Talk:GhostNet

Infiltrated computers with malware
Why no mention that these 'computers' are almost always desktop machines running Microsoft Windows User:Emacsuseremacsuser (User talk:Emacsusertalk) 14:09, 29 March 2009 (UTC)


 * Because window is the most popular OS? --Special:Contributions/85.108.82.25485.108.82.254 (User talk:85.108.82.254talk) 14:31, 29 March 2009 (UTC)


 * If I'm not mistaken, Linux has surpassed Windows as the most popular enterprise OS, and the computers breached were most likely no smaller than a enterprise midrange and above. Thus it's very likely they were running Linux or some variation of Linux or another FOSS OS. I'm just guessing, of course, but my educated guess is based on information from CIO magazine. --No Such Business (talk) 21:28, 16 July 2009 (UTC)


 * Therefore, this would imply that it was likely a Linux-on-Linux attack, rather than a Linux-on-Windows attack. Thus it would be a lot harder to defend against these hackers if they went military and infiltrated their marks for destructive reasons. Given the fact that many government and military computers in the USA run on some distro of Linux or other FOSS OS, a Linux-on-Linux attack would be difficult to fend off unless the whole nation swiftly implemented a massive network of inescapable super-maximum security honeypots. I believe that is near impossible with the immense beareaucratic infrastructure within the government and the military. (That's one of the reasons why I am joining the Air Force next year after I graduate from college - to propose and help implement just such a network). But if we could do it, and we the USA can, we will do it, and I believe we will succeed at this project when we decide to do it (if we ever decide to do it) and the USA and its allies shall win any future iWar launched against us or which we launch on our own. (I'd also like to be the 'commander of the hacker nerds' some day)... Hopefully the world will choose peace, and no such war will ever come to fruition. Hopefully. Now you all know where I stand on war. --No Such Business (talk) 21:28, 16 July 2009 (UTC)


 * For the same reason it's not mentioned that they use electricity. Special:Contributions/67.240.138.10667.240.138.106 (User talk:67.240.138.106talk) 17:44, 29 March 2009 (UTC)


 * Neither of the above is correct: the correct reason is because that's an assumption, not a verifiable claim with a reliable source.


 * I just searched the IWF report, and it does not seem to mention Microsoft Windows at all, let alone give a breakdown of infections by OS. It's extremely likely that the infected computers all run Windows, but that's not good enough: the test here on Wikipedia is verifiability, not plausability. 87.194.117.80 (talk) 20:39, 30 March 2009 (UTC)


 * If you read the actual report it mentions 'a Trojan known as gh0st RAT' and 'malware infected email attachment' and 'EXP/Word.Dropper.Gen, Troj/MalDoc-Fam, Exploit.Word.Dropper.Gen' .. 'After infecting the target, the Trojan packed in the Word document performed a DNS look-up'


 * Otherwise please produce some verifiable third party evidence as to what other OS this malware runs on. All we have is a 'report' full of vague phraseology from some self styled 'Information Warfare Monitor'

Audio and video
this sounds very sensationalist: "The network possesses "Big Brother-style" capabilities, allowing it to turn on the camera and audio-recording functions of infected computers for in-room monitoring." If you infiltrate a computer, you can do anything you want with it, don't you? Open CD-Drive, print, and, yet yes, switch on cam and mike. To stress this fact for GhostNet sounds very much like disinformation to me. Jasy jatere (talk) 10:47, 29 March 2009 (UTC)


 * Well maybe the phrase "Big Brother" is sensationalist, but the fact that the PC can be used for covert audiovisual surveillance is important to note. —Preceding unsigned comment added by 86.42.185.96 (talk) 13:29, 29 March 2009 (UTC)


 * this is surely an interesting feature, which was first widely noted in the coverage of GhostNet. But in my view, this seems to be a change in reporting, not a fundamental difference between GhostNet and other mal/spyware. Jasy jatere (talk) 17:41, 29 March 2009 (UTC)


 * Jasy, you are correct, but I believe that no existing malware networks have implemented such functionality. For zombie networks being used for spam generation and the like, bugging the room the PC is in is irreleveant.  For an infiltration network being used to gather intelligence, bugging the room the PC is in is extraordinarily valuable.  As such, the fact this functionality is present provides information about the nature and use of the network.  Toby Douglass (talk) 22:16, 29 March 2009 (UTC)

