits tonight for public disclosure, I'm putting the entire software world marginally more at risk by "grubby inaction."
> I don't care which bunch of spies does it more. I don't want spies doing it at all.
I care: some bad actors in my government vs. forcing an entire massive economy to participate in bad actions will have massively different magnitudes of effect.
There's always going to be bad actors, but preventing 15% of the world's population from being good actors surely is a pretty significant thing.
Ethically, it’s not the same.
There's nothing ethical about leaving your nation's infrastructure vulnerable to attack just because you want to indulge in the boy's own adventure of attacking the infrastructure of other nations.
It's not ethical. It's not professional. It's school boy stuff.
It's not ethical. It's not professional. It's school boy stuff.
Whoa, I think we're on the same team. I was saying it's not ethical to tell only your gov't about the exploit, and not your customers.
Probably both? It may not even be so much about this particular vulnerability, but rather just setting the law that any future vulnerabilities must first be reported to the party which can then decide to either defend from it or weaponize it.
I would be surprised, even disappointed a bit, if NSA didn't use it for infiltration for a good few months already.
They do use this to infiltrate others: https://www.wsj.com/articles/cyber-daily-hackers-backed-by-c...
well, if the US does, why wouldn't other governments?
I guess everyone has forgotten wikileaks and Snowden already.
I guess everyone has forgotten wikileaks and Snowden already.
Do people really think AWS did not report to the federal agencies about potential risks?
If AWS didn't then their contract for service is deficient. If they had risks which affected their stock price they had obligations to other agencies too. The department of commerce, the federal communications agency, the US Cert, you name it.
Please, no accusations of whataboutery: I am trying to point out that if you are big enough to have economically relevant importance, OR if you supply goods and services to the state, any state, you have obligations in that state relationship.
if I was in government in China and ali baba cloud didn't check in, I might be witholding business too.
If AWS didn't then their contract for service is deficient. If they had risks which affected their stock price they had obligations to other agencies too. The department of commerce, the federal communications agency, the US Cert, you name it.
Please, no accusations of whataboutery: I am trying to point out that if you are big enough to have economically relevant importance, OR if you supply goods and services to the state, any state, you have obligations in that state relationship.
if I was in government in China and ali baba cloud didn't check in, I might be witholding business too.
>And since so many people are now a threat to him, his selection criteria for people to lead different parts of the party and government has to be based entirely on loyalty rather than competence.
>Which almost guarantees a lot of counter productive incompetence.
This applies to every goverment and public institution regardless of its democratic roots
>Which almost guarantees a lot of counter productive incompetence.
This applies to every goverment and public institution regardless of its democratic roots
Would love to know whether their Specialized military network warfare forces and PLA - authorized forces knew about the flaw beforehand.
Absolutely shameless. I’m glad that they’re doing this in the complete open instead of painting themselves as the good guys (unlike, ahem, other western countries)
My deepest thanks for whoever did that decision in Alibaba.
I hope the price Alibaba has to pay for it won't be too high.
Through I expect Alibaba to now fall-in-line wrt. Future decisions of this kind, it's not that they have much choice.
I hope the price Alibaba has to pay for it won't be too high.
Through I expect Alibaba to now fall-in-line wrt. Future decisions of this kind, it's not that they have much choice.
I worry more about the price of the he individuals who made that call.
Curious what “saving face” will look like in practice here.
Very speculative:
It probably gets labeled as a procedural error, i.e. the one(s) who report it to the log4j project thought it is already reported to the government, and the ones on the other side say they thought the first team would report it to the government. Then they "fall-in-line" by implementing a security report system where you can't make the mistake, which automatically reports to the government and you need to get "clearance" to report to the project authors.
Which, might have been what actually happened if I think about it.
It probably gets labeled as a procedural error, i.e. the one(s) who report it to the log4j project thought it is already reported to the government, and the ones on the other side say they thought the first team would report it to the government. Then they "fall-in-line" by implementing a security report system where you can't make the mistake, which automatically reports to the government and you need to get "clearance" to report to the project authors.
Which, might have been what actually happened if I think about it.
"China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.
The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.
Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.
The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.
The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.
The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by number of devices affected. The simple piece of Java-based software can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google and Microsoft.
The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.
According to a regulation passed this year, Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.
