clock menu more-arrow no yes mobile

Filed under:

Everyone who cares about free speech should care about the attacks on Github

We don't know who is responsible for the attacks on Github, but the government of Chinese President Xi Jinping seems like the most likely culprit.
We don't know who is responsible for the attacks on Github, but the government of Chinese President Xi Jinping seems like the most likely culprit.
Lintao Zhang/Getty Images

If you're not a programmer, you've probably never heard of Github, a website programmers use to track and share software source code. But if you care about free speech, you should be paying attention to an attack on the site that's going on right now.

Last Thursday, someone launched a massive online assault against the Github website that is still ongoing. There's no proof that the Chinese government is behind the attacks, but circumstantial evidence strongly suggests it played a role. The attacks targeted Github projects that were dedicated to circumventing Chinese censorship of Western news media.

But so far, Github has refused to be intimidated. The company's engineers have been working around the clock to keep the site operational, but it won't be easy for Github to keep resisting the sophisticated attacks.

China can't block Github without hurting its own tech sector

The Great Wall of China. (Jasmin)

Github isn't a household name the way Google and Facebook are, but it plays a similarly central role in the software industry. If programmers have software they want to share — either inside the same company or with the general public — Github is the most popular way to do it. There are 9 million users on Github, contributing code for 21 million programming projects.

And while Github is focused on hosting computer code, the site can be used to host information of all kinds. For example, the anti-censorship project Greatfire.org takes news articles that have been censored by the Chinese government and uploads them to Github.

That has put the Chinese government in a bind. Two years ago, the Chinese authorities blocked Github from the Chinese internet. But the decision was reversed just two days later, after the government got an earful from Chinese engineers, who said they wouldn't be able to do their jobs effectively without access to the huge amount of useful computer code available on the Github site.

And because Github's site uses an industry-standard SSL encryption, the Chinese government can't censor Github selectively. That means the government has to choose between blocking the site altogether — which could damage the competitiveness of China's technology sector — or let its users access everything, including politically sensitive content.

Github says the attacks are an attempt at censorship

Github CEO Chris Wanstrath. (Dave Fayram)

On Thursday of last week, someone started flooding the Github website with traffic from a wide variety of different locations on the internet. This kind of attack, known as a distributed denial-of-service (DDoS) attack, is designed to overwhelm Github's servers and make the site inaccessible to legitimate users.

We don't know who is behind these attacks, but there are three big reasons to suspect it was the Chinese government or someone acting on its behalf. First, many of the attacks targeted two Github addresses — https://github.com/greatfire/ and https://github.com/cn-nytimes/ — that are associated with anti-censorship projects.

Second, one of the attack strategies suggests the attackers have control over some Chinese internet infrastructure. It worked like this: when anyone located outside of China visited the Chinese search engine Baidu, the site would include code that caused the user's computer to begin flooding Github with traffic. Baidu says it wasn't responsible for this malicious code, which either means Baidu was hacked (it says it wasn't) or someone was modifying Baidu pages as they traveled from Baidu to the user. Who's in the best position to tamper with websites as they travel over the Chinese internet? The Chinese government.

Finally, Github itself says the attacks are an attempt at intimidation. "We believe the intent of this attack is to convince us to remove a specific class of content," the company wrote in a terse blog post. They didn't say which "class of content" was being targeted, but it seems obvious that it's related to Chinese anti-censorship efforts.

The fight isn't over yet

To defend against denial-of-service attacks, website operators have to figure out which requests are legitimate and which are malicious. If all of these attacks are coming from the same corner of the internet, that's relatively easy — they can just block a range of internet addresses controlled by the attackers, while keeping the site available for everyone else.

But this attack uses sophisticated methods to thwart that kind of attack. That Baidu-hijacking attack I mentioned earlier is one example. People visit Baidu from locations all over the world, so by hijacking the computers of these international Baidu users, the attackers made it more difficult for Github to distinguish between malicious attacks and legitimate information requests.

It appears Github came up with a clever countermeasure: when it received a request from one of the URLs that had been targeted for attack, it responded with code that caused the victim's computer to display an alert with the message "WARNING: malicious javascript detected on this domain." This not only warned users that they were unknowingly participating in the attack, it also stopped that computer from attacking until the user acknowledged the alert, which is better than nothing.

But the attackers keep switching strategies:

This battle will go on until either Github or the attackers get exhausted. So far, Github has shown no sign that it's ready to surrender, and over time it may become more difficult for the attackers to come up with new tactics.

Still, defending against this kind of attack isn't cheap or easy. Github's continued defiance makes a statement about the company's commitment to freedom of expression.

Sign up for the newsletter Sign up for Vox Recommends

Get curated picks of the best Vox journalism to read, watch, and listen to every week, from our editors.