US computers
presumably no evidence of infiltration was found for any countries not on the list of 103, why is the US mentioned? Nickmuddle (talk) 11:48, 29 March 2009 (UTC)
 * Probably because most readers are American and they'll need that bit of extra reassurance... -- can  dle &bull; wicke  13:21, 29 March 2009 (UTC)
 * Because it was taken from the New York Times article, verbatim. Also, many readers will probably be interested in knowing if American computers were affected, given the gravity of Sino-American relations. It's not a US-centric Wiki Cabal, jeez. ZeaLitY [ DREAM  -  REFLECT  ]  13:52, 29 March 2009 (UTC)
 * If it's taken verbatim from the NYT article then likely it's a copyvio. Incidentally, the version Nick was referring to was this where it was taken from Reuters Nil Einne (talk) 14:00, 29 March 2009 (UTC)
 * No evidence was found that U.S. or U.K. government offices were infiltrated ==>> Proof of USA and UK spying operation! M Haoran (talk) 14:47, 29 March 2009 (UTC)
 * M Haoran - you are a brand new user and your only contributions to the Wiki have been to this article and its discussion where in the space of about ten minutes you attempted, mainly by large deletions, to place a purely pro-Chinese view onto this article. Personally speaking, I cannot help but wonder if you are employed by whoever is responsible for Ghostnet. Toby Douglass (talk) 22:08, 29 March 2009 (UTC)
 * Firstly please WP:AGF. If M Haoran's actions are bad, explain to him why, there's no need to make accusations of sinister motives without any evidence of that. Especially, don't prescribe silly motives without evidence. There are a lot of people with pro-Chinese views on the internet, just as there are many with pro-Tibetian, pro American et al. To presume that every person who is pro Chinese works for the Chinese intelligence, is as dumb as presuming everyone who is pro-Tibetian works for the Dalai Lama or everyone who is pro-American works for the CIA. Many people with biased POVs of all types join wikipedia and start off poorly, some of them can be convinced to act properly, some of them still can't set aside their POVs and therefore fail to obey WP:NPOV etc and may eventually be banned. Some of them just never come back. We have no way of knowing which one M Haoran is going to be, but we should still respect him/her and WP:AGF that he/she is hear to improve wikipedia until he/she proves they're not worthy of respect Nil Einne (talk) 00:15, 30 March 2009 (UTC)
 * I have to agree with Nil Einne, the chances that M Haoran is employed by the people responsible for Ghostnet is infinitesimal. Let's try and and keep this from becoming the trainwreck of a talk page that is on the Beijing olympics. ƒingers on  Roids  01:18, 30 March 2009 (UTC)
 * I accept your points, both of you, about not jumping to conclusions. However, FingersOnRoids, on what basis do you assert that the chances of Haoran (or other accounts here) working directly or indirectly with or for or alongside Ghostnet are infinitesimal?  Toby Douglass (talk) 06:17, 30 March 2009 (UTC)
 * If M Haoran is somehow affiliated to the said "GhostNet", it only proves the fact that the "GhostNet" consists of a bunch of childish pranksters.Isnaciz (talk) 07:35, 30 March 2009 (UTC)

'''Wikipedia is not a forum. If you want to chat about conspiracy theories and secret agents, please do so on your individual talk pages (or on another site). Thank you. APK  thinks he's ready for his closeup'''  09:36, 30 March 2009 (UTC)

Connection with conficker possible?
Is it possible that this ghostnet is responsible for the conficker virus? 75.166.97.83 (talk) 17:37, 29 March 2009 (UTC)


 * Anything is possible but you must be very careful with how you consider such questions. The human mind has a specific bias towards associating events of similar magnitude, regardless of the evidence or lack of evidence for a connection.  The very fact two events are of a similar magnitude causes us to assume correlation.  Toby Douglass (talk) 22:10, 29 March 2009 (UTC)


 * No, it is not very likely. There are so many malware programmers. Conficker didn't really try to hide itself - I mean as it would be needed for surveillance (of course it tried to hide from Anti-virus software). The goals or at least the targets are also completely different. Conficker tries to infect as many systems as possible (which makes detection more likely) and therefore is suitable for spam, ddos, etc. GhostNet infects fewer, chosen systems and its goal is to steal data - we are not talking about things like website accounts or credit card numbers. --85.127.117.205 (talk) 16:57, 30 March 2009 (UTC)


