The article begins by saying that Google, Yahoo, Symantec and other companies were attacked by Chinese hackers, who obtained the email accounts and other information of some "human rights activists" (the likes of the Dalai Lama and Rebiya Kadeer?), and claims that China has long sponsored espionage... Which country doesn't collect intelligence? All the more so against elements that threaten national security. We all know that it was the United States and the Soviet Union who took spy warfare to its extreme back in the day...
That said, the article contains this passage:
In a directly related point, consider the curious appearance of a new website called iiScan. This service (based in China) offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software to your website, and they will ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email you a PDF-based report to your email account.
Wow. This service sounds like an overwhelmingly bad idea. It doesn’t take much to imagine all the things that could go wrong in this scenario, even if the Chinese government didn’t directly fund targeted attacks, IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released. Can you say ‘Beijing Cocktail’?
It might very well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) may be legitimate, or at least may have started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers, or for the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.
The article mentions an Internet Explorer zero-day, but it seems to have nothing to do with HP.
Although I would prefer that the Google I use were the complete version, I support the government even more in cracking down on people and activities that threaten national security, and that support is unconditional.