The MIIT cybersecurity management bureau released a statement on December 9 saying it was notified about the vulnerability by “relevant” cybersecurity institutions. The ministry summoned Alibaba Cloud and other cybersecurity firms to discuss the situation, it said. It also urged companies and the public to monitor for updates to patch their systems.
Cybersecurity industry norms encourage notifying vendors of security flaws first, giving them ample time to address the problem, before disclosing the issue to the public. Apache released a patch for the Log4j bug on December 6, three days before public disclosure.
Still, the effect of the bug’s discovery is expected to be wide-ranging because of Log4j’s ubiquity. Many people may not even be aware that their systems are compromised.
The exploit, known as Log4Shell, allows hackers to remotely execute code by getting it logged by the software. This became a problem in the Java edition of Microsoft’s game Minecraft, for example, allowing players’ to compromise others’ systems by sending malicious code through chat messages.
Cybersecurity experts on Twitter have commended the Alibaba Cloud engineer for responsibly disclosing the vulnerability directly to the tool’s developers.
Since the bug’s public disclosure, cybersecurity experts have warned of an increase in activity scanning for Log4j on vulnerable systems. Microsoft said on December 11 that it found that state actors connected with China, Iran, North Korea and Turkey have been both experimenting and exploiting the vulnerability."
The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.
Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.
The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.
The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.
The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by number of devices affected. The simple piece of Java-based software can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google and Microsoft.
The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.
According to a regulation passed this year, Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.
The MIIT cybersecurity management bureau released a statement on December 9 saying it was notified about the vulnerability by “relevant” cybersecurity institutions. The ministry summoned Alibaba Cloud and other cybersecurity firms to discuss the situation, it said. It also urged companies and the public to monitor for updates to patch their systems.
Cybersecurity industry norms encourage notifying vendors of security flaws first, giving them ample time to address the problem, before disclosing the issue to the public. Apache released a patch for the Log4j bug on December 6, three days before public disclosure.
Still, the effect of the bug’s discovery is expected to be wide-ranging because of Log4j’s ubiquity. Many people may not even be aware that their systems are compromised.
The exploit, known as Log4Shell, allows hackers to remotely execute code by getting it logged by the software. This became a problem in the Java edition of Microsoft’s game Minecraft, for example, allowing players’ to compromise others’ systems by sending malicious code through chat messages.
Cybersecurity experts on Twitter have commended the Alibaba Cloud engineer for responsibly disclosing the vulnerability directly to the tool’s developers.
Since the bug’s public disclosure, cybersecurity experts have warned of an increase in activity scanning for Log4j on vulnerable systems. Microsoft said on December 11 that it found that state actors connected with China, Iran, North Korea and Turkey have been both experimenting and exploiting the vulnerability."
Silver lining: The more audacious the CCP gets, the faster their rule will collapse.
Fast for history, but not for people. Just look at North Korea. They've still got plenty of runway for more audacity. For CCP it's like infinity ahead.
Without the CCP it seems rather unlikely North Korea would continue to exist in its current way for long. The only remaining factor standing in the way of their fall then would be western nations not wishing to accept the sudden flood of North Korean refugees that would immediately emigrate from the country when they are no longer held there.
Unlike North Korea, China doesn't have a China to prop them up as a buffer state.
Then again, the CCP under Mao was a lot worse, without any hint of collapse.
People’s expectations were also lower. And there wasn’t any incentive for other countries to be involved.
Both those factors have changed. The Chinese people are not gonna tolerate an extended reduction in their quality of life. Anything short of rapid quality of life growth may be catastrophic for the people in power.
And on the other side, other countries have a lot of incentive to further make things difficult for China and it’s leadership.
Both those factors have changed. The Chinese people are not gonna tolerate an extended reduction in their quality of life. Anything short of rapid quality of life growth may be catastrophic for the people in power.
And on the other side, other countries have a lot of incentive to further make things difficult for China and it’s leadership.
The tang ping moment to some degree validates that quality of life has at least plateaued for many, or that the effort involved to further improve QOL isn't worth it. However, that problem doesn't seem unique to China, and other countries are starting at a higher baseline standard of living.
China's already sitting on a ticking time bomb thanks to the one child policy. I'm willing to bet that that's equally likely to set about a collapse.