 * while ghostnet may not relate to the conficker virus, the two share some similarities. conficker has also compromised "high value" targets like the military. i think it is appropriate to add a "see also". at the very least ghostnet is a botnet, so we can link it to the botnet article to demonstrate the underlying priciples of how it work. —Preceding unsigned comment added by 72.38.114.186 (talk) 17:22, 8 April 2009 (UTC)


 * The two share almost no similarities. GhostNet is by comparison of code and features a much more simplistic bit of software, and the main note of it is how it was used; targeted infection of government and private computers in a distinct pattern.  Conficker simply infects in the simplest of ways: everything that it can.  Government computers have been infected as a result of poor data security (USB drives, open networks, etc etc) but there is no evidence that these computers are any more deliberately targeted than the next.  So no, there is no visible connection between the two. --Human.v2.0 (talk) 21:40, 8 April 2009 (UTC)

How can you say the government is not involved?
How can you say the Chinese government is not involved when it was the Chinese government that acted on the stolen information, in the case of the Dalai Lama's emails??? Haiduc (talk) 17:40, 29 March 2009 (UTC)


 * The Wiki community isn't stating the Chinese government is not involved. We're simply reiterating what the New York Times and The BBC are speculating, and quoting the Chinese response. It's more than possible that the Chinese government is behind this program; but it's far from definite; and untill that information is conclusive, it's best to represent all sides without assumptions. 92.13.134.192 (talk) 17:55, 29 March 2009 (UTC)


 * The article reports merely what is written elsewhere. We do not offer opinions.  Personally speaking, I concur.  Unless they were perhaps selling that information to the Chinese Government, I can see no reason why a non-Government infiltration network would spend any time working on computers run by the Tibetien Government-in-exile.  Toby Douglass (talk) 22:12, 29 March 2009 (UTC)


 * Just want to point out that within Mainland China, given the amount of public outrage against 2008 Tibet protests, it is entirely plausiable that a private group of Chinese nationalistic zealots could've done this. Jim101 (talk) 04:32, 30 March 2009 (UTC)


 * If you read the report provided in the external links, the Cambridge group do believe the Chinese government is to blame. I think there is ample evidence to suggest the Chinese government is responsible: the fact that it occurred in their country, the fact that they used the information to their advantage, and the fact that they have a sincere motive to profit from it – the monitoring of pro-Tibetan autonomy movements.Laneb2005 (talk) 18:22, 29 March 2009 (UTC)


 * Indeed, it points to the likelihood; added with the fact that the majority of targeted systems are the property of Asian states, that China has direct or indirect interest in. However, since no conclusive evidence could be drawn by the teams investigating the breach, and the Chinese government have denied the operation; other eastern governments, civilians, corporations, or even foreign intelligence services trying to embarrass China; shouldn't be ruled out, for now. Nigholith (talk) 18:43, 29 March 2009 (UTC) (DY:92.13.134.192)


 * Seconded. We do not know the truth.  To assume it is an error.  Toby Douglass (talk) 22:13, 29 March 2009 (UTC)


 * Thirded. If you read the paper, the 'attack' itself is quite primitive (read: scriptkiddies could have done it). There is no attempt to hide that servers in china made connections and downloaded files. There is then later use of some proxies that the authors say is 'unexplained' (ie. it could have been anyone from anywhere).--Dacium (talk) 01:09, 30 March 2009 (UTC)


 * As Jim101 pointed out, there are many Chinese zealots who could probably have done this. Indeed I believe there have been past incidents of such Chinese zealots hacking in the name of patriotism. Another possibility is that a third government carried out the operation in an attempt to implicate China and turn world opinion against her. This is not at all unlikely - the CIA, for example, has carried out similar operations many times in history. 202.40.139.168 (talk) 06:23, 30 March 2009 (UTC)

Ohconfucius (talk) 06:31, 30 March 2009 (UTC)


 * One reason that I find this isn't likely to have a third party/government did this to implicate China is the lack of Japan as a target of hacking attempt. There is no reason to not target Japan especially if it's a politically motivated action against China. This is also another reason that I don't believe this is a work of zealots. They "always" target Japan whether there is a reason or not. That's like an Islamic clergy specifically excluding US when criticizing about "lack of moral standards in Western countries".--Revth (talk) 09:46, 30 March 2009 (UTC)


