Asian Lives Matter - the fire rises!

Channelling Tom Hardy here, but the dysfunction and civil rebellion that has started is not a million miles away from Bane and his merry crew...

It didn't take long for my previous post on an 84 year old blind Thai man being beaten to death for other incidents of young-black-on-elderly-Asian violence to happen. In fact, it's spreading:

• Mr Yahya Muslim of Oakland has been assaulting a series of elderly Asians in the city. He came to prominence after a security video caught someone with his description smashing a 91-year-old man to the ground from behind, on January 31
• Graffiti artists have tagged a Japanese immigrant memorial in San Jose's Japantown, making a clear statement about territory;
• and, unsurprisingly, Oakland's Asian community organizes patrols to combat the violence.

The single most telling sign for me is that Bay Area Big Tech companies are sending mails around about this phenomenon. I've had confirmation of three separate companies mailing their Asian employee clubs/groups about the attacks, expressing their shock and horror and offering emotional support. Mind you, they seem to be very careful not to talk about the perpetrators...

One claim I have seen recently, now that people are talking about it, is that it has been triggered by Donald J Trump talking about the "Kung Flu". Setting aside the miniscule likelihood that a 20 year old black thug in San Francisco has even listened to a Trump speech, let's remember Yik Oi Huang who was brutally beaten in SFO in January 2019, over a year before the pandemic - and suffered for a year before dying in early 2020. These are not Trump-driven anti-Chinese supremacists. These are callous racist thugs. Lay the blame for their behaviour at the feet of their parents - if they still care.

The most spectacular feet of mental agility I've seen, though, was from Los Angeles Times writer and Pulitzer Prize winner Viet T Nguyen:

Horrendous crimes against Asian Americans have happened recently, and it is right that Asian Americans have spoken out against them. But we can be against anti-Asian violence and not resort to knee-jerk calls for more policing, which is inextricable from the policing of Black

— Viet Thanh Nguyen (@viet_t_nguyen) February 12, 2021

and Brown communities. Asian Americans need to locate anti-Asian violence as part of a pattern of white supremacy [my emphasis] which also targets Black and Brown and Indigenous people. Even if perpetrators of violence are people of color, the solution is not to fallback on racist assumptions

— Viet Thanh Nguyen (@viet_t_nguyen) February 12, 2021

All I can say is that it must take a very expensive education to mess up one's brain that badly. Black people are beating up on the Asian elderly community, and your reflex - as a Vietnamese American - is to blame white supremacy?

I repeat my previous assertion. Unless these attacks are stopped - and it doesn't look like the police are able to stop them - the Asian community is going to turn to organizations which can make it happen. Asian shops are going to stop serving young black people, or make them feel so unwelcome that they leave, further increasing tensions. The almost-inevitable result is going to be a black 20-year old found lying in an alley in Chinatown with severe beating injuries, but it will turn out that no-one around saw anything. I thought we had got past this, but apparently history repeats.

Update: Feb 16th 2021 - a 30 year old was robbed of her expensive camera in Chinatown, Oakland. A liquor store owner saw what was happenening, ran out and fired his gun at the robber - and was promptly arrested and charged with felony assault with a firearm.

The [police] chief's message was that Oakland should come together as a community, but that people should not put one another in harm's way.

Sorry Chief, but there's a section of the black community which has already decided to put the Asian community in harm's way. And when you arrest a Chinese store owner for trying to stop a robbery - where the robber escapes - you send a very clear (unintentional) message to the Asian community about their ability to rely on the police to protect them.

NHS Track+Trace - what went wrong

By now, you've presumably seen how Public Health England screwed up spectacularly in their testing-to-identification pipeline, such that they dropped thousands of cases - because they hit an internal row limit in Excel.

Oops.

Still, how could anyone have predicted that Public Health England - who were founded in 2013 with responsibility for public health in England - could have screwed up so badly? Well, anyone with any experience of government IT in the past... 40 years, let's say. Or anyone who observed that the single most important job of a public health agency is to prepare for pandemics, which roll around every 10 years or so - remember SaRS 2003? H1N1? And that duty, as illustrated in their 2020 performance, is one that PHE could not have failed at any more badly if they'd put their best minds to it.