That's not the case anymore. From [0]
>As recently as 31 May 2021, China's government has relaxed restrictions even more allowing women up to three children.
[0] https://en.wikipedia.org/wiki/One-child_policy#Abolition
>As recently as 31 May 2021, China's government has relaxed restrictions even more allowing women up to three children.
[0] https://en.wikipedia.org/wiki/One-child_policy#Abolition
Just to augment/explain what others are saying:
* Liberalizing birth restrictions can't have any effect on the number of workers until ~20 years later, and in practice much later than that.
* Once the population pyramid has begun to invert, you have fewer people of childbearing age. Reversing the policy cannot replace the children who were not born a few years ago to families who are now beyond the point of seriously considering more children.
* In practice, once having fewer children is socially normalized, it's difficult to have a larger family going forward, and...
* Once you have a severely inverted population pyramid, the cost of supporting elders increases and the economic situation of those of working age deteriorates, which tends to further suppress births.
It takes a long time for these trends to reverse.
* Liberalizing birth restrictions can't have any effect on the number of workers until ~20 years later, and in practice much later than that.
* Once the population pyramid has begun to invert, you have fewer people of childbearing age. Reversing the policy cannot replace the children who were not born a few years ago to families who are now beyond the point of seriously considering more children.
* In practice, once having fewer children is socially normalized, it's difficult to have a larger family going forward, and...
* Once you have a severely inverted population pyramid, the cost of supporting elders increases and the economic situation of those of working age deteriorates, which tends to further suppress births.
It takes a long time for these trends to reverse.
The ticking time bomb refers to the aftermath of the one-child policy. Demographically, there won't be enough adult children to support the parents of the one-child generation as they age.
Too little too late. The inverted demographic pyramid and the huge skewed gender ratio are baked in at this point.
Yeah, China's currently sitting at 1.3 children born per woman -- just like Italy or Spain, which are often cited as the EU "crisis" numbers.
This number is even worse than it appears though, since there are so many more men than women to begin with, thanks to the history of sex-selective abortion in the country. 12 million Chinese women were never born because their parents wanted a son instead of a daughter, and that's an extra 1.3 x 12 = 16 million children that will be missing from the next generation.
China's population is actually predicted to start shrinking in about 5 years.
This number is even worse than it appears though, since there are so many more men than women to begin with, thanks to the history of sex-selective abortion in the country. 12 million Chinese women were never born because their parents wanted a son instead of a daughter, and that's an extra 1.3 x 12 = 16 million children that will be missing from the next generation.
China's population is actually predicted to start shrinking in about 5 years.
> China's population is actually predicted to start shrinking in about 5 years.
A little overall population contraction isn't necessarily dire. The concerning thing is a decreasing fraction of the population being working age.
Ultimately, the most dire predictions have China's population halving over the next lifetime, and a sustained, big drop in youth. That's a pretty damning trend.
A little overall population contraction isn't necessarily dire. The concerning thing is a decreasing fraction of the population being working age.
Ultimately, the most dire predictions have China's population halving over the next lifetime, and a sustained, big drop in youth. That's a pretty damning trend.
Maybe this is how we get robots faster? China starts panicking?
That's great, but 2021 projected birth rates are even lower than the previous years'
That's just closing the barn doors after the horses have left. Much too little, much too late.
The policy has changed but generations of population demographics haven't.
Maybe, but what will they do when the collapse comes?
Like there are many cases where governments tried to avoid an internal collapse by applying external pressure in form of starting a war.
Like there are many cases where governments tried to avoid an internal collapse by applying external pressure in form of starting a war.
I wish but I think they are well enough entrenched so that only a major economic collapse could threaten their rule.
Wishful thinking. Nothing guarantees that.
Optimistic, sure. But historical examples abound.
[deleted]
Glad to live in a free country where we don't praise dictatorships and authoritarianism. The world should just boycott fucking China.
Nationalistic flamewar will get you banned here. No more of this, please.
No, that's not because we're secretly in cahoots with communists—it's because we don't want a site that consists of lame flamewars and then turns itself into scorched earth and then heat death. We want thoughtful, curious conversation. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
Edit: your previous two comments were egregiously breaking the rules here as well—even worse actually. That's seriously not ok. Please review https://news.ycombinator.com/newsguidelines.html and stop posting like that, regardless of how strongly you feel about $country, and regardless of how legitimate your reasons are (which I'm sure they are). I don't want to ban you but we can't have accounts carrying on like that here.