 * Excellent point. Also note that US/UK were not infiltrated.  However, this is now find interesting in another way - whether I was the Chinese Government or not, if I were running GhostNet, I would want to infiltrate all these countries.  They are all high value targets.  It is curious therefore that such infiltration has not been uncovered.  Either it was not found, or it was not done.  Perhaps the people running GhostNet started on targets assumed to be more vulnerable?  Toby Douglass (talk) 09:59, 30 March 2009 (UTC)


 * Incorrect data. The US, UK and Japan were infiltrated.  Just not very much in the UK and Japan.  Lots in Taiwan.   Toby Douglass (talk) 11:41, 30 March 2009 (UTC)


 * Lacking Japan in its attack target doesn't mean it is not the work of private Chinese hackers. When NATO bombed Chinese embassy in Belgrade, Chinese hackers formed the Honker Union and attacked US government sites in return, without touching Japanese sites. And given Chinese outrage to the whole Tibet thing, it shouldn't be a suprise that a similar hacker group could've formed and targeted Tibetan-in-exiles specificly without paying much attention to Japan either. Jim101 (talk) 17:55, 30 March 2009 (UTC)
 * The Toronto report is clear on its reasoning in factoring in this possibility; see the foreword, p. 9, p.12 and elsewhere. 86.44.33.122 (talk) 18:42, 30 March 2009 (UTC)

A more reasonable question...
Do we have any sources that address the origin of the name "GhostNet"? Nyttend (talk) 21:42, 29 March 2009 (UTC)
 * Per the NYT, it's simply what the Canadian researchers decided to call what they detected. 86.44.33.122 (talk) 22:00, 29 March 2009 (UTC)


 * And the NYT article got the name from the title of the University of Toronto paper. Nigholith (talk) 22:19, 29 March 2009 (UTC)


 * Ah, actually they named it for a common Remote Administration Trojan called Gh0st RAT that was used in this. 86.44.33.122 (talk) 18:40, 30 March 2009 (UTC)

Spanish version
Can someone move the Spanish version (Ghostnet) of this article to "GhostNet" instead of "Ghostnet"? I noticed the interlanguage link was added, but it goes to an empty page. I've never edited es:wiki, so I can't move it. Gracias. APK  thinks he's ready for his closeup  01:31, 30 March 2009 (UTC)


 * Thanks Jondel. APK  thinks he's ready for his closeup  02:28, 30 March 2009 (UTC)

Chinese government
Without support of Chinese government, Chinese spynet wouldn't have became like this GhostNet, the article should mention about Chinese government involvement and why they are doing this.--Korsentry 03:15, 30 March 2009 (UTC) —Preceding unsigned comment added by KoreanSentry (talk • contribs)
 * Without support of Chinese government, Chinese spynet wouldn't have became like this GhostNet - Logical assumption, but no creditable source I find confirms this statement. It's one thing to say Chinese government knows the existance of GhostNet. It is a completely different level to say that they own and operate it. Where is the source of your claim that Chinese government owns and operates GhostNet besides the signs that Chinese Cyber-police let it slip under their nose?


 * Currently, there are three parties the could've create GhostNet: Chinese government, private hackers/criminals, and thrid countries. If you want to explain in the article on who created the GhostNet and why, you should include the other two parties besides the Chinese government to maintain NPOV, unless there are conclusive evidences that Chinese government indeed created GhostNet. Jim101 (talk) 04:02, 30 March 2009 (UTC)


 * Jim, those three parties covers everyone on the planet. Toby Douglass (talk) 06:21, 30 March 2009 (UTC)


 * That is my point. To be honest, the more I read into the GhostNet, the more it doesn't make sense. If it is the work of the Chinese Intellegence, a lot of vital target is not probed (why attack NATO when US Pacific Command is more important?). If it is the work of private zealots, then it shouldn't be this big, with no knowledge of the government and based purely in China. It is pretty much given that the Chinese government knows more about GhostNet than they tell us, given their powerful cyber-police force. But given the utter confusion of this entire matter, with anti-Tibetan indenpences/anti-US sentiment running all time high in China, plus the Chinese is just as good at hiding incompetence as hiding secrets, I urge caution on the matter unless we want this article to degrade into an edit war. Jim101 (talk) 14:44, 30 March 2009 (UTC)


 * This is beyond the scope of this article, but to be honest, this news of the existence of the so-called GhostNet leaves me with more questions than answers.
 * I believe completely that anything that Chinese hackers are capable of, their American, Russian, and Western European counterparts can do just as well, or even better. Does that mean hackers or governments in these other countries are also cyber spying on foreign governments?
 * Who funded this research to discover GhostNet?
 * How the heck did they conduct the research on secure government networks to discover that they've been spied on? These foreign embassies would either have to grant access to the research group (highly unlikely) or well, the research group was, itself, spying on these networks.
 * Hong Qi Gong (Talk - Contribs) 15:42, 30 March 2009 (UTC)