Simply, there's no incentive for them to be any good at what they do.

It's tempting to simply roll out the PHE leadership and have them hung from the nearest lamp post - or at least, claw back all they payments they received as a result of being associated with Public Health England. For reference, the latest page shows this list as:

• Duncan Selbie
• Prof Dr Julia Goodfellow
• Sir Derek Myers
• George Griffin
• Sian Griffiths
• Paul Cosford
• Yvonne Doyle
• Richard Gleave
• Donald Shepherd
• Rashmi Shukla

However, this misses the point; there's plenty more where they came from. Many of these people are actually smart, or at least cunning. None of them actively wanted tens of thousands of people in the UK to die, or the UK's coronavirus response to become an absolute laughing-stock. Yet, here we are.

When you set up a data processing pipeline like this, your working assumptions should be that:

1. The data you ingest is often crap in accuracy, completeness and even syntax;
2. At every stage of processing, you're going to lose some of it;
3. Your computations are probably incorrect in several infrequent but crucial circumstances; and
4. When you spit out your end result, the system you send it to will be frequently partially down, so drop or reject some or all of the (hopefully) valid data you're sending to it.

Given all these risks, one is tempted to give up managing data pipelines for a living and change to an easier mode of life such as a career civil servant in the Department for Education where nothing you do will have the slightest effect, yet you'll still get pay and pension. Still, there's a way forward for intrepid souls.

The insight you need is that you accept that your pipeline is going to be decrepit, leaky and contaminate your data. That's OK as long as you know when it's happening, and approximately how bad it is.

Let's look at the original problem. From the BBC article:

The issue was caused by the way the agency brought together logs produced by commercial firms paid to analyse swab tests of the public, to discover who has the virus. They filed their results in the form of text-based lists - known as CSV files - without issue.

We want to have a good estimate, for each agency, whether all the records have been received. Therefore we supplement the list of records with some of our own - which have characteristics which we expect to survive through processing. Assuming each record is a list of numerical values (say, number of virus particles per mL - IDK, I'm not a biologist) a simple way to do this is to make one or more fields in our artificial records have values that are 100x higher or lower than practically feasible. Then for a list of N records, you add one artifical record to the start, one at the end and one in the middle, so you ship N+3 records to central processing. For extra style, change the invalidity characteristic of each of these records - so e.g. you know that an excessively high viral load signals the start of a records list, and excessively low load signals the end.

The next stage:

PHE had set up an automatic process to pull this data together into Excel templates so that it could then be uploaded to a central system and made available to the NHS Test and Trace team, as well as other government computer dashboards.

First check: this is not a lot of data. Really, it isn't. Every record represents the test of a human, there's a very finite testing capacity (humans per day), and the amount of core data produced should easily fit in 1KB - 100 or more double-precision floating point numbers. It's not like they're uploading e.g. digital images of mammograms.

So the first step, if you're competent, is for Firm A to read-back the data from PHE:

• Firm A has records R1 ... R10. It computes a checksum for each record - a number which is a "summary" of the record, rather like feeding the record through a sausage machine and taking a picture of the sausage it produces.
• Firm A stores checksums C1, C2, ..., C10 corresponding to each record.
• Firm A sends records R1, R2, ..., R10 to PHE, tagged with origin 'Firm A' and date '2020-10-06'
• Firm A asks PHE to send it checksums of all records tagged 'Firm A', '2020-10-06'
• PHE reads its internal records, identifies 10 records, sends checksums D1, D2, ... D10
• Firm A checks that the number of checksums match, and each checksum is the same: if there's a discrepancy, it loudly flags this to a human.

This at least assures Firm A that its data has been received, is complete, and is safely stored.

If PHE wants to be really cunning then one time in 50 it will deliberately omit a checksum in its response, or change one bit of a checksum, and expect the firm to flag an error. If no error is raised, we know that Firm A isn't doing read-backs properly.