No, that's not because we're secretly in cahoots with communists—it's because we don't want a site that consists of lame flamewars and then turns itself into scorched earth and then heat death. We want thoughtful, curious conversation. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
Edit: your previous two comments were egregiously breaking the rules here as well—even worse actually. That's seriously not ok. Please review https://news.ycombinator.com/newsguidelines.html and stop posting like that, regardless of how strongly you feel about $country, and regardless of how legitimate your reasons are (which I'm sure they are). I don't want to ban you but we can't have accounts carrying on like that here.
Agreed.
Watching ADV China really helped me understand how bad the government is over there: https://youtube.com/c/ADVChina
Watching ADV China really helped me understand how bad the government is over there: https://youtube.com/c/ADVChina
Don't take this to mean I support china or think everything is roses over there, but that channel is simply propaganda. Genorously 40% of it is valid criticism, but if someone in china stubs a toe they will make a 30 minute video about the unsafe furniture epidemic.
I don’t watch that channel but have seen a couple of videos from laowhy86 before he left China, so would be curious to know what is not true on their channel.
Here's a two of his videos where he claims that COVID-19 emerged from a lab:
https://www.youtube.com/watch?v=bpQFCcSI0pU
https://www.youtube.com/watch?v=a-GVcfP1zrg
And here's a pretty thorough analysis of the flaws with this theory: https://www.youtube.com/watch?v=ab-r0capbzk
https://www.youtube.com/watch?v=bpQFCcSI0pU
https://www.youtube.com/watch?v=a-GVcfP1zrg
And here's a pretty thorough analysis of the flaws with this theory: https://www.youtube.com/watch?v=ab-r0capbzk
I'm unsure how he claims to have found the source. The theory begain at the beginning of Jan 2020 but he posted in April 2020.
Just watching the 'thorough' analysis video, he talks about some person who posted a paper about the source, and in the screenshot it shows Feb 2020. And says the source of the paper was from laowhy86's video, which is published April 2020.
I stopped watching there because it already makes no sense.
Just watching the 'thorough' analysis video, he talks about some person who posted a paper about the source, and in the screenshot it shows Feb 2020. And says the source of the paper was from laowhy86's video, which is published April 2020.
I stopped watching there because it already makes no sense.
I believe you misunderstood his analysis.
At timestamp 6:36 of his video [1], laowhy86 analyzes a copy of the draft "The possible origins of 2019-nCoV coronavirus" to conclude that the virus must have come from the lab. This preprint has been shown to be false by future scholarship (see the citations of the draft at [2] for some examples).
Potholer then analyzes the veracity of the claims within that preprint in his video [3], starting with an excerpt of [1] starting at 2:02.
So the timeline should be:
Feb. 2020 - Preprint published
->
Apr. 2020 - laowhy's video
->
May 2020 - potholer's rebuttal
[1] https://www.youtube.com/watch?v=bpQFCcSI0pU
[2] https://scholar.google.com/scholar?cites=1699435143784344899...
[3] https://www.youtube.com/watch?v=ab-r0capbzk
At timestamp 6:36 of his video [1], laowhy86 analyzes a copy of the draft "The possible origins of 2019-nCoV coronavirus" to conclude that the virus must have come from the lab. This preprint has been shown to be false by future scholarship (see the citations of the draft at [2] for some examples).
Potholer then analyzes the veracity of the claims within that preprint in his video [3], starting with an excerpt of [1] starting at 2:02.
So the timeline should be:
Feb. 2020 - Preprint published
->
Apr. 2020 - laowhy's video
->
May 2020 - potholer's rebuttal
[1] https://www.youtube.com/watch?v=bpQFCcSI0pU
[2] https://scholar.google.com/scholar?cites=1699435143784344899...
[3] https://www.youtube.com/watch?v=ab-r0capbzk
> Glad to live in a free country
what country is that?
what country is that?
We did skip a COVID variant Greek letter to appease the dictator though
[deleted]
sniperjzp(2)
yesbut(2)
chenzhekl(2)
sydthrowaway(1)