Speaking of conspiracy theories - the report could also be an attempt to frame the Chinese government of cyber spying. Credible source? No I don't have any... Hong Qi Gong (Talk - Contribs) 11:25, 30 March 2009 (UTC)


 * That is kinda the point. There are no suggestions that the CIA, Mossad, MI5 or whatever were behind it; there ARE suggestions from verifiable sources that the Chinese govt were (even if they turn out to be wrong). So we can report that, but we can't do WP:OR. SimonTrew (talk) 15:55, 30 March 2009 (UTC)


 * I agree. As long as we can seperate suggestions from facts on the matter, it is worth pointing out that Chinese knows more about GhostNet than they tell us. Jim101 (talk) 16:23, 30 March 2009 (UTC)

Beside it is illogical to assume that the CIA, Mossad or MI5 were behind it because it would be ten times harder to set up and conduct such operations in China than in their own countries. Further if they wanted to use another country as a smokescreen, there are far better choices than China with its crazy bandwidth restrictions and monitoring. Skeletor 0 (talk) 16:06, 30 March 2009 (UTC)
 * So essentially, this research group tells you that these attacks exist, and they are coming from China, and you believe it all on face value. Correct?  Hong Qi Gong (Talk - Contribs) 17:05, 30 March 2009 (UTC)


 * No, we *report* it on face value, from internationally verifiable sources. SimonTrew (talk) 18:55, 30 March 2009 (UTC)

Is there a way to remove "GhostNet?"
Is there a way to remove "GhostNet?" —Preceding unsigned comment added by 96.244.221.220 (talk) 04:45, 30 March 2009 (UTC)

That's funny, I just changed my IP address from the one the guy above has and yet when I looked up where he is, he's on the other side of the world from me. Ahh Windows thou art mysterious Skeletor 0 (talk) 16:42, 30 March 2009 (UTC)


 * reinstall Windows or buy a new computer —Preceding unsigned comment added by 115.75.27.131 (talk) 05:13, 30 March 2009 (UTC)


 * I imagine the anti-virus vendors will be updating their offerings soon enough. As it is, I'd just boot from a CD, figured out which files are involved and delete them.  Toby Douglass (talk) 06:22, 30 March 2009 (UTC)


 * If you read the Toronto report (linked on this page and in the article), you'll see that about a third of 30 or so widely available (and in some cases free) antivirus programs detect the trojan used here. The actual technological aspects of this are relatively unsophisticated. What is striking about it is what is called the "social engineering" aspect: targeting emails of those working in solidarity with tibetans-in-exile, procuring their emails from msg boards and websites, gaining control of those email accounts by having their owners open an attachment from an untrusted sender, or by simply brute-force cracking weak email passwords, and then using those accounts as trusted senders to spread the trojan via context-relevant attachments (like a genuine .doc file of some up-coming event, or translations of relevant literature, or what have you), each new account gained via this method becoming a potential new trusted sender to spread it further. All of which is well within the ability of teens all over the world, but quite sensibly they are more interested in porn and social networking sites and so on.


 * By the way, as the Cambridge report points out, what you don't do if you are running an operation like this is act on info gained in such a way that makes obvious that such an operation exists. That's n00b. It's what the Chinese authorities did in the one case cited as circumstantial evidence of their involvement; on the contrary, to me it smacks of their acting on info passed to them from a third party. 86.44.33.122 (talk) 17:33, 30 March 2009 (UTC)


 * Your point about acting in an obvious fashion is valid, but I don't think you can conclude it suggests the Chinese were acting on received information; because it is still true that acting obviously on that information acts to give the game away. You still don't do it.  Toby Douglass (talk) 08:25, 31 March 2009 (UTC)

Which OS
Was it Windows, MacOS or Linux? —Preceding unsigned comment added by 80.135.197.245 (talk) 09:44, 30 March 2009 (UTC)


 * Windows. Toby Douglass (talk) 11:39, 30 March 2009 (UTC)


 * Is it worth specifying what versions of Windows etc? I don't think maybe this necessarily belongs in a "current affairs" article... SimonTrew (talk) 15:12, 30 March 2009 (UTC)