Now, PHE wants to aggregate its records. It has (say) 40 firms supplying data to it. So it does processing over all the records and for each record produces a result: one of "Y" (positive test), "N" (negative test), "E" (record invalid), "I" (record implausible). Because of our fake record injection, if 40 firms send 1000 records in total, we should expect zero "E" results, 120 "I" results, and the total of "Y" and "N" results should equal 880. If we calculate anything different, the system should complain loudly, and we send a human to figure out what went wrong.

The system isn't perfect - the aggregation function might accidentally skip 1 in 100 results, for instance, and through bad luck it might not skip an erroneous record. But it's still a good start.

I just pulled this process out of my posterior, and I guarantee it's more robust than what PHE had in place. So why are we paying the Test+Trace system £12 billion or more to implement a system that isn't even as good as a compsci grad would put in place in return for free home gigabit Ethernet, with an incentive scheme based around Xena tapes and Hot Pockets?

Nobody really cared if the system worked well. They just wanted to get it out of the door. No-one - at least, at the higher levels of project management - was going to be held accountable for even a failure such as this. "Lessons will be learned" platitudes will be trotted out, the company will find one or two individuals at the lower level and fire them for negligence, but any project manager not actually asleep on the job would have known this was coming. And they know it will happen again, and again, as long as the organisation implementing systems like this has no direct incentive for it to work. Indeed, the client (UK Government) probably didn't even define what "work" actually meant in terms of effective processing - and how they would measure it.

Active attack on an American website by China Unicom

I wondered what the next step in the ongoing war between Western content and Chinese censorship might be. Now we have our answer.

"Git" is a source code repository system which allows programmers around the world to collaborate on writing code: you can get a copy of a software project's source code onto your machine, play around with it to make changes, then send those changes back to Git for others to pick up. Github is a public website (for want of a more pedantic term) which provides a repository for all sorts of software and similar projects. The projects don't actually have to be source code: anything which looks like plain text would be fine. You could use Github to collaborate on writing a book, for instance, as long as you used mostly text for the chapters and not e.g. Microsoft Word's binary format that makes it hard for changes to be applied in sequence.

Two projects on Git are "greatfire" and "cn-nytimes" which are, respectively, a mirror for the Greatfire.org website focused on the Great Firewall of China, and a Chinese translation of the New York Times stories. These are, obviously, not something to which the Chinese government wants its citizenry to have unfettered access. However, Github has many other non-controversial software projects on it, and is actually very useful to many software developers in China. What to do?

Last week a massive Distributed Denial of Service (DDoS) attack hit Github:

The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content. [my italics]

Blocking Github at the Great Firewall - which is very easy to do - was presumably regarded as undesirable because of its impact on Chinese software businesses. So an attractive alternative was to present the Github team with a clear message that until they discontinued hosting these projects they would continue to be overwhelmed with traffic.

If this attack were just a regular DDoS by compromised PCs around the world it would be relatively trivial to stop: just block the Internet addresses (IPs) of the compromised PCs until traffic returns to normal levels. But this attack is much more clever. It intercepts legitimate requests from worldwide web browsers for a particular file hosted on China's Baidu search engine, and modifies the request to include code that commands repeated requests for pages from the two controversial projects on Github. There's a good analysis from NetreseC:

In short, this is how this Man-on-the-Side attack is carried out:
1. An innocent user is browsing the internet from outside China.
2. One website the user visits loads a JavaScript from a server in China, for example the Badiu Analytics script that often is used by web admins to track visitor statistics (much like Google Analytics).
3. The web browser's request for the Baidu JavaScript is detected by the Chinese passive infrastructure as it enters China.
4. A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious JavaScript that tells the user's browser to continuously reload two specific pages on GitHub.com.

The interesting question is: where is this fake response happening? We're fairly sure that it's not at Baidu themselves, for reasons you can read in the above links. Now Errata Security has done a nice bit of analysis that points the finger at the Great Firewall implementation in ISP China Unicom:

By looking at the IP addresses in the traceroute, we can conclusive prove that the man-in-the-middle device is located on the backbone of China Unicom, a major service provider in China.