 * It is a non-point. If there comes a time when it is released that this only effected "X OS" or didn't effect "Y OS" then that is another deal, but right now it is not relevant. --Human.v2.0 (talk) 00:40, 31 March 2009 (UTC)


 * I agree. I just thought it was worth making the point visible, since it is bound to be asked. SimonTrew (talk) 01:42, 31 March 2009 (UTC)

The report mentions Microsoft Word as an attack vector:


 * 1) p 18: “. . . with an attached infected Word document . . .”
 * 2) p 21, caption: “Attached to the message was a Microsoft Word document . . . that exploits a vulnerability in Word to install malware on the target's computer system.”
 * 3) p 22: “After infecting the target, the Trojan packed in the Word document performed a DNS look-up to find its control server and then connected to that server”

Cute how in no. 2 they refer to the Word document itself as if it were malware. Protect yourself: don't use Word to open Word documents! —Michael Z. 2009-04-02 00:27 z 

Discovery clarification
I think we should clarify that it was not members of University of Toronto's Munk Centre for International Studies and the University of Cambridge's Computer Laboratory, but the Information Warfare Monitor (IWM) that discovered GhostNet. IWM is a joint project between Toronto's Munk Centre for International Studies and an Ottawa-based think-tank called the SecDev Group. (SecDev provided the funding for the research by the way, Hong Qi Gong, and yes they were spying on the Chinese networks or else they would not have found GhostNet.)Skeletor 0 (talk) 16:21, 30 March 2009 (UTC)


 * Clarify the discovery if you want, but saying X spy Y to find proof that Y spy X is off-topic. States spy on States, big deal. That is what citizens pay them to do. Heck, even Vatican has its own spy agency. Jim101 (talk) —Preceding undated comment added 16:29, 30 March 2009 (UTC).


 * I don't doubt it. But all I saying is that we should probably give credit to the right source.  I don't care what this proves I just want wiki to be accurate.  Skeletor 0 (talk) 16:33, 30 March 2009 (UTC)


 * It was the researchers based at the Munk Centre that discovered GhostNet. IWM is just one of the *publications* where those researchers published the findings. The Cambridge duo collaborated with the Toronto team on the part of the investigation that dealt with Tibet. The NYTimes article is very clear about this (there's no mention of SecDev anywhere). Credit should go to the lead researchers at Munk Centre (where the project is based), and jointly between Toronto and Cambridge on the Tibet portion of the investigation. —Preceding unsigned comment added by 209.195.107.176 (talk) 23:54, 30 March 2009 (UTC)


 * The research was done by the information warfare Monitor, which is a joint project of the Citizen Lab and SecDev.  the field research in India was carried out by Secdev,  and the methodology of the information worker monitor, which blends  local level research, with large-scale data analysis, is what was responsible for the discovery of Ghostnet.  The media focuses on human interest stories, and rightly Nart Villeneuve's  role in that respect is quite significant, as he parsed through the data set and was able to discover the open interface onto the command and control server.  But the study as a whole, as well as the research, was a joint venture.  That is  clear from the forward, and acknowledgments in the report itself.  We should strive for accuracy here go to the original source --  which in this case is the report itself and not media accounts.Shirley-BK (talk)  —Preceding undated comment added 14:57, 31 March 2009 (UTC).


 * The Infowar Monitor is only where the findings were published, that doesn't mean it's where the research was conducted. The Munk Centre conducted the research. The New York Times states that very clearly. If I publish something in Newsweek or whatever it doesn't mean Newsweek did the research. And there's zero mention of this SecDev thing anywhere in NYT or BBC, both strongly reliable sources whose reporting is widely fact-checked. Maybe someone from SecDev also worked in a Munk Centre assignment, as is common with any large-scale research, but the research is still clearly based at Munk Centre as reported. That doesn't make it a "joint-venture". —Preceding unsigned comment added by 209.50.91.70 (talk) 15:18, 31 March 2009 (UTC)


 * It just seems suspicious that someone is obsessed with this "SecDev" group, which doesn't even have a Wikipedia article, and trying to give it way too much weight. If SecDev's contribution is significant enough that it qualifies as a "joint venture" equal to the Munk Centre, I don't see any way a respected source like NYT or BBC wouldn't even mention it once. More likely it was one of many other contributors to the work at the university. —Preceding unsigned comment added by 209.50.91.70 (talk) 15:30, 31 March 2009 (UTC)


 * Secdev is mentioned by the BBC  a co-author., and the  Times of London  Also,  please read the forward to the actual study,  in the acknowledgments.  Also take a look at the cover.Shirley-BK (talk)  —Preceding undated comment added 15:57, 31 March 2009 (UTC).


 * Can we clarify also where the embassies were? Were they in the RoC? SimonTrew (talk) 03:22, 31 March 2009 (UTC)

Looks like Cambridge's part in this was supported by the US Department of Homeland Security. Check page two of this file -. Hong Qi Gong (Talk - Contribs) 13:31, 31 March 2009 (UTC)


 * Looks like someone is trying to mislead. One author according to page 11 was supported by the I3P consortium, which has 27 members of which the DHS is only one. 76.116.246.104 (talk) 20:03, 2 April 2009 (UTC)


 * Very interesting. The source I linked to originally had stated that the research was supported by DHS.  But it doesn't say that just now when I accessed it.  Google's HTML render of the PDF file, however, still mentions the DHS.  Take a look:    Hong Qi Gong (Talk - Contribs) 20:52, 2 April 2009 (UTC)


 * I smell something funny here...how come the later verison of the report removed the preface?
 * To HongQiGong: Save a copy of the earlier report and make few inquires, something's up. Jim101 (talk) 21:01, 2 April 2009 (UTC)


 * Never mind, Google just blank out page 2 as well, to late for anything. Jim101 (talk) 21:08, 2 April 2009 (UTC)


 * This is the missing text I manage to grab off the original report before it was updated. Missing text highlighted:


 * Page 2 text: "This material is based in part upon work supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the ofﬁcial policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986"


 * Compare this with the current page 2 on the report. Jim101 (talk) 21:31, 2 April 2009 (UTC)

Split the section "government involvement" between "government involvement" and "origin"
I propose this because the current "government involvement" section did not deal exclusively with how the Chinese government is involved, it also contained an examination on who could've created GhostNet besides the Chinese government.

I suggest keep the first paragraph under the header "government involvement", but put the second paragraph under a new section "Origin" Jim101 (talk) 04:52, 31 March 2009 (UTC)


 * Agree. I notice the NYC article does actually mention the CIA (as speculation from one of the chaps at Munk), so my previous comment that it has not been mentioned is not entirely correct. I could not find it in the other articles. SimonTrew (talk) 06:25, 31 March 2009 (UTC)

Inaccuracies
"and the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York City were compromised." -- Only the OHHDL in Dharamsala was compromised by GhostNet. There were infections at other OOT's (London and New York City) by different instances of malware.

"carried at the instigation of the Tibetan government in exile," -- It was the OHHDL (the representative in Geneva) that requested the security review.

"while a report from researchers at the University of Cambridge says they believe that the Chinese government is behind the intrusions." -- The Cambridge report is not about GhostNet per se but is specific to Tibetan-related targets (and focuses largely on separate (non-GhostNet) attacks). The Cambridge report does not analyze GhostNet and therefore does not claim that the Chinese government is behind GhostNet but rather that the Chinese government is behind the non-GhostNet, Tibet-specific attacks they analyze.

"or created by intelligence agencies from other countries such as Russia or the United States." -- [Edit] It is in the NYT article, but not in the report itself.

"pointed out that besides the Chinese government, the Chinese hacker group Red Hacker Alliance could also be responsible for the creation of 'Ghost Rat'." This is incorrect. Greg Walton was pointing out that the Red Hacker Alliance may be behind the attacks he was analyzing in which GhostRAT was one of 8 trojans used. I don't think the authorship of GhostRAT is in dispute, it was created by C. Rufus Security Team (www.wolfexp.net) and is widely available.

"had managed to trace one of the GhostNet operators to" -- This was the CGI network (that Scott Henderson is now calling "CasperNet"), not the GhostNet.

"Despite the lack of evidence to pinpoint Chinese government in the operation of 'GhostNet', researchers have found actions taken by Chinese government officials that corresponded with the information obtained via the 'GhostNet'. One such incident involved a diplomat who was pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his representatives.[12] Another incident was about a Tibetan woman who was interrogated by Chinese intelligence officers and was shown transcripts of her online conversations.[" -- This is very misleading. The diplomat story is rightly sourced to the Cambridge paper but is not in the GhostNet paper, the interrogation story is an anecdote in the GhostNet report and is about the NGO Drewla at which an infection was found, but not a GhostNet infection, rather it was to the CGI/CapsperNet family of malware. In both cases there are a variety of other plausible explanations and in neither case is there any direct connection to GhostNet.