That existing Great Firewall implementors have added this new attack functionality fits with Occam's Razor. It's technically possible for China Unicom infrastructure to have been compromised by patriotically-minded independent hackers in China, but given the alternative that China Unicom have been leant on by the Chinese government to make this change, I know what I'd bet my money on.

This is also a major shift in Great Firewall operations: this is the first major case I'm aware of that has them focused on inbound traffic from non-Chinese citizens.

Github look like they've effectively blocked the attack, after a mad few days of scrambling, and kudos to them. Now we have to decide what the appropriate response is. It seems that any non-encrypted query to a China-hosted website would be potential fair game for this kind of attack. Even encrypted (https) requests could be compromised, but that would be a huge red arrow showing that the company owning the original destination (Baidu in this case) had been compromised by the attacker: this would make it 90%+ probable that the attacker had State-level influence.

If this kind of attack persists, any USA- or Europe-focused marketing effort by Chinese-hosted companies is going to be thoroughly torpedoed by the reasonable expectation that web traffic is going to be hijacked for government purposes. I wonder whether the Chinese government has just cut off its economic nose to spite its political face.

Failing to listen to the sounds of Chinese silence

I was moved by an interesting yet flawed piece by John Naughton in the Grauniad, analysing the kinds of censorship applied by the Chinese government:

So they [researchers] clicked on the URLs associated with a sample of posts and found that some – but not all – had vanished: the pages had disappeared from cyberspace.
The question then was: what was it about the "disappeared" posts that had led to them being censored? And at that point the experiment became very interesting indeed. First of all, it confirmed what other researchers had found, namely that, contrary to neoliberal fantasy, speech on the Chinese internet is remarkably free, vibrant and raucous. But this unruly discourse is watched by a veritable army (maybe as many as 250,000-strong) of censors. And what they are looking for is only certain kinds of free speech, specifically, speech that has the potential for engendering collective action – mobilising folks to do something together in the offline world.

The study quoted is indeed interesting, and highlights one particular and significant aspect of Chinese censorship. Where Naughton fails, though, is in failing to note the unseen, and this is picked up by CiF commentator steviematt:

The Harvard research and Gary King's opinion are both flawed beyond belief.
It only factors the number of posts that were originally published and then disappeared over the course of weeks and months. It ignores the fact that most posts that are critical never have a chance of passing through the filters in the first place.

Indeed, Naughton fails to notice that many of the websites that the West takes for granted in being able to express their opinions are completely blocked in China. Within China, sites like Twitter and Facebook are essentially completely unavailable. YouTube: no chance. You can get to a limited set of Google sites (search and maps are on-and-off accessible in my experience), but it's very iffy. Blogger seems completely blocked. Bing search seems to work fine though. Why is that?

It's because if you are a western firm who wants to provide an Internet site within China, you have to partner with a Chinese company and accept the conditions of serving users within China - key in this is agreeing to provide identity information of your users (source IP addresses , times logged on etc.) at the "request" of the government. The case of Yahoo and the Chinese dissident Shi Tao is illuminating:

According to a letter Amnesty International received from Yahoo! (YHOO), and Yahoo!'s own later public admissions, Yahoo! China provided account-holder information, in compliance with a government request, that led to Shi Tao's sentencing.

Jerry Yang, then-CEO of Yahoo, got roasted by Congress for providing this information when this story came out. Truth be told, though, he really didn't have much choice - Yahoo had presumably agreed to these conditions when it started serving China-based users. If you don't want to play ball with those conditions, and it seems that Google, Twitter and Facebook don't, you're going to be serving outside China and prone to getting blocked by the Great Firewall.

So when Naughton comments "only some kinds of activities are blocked" it's actually in the context of "only some users are willing to discuss these kinds of activities on sites where they know the government has the right to waltz in and demand their details at any time" (before presumably visiting them at home and offering them an extended stay at a pleasant little camp out in the country, for a year or ten.)

Rumours suggest that Facebook might announce something aimed at Chinese users but it's not obvious how they're going to deal with the existing restrictions. Still, Zuckerberg's a smart guy and doesn't seem to be an obvious patsy for the Chinese regime, so it's possible he's got something clever up his sleeve. Stay tuned.

State-endorsed web browsers turn out to be bad news

Making the headlines in the tech world this week has been evidence of someone trying to man-in-the-middle Chinese iCloud users:

Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts. This may also somehow be related again to images and videos of the Hong Kong protests being shared on the mainland.

MITM attacks are not a new phenomenon in China but this one is widespread, and clearly needs substantial resources and access to be effective. As such, it would require at least government complicity to organise and implement.

Of course, modern browsers are designed to avoid exactly this problem. This is why the Western world devotes so much effort to implementing and preserving the integrity of the "certificate chain" in SSL - you know you're connecting to your bank because the certificate is signed by your bank, and the bank's signature is signed by a certificate authority, and your browser already knows what the certificate authority's signature looks like. But it seems that in China a lot of people use Qihoo 360 web browser. It claims to provide anti-virus and malware protection, but for the past 18 months questions have been asked about its SSL implementation:

If your browser is either 360 Safe Browser or Internet Explorer 6, which together make up for about half of all browsers used in China, all you need to do is to click continue once. You will see no subsequent warnings. 360's so-called "Safe Browser" even shows a green check suggesting that the website is safe, once you’ve approved the initial warning message.

I should note, for the sake of clarity, that both the 2013 and the current MITM reports come from greatfire.org, whose owners leave little doubt that they have concerns about the current regime in China. A proper assessment of Qihoo's 360 browser would require it to be downloaded on a sacrificial PC and used to check out websites with known problems in their SSL certificates (e.g. self-signed, out of date, being MITM'd). For extra points you'd download it from a Chinese IP. I don't have the time or spare machine to test this thoroughly, but if anyone does then I'd be interested in the results.

Anyway, if the browser compromise checks out then I'm really not surprised at this development. In fact I'm surprised it hasn't happened earlier, and wonder if there have been parallel efforts at compromising IE/Firefox/Opera/Chrome downloads in China: it would take substantial resources to modify a browser installer to download and apply a binary patch to the downloaded binary which allowed an additional fake certificate authority (e.g. the Chinese government could pretend to be Apple), and more resources to keep up to date with browser releases so that you could auto-build the patch shortly after each new browser version release, but it's at least conceivable. But if you have lots of users of a browser developed by a firm within China, compromising that browser and its users is almost as good and much, much easier.

New clamping down on information in China

Spotted this on a net security research blog yesterday: someone is trying to snoop on the web traffic of Chinese students and researchers:

All evidence indicates that a MITM [man-in-the-middle] attack is being conducted against traffic between China’s nationwide education and research network CERNET and www.google.com. It looks as if the MITM is carried out on a network belonging to AS23911, which is the outer part of CERNET that peers with all external networks. This network is located in China, so we can conclude that the MITM was being done within the country.

To decipher this, readers should note that CERNET is the Chinese network for education and research - universities and the like. The regular Great Firewall of China blocking is fairly crude and makes it practically difficult for researchers to get access to the information they need, so CERNET users have mostly free access to the Internet at large - I'm sure their universities block access to dodgy sites, but to be fair so do Western universities. What's happening is that someone is intercepting - not just snooping on - their requests to go to www.google.com and is trying to pretend to be Google.

The reason the intercept is failing is because Google - like Facebook, Yahoo, Twitter and other sites - redirects plain HTTP requests to its homepage to a HTTPS address, so most people bookmark those sites with an HTTPS address. Therefore the users were requesting https://www.google.com/ and the attackers had to fake Google's SSL certificate. Because of of the way SSL is designed, this is quite hard; they couldn't get a reputable Certificate Authority to sign their certificate saying "sure, this is Google" so they signed it themselves, much like a schoolchild signing a note purportedly from their parent but with their own name. Modern browsers (Chrome, Firefox, modern versions of IE) warn you when this is happening, which is how the users noticed. The Netresec team's analysis showed that the timings of the steps of the connection indicated strongly that the interceptor was somewhere within China.