Note: It is better to rely on the original GhostNet report than random news media articles, as the latter often contain inaccuracies which are then duplicated in this Wikipedia article. —Preceding unsigned comment added by 217.41.41.172 (talk) 12:57, 21 April 2009 (UTC)

Name
The lead should clearly state who coined the name (mass media? researchers?). --Piotr Konieczny aka Prokonsul Piotrus 20:32, 28 April 2009 (UTC)

The name was coined by the researchers.

Inanities
The "no conclusive evidence" line that opens the piece is misleading. It would be better phrased as "There are strong indications that the Chinese government was involved in Ghostnet." Ghostnet is consistent with Chinese political concerns over Tibet, Chinese espionage practices, and Chinese internet surveillance policies. There are no other governments beside China who care about interfering with Tibetan activists and in tracking their contacts with other countries. A private group of hackers could not operate in China on issues related to Tibet, given the high degree of surveillance, without the cognizance and tacit permission of the Chinese government. There are linkages between Ghostnet and the actions of Chinese officials. It is inane to expect a service as skilled as China's to leave big messy footprints leading back to Beijing, and the absence of such 'footprints' is in no way conclusive proof that China is not involved. Reasonable evidentiary standards point to China as responsible and no other explanation is as plausible.Gaintes (talk) 17:01, 3 June 2009 (UTC)
 * "No conclusive evidence" is what the researchers said in their original reports about GhostNet. Misleading or not, it is fact.
 * The researchers also said in their report that statement like "There are strong indications that the Chinese government was involved in Ghostnet" should be used with caution unless conclusive evidence is found.
 * "A private group of hackers could not operate in China on issues related to Tibet" is dead wrong. I suggest you do some research on Chinese hacker underground before come up with a claim like this. Suffice to say, typical Chinese hackers operate as groups of freelancers.
 * Finally, the GhostNet is an extremely simple software, with its operator stupid enough to list the GhostNet server on Google. It just lack the professionalism of an intelligence gig.
 * Please do your research on the topic before jumping to conclusions.
 * Jim101 (talk) 17:50, 3 June 2009 (UTC)


 * It doesn't matter what is "reasonable" or "true" (in your opinion); that is not the way Wikipedia works at all. It's all about reliable sources. If it's not from a reliable source, it isn't supposed to be here. I would suggest a review of some of the Wikipedia policy documentation; Five Pillars to start with, then verifiability, reliable sources, and neutral point of view (NPOV). This is an area where there are likely a variety of opinions and the NPOV policy discusses how this is handled, see section undue weight, which begins "Neutrality requires that the article should fairly represent all significant viewpoints that have been published by a reliable source, and should do so in proportion to the prominence of each". Studerby (talk) 21:12, 3 June 2009 (UTC)

Firewall?
If China has this "Great Firewall", why don't they just block access so the trojan can't communicate with the controllers located in China? That argues that "they" are indeed behind it or at least are not enforcing their own laws against cypercrime. Why hasn't this point been brought up before? If it's discussed in quality citable sources, I hope someone adds to this article. Długosz (talk) 21:41, 22 January 2010 (UTC)
 * That's not how GFW works, and anyone in China can pay $1 per month to bypass it. Jim101 (talk) 22:01, 22 January 2010 (UTC)

Drelwa needs to be wikified or explained inline
"Drelwa uses QQ and other instant messengers" -- Dandv (talk) 10:29, 29 January 2010 (UTC)

External links modified
Hello fellow Wikipedians,

I have just added archive links to 1 one external link on GhostNet. Please take a moment to review my edit. If necessary, add after the link to keep me from modifying it. Alternatively, you can add to keep me off the page altogether. I made the following changes:
 * Added archive https://web.archive.org/20090331165041/http://www.thestar.com:80/article/610071 to http://www.thestar.com/article/610071

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

Cheers.—cyberbot II  Talk to my owner :Online 15:02, 27 January 2016 (UTC)

== External links modified

small changes
see my recent edits.

in previous version-- "monitors perform surveillance?" -- computer monitors or attackers?

"drop a Trojan horse on to the system"? -- that one computer system, or the entire network? how exactly does it the email attachment penetrate the larger network of a target org?

skakEL 12:36, 4 July 2020 (UTC)