The attack doesn't seem to be very sophisticated, but it does require reasonable resources and access to networking systems - you've got to reprogram routers in the path of the traffic to redirect the traffic going to Google to come to your own server instead, so you either need to own the routers to start with or compromise the routers of an organisation like a university. Generally, the further you get from the user you're intercepting, the greater your resources need to be. It would be interesting to know what fraction of traffic is being intercepted - the more users you're intercepting, the more computing resource you need to perform the attack because you've got to intercept the connection, log it, and then connect to Google/Twitter/Yahoo yourself to get the results the user is asking for.

The attempted intercepts were originally reported on the Greatfire.org blog which observes that there were several reports from around CERNET of this happening. Was this a trial run? If so it has rather blown up in the faces of the attackers; now the word will circulate about the eavesdropping and CERNET users will be more cautious when faced with odd connection errors.

If the attackers want to press on, I'd expect the next step to be more sophisticated. One approach would be SSL stripping where the interceptor tries to downgrade the connection - the user requests https://www.twitter.com/ but the attacker rewrites that request to be http://www.twitter.com/. The user's browser sees a response for http instead of https and continues with an unencrypted connection. Luckily, with Twitter this will not work well. If you run "curl -I https://www.twitter.com/" from a command line, you'll see this:

HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sat, 06 Sep 2014 17:23:21 UTC
location: https://twitter.com/
server: tsa_a
set-cookie: guest_id=XXXXXXXXXXXXXXXXX; Domain=.twitter.com; Path=/; Expires=Mon, 05-Sep-2016 17:23:21 UTC
strict-transport-security: max-age=631138519
x-connection-hash: aaaaaaaaaaaaaaaa

That "strict-transport-security" line tells the browser that future connections to this site for the next N seconds must use HTTPS, and the browser should not continue the connection if the site tries to use HTTP. This is HTTP Strict Transport Security (HSTS) and Twitter is one of the first big sites I've seen using it - Google and Facebook haven't adopted it yet, at least for their main sites.

Alternatively the interceptor may try to compromise a reputable certificate authority so it can forge SSL certificates that browsers will actually accept. This would be a really big investment, almost certainly requiring nation-state-level resources, and would probably not be done just to snoop on researchers - if you can do this, it's very valuable for all sorts of access. It also won't work for the major sites as browsers like Chrome and Firefox use certificate pinning - they know what the current version of those sites' SSL certs look like, and will complain loudly if they see something different.

The most effective approach, for what it's worth, is to put logging software on all the computers connected to CERNET, but that's probably logistically infeasible - it only works for targeting a small number of users.

So someone with significant resources in China is trying to find out what their researchers are searching for. Is the government getting nervous about what information is flowing into China via this route?

Microsoft angling to take on Internet searches in China?

An interesting tidbit reported in the Grauniad today; Microsoft seems to be serving PRC government-approved search results to Chinese language users in the USA:

A search on Bing in Chinese for Bo Xilai (薄熙来), the former high-flying Chinese government official now serving life imprisonment for corruption, shows equally different results. The top search result is again Baidu Baike. Wikipedia is the third entry. There are no western reports on the politician on the front page. In English the search is topped by Wikipedia, then by stories from the New York Times, BBC and Financial Times.

I should hasten to point out that it's possible (though not particularly likely) for this ordering of search results to arise from users, not Microsoft company decisions; one significant signal in search engine ranking is the choices of users when presented with a search results page. If 100 users searching for "dancing cats" are presented with the same top ten list of search results on Bing, Bing can gather good relevance data by seeing which of these search results users tend to click on first; better yet, if users click on result #1 and then shortly afterwards result #2, but don't tend to click on result #3, this may indicate that result #1 doesn't work for them but result #2 does, so maybe Bing should serve result #2 first for this search term.

Bing uses a lot of different data for its ranking such as user location, language and previous search behaviour; famously, for "long tail" search results it appears to use the choices of Internet Explorer users searching through Google as one signal. However, this particular case strongly suggests that something more is going on. Chinese users in the USA aren't particularly likely to follow the PRC government line on what results are "relevant"; if anything, I'd expect them to slant towards freedom of information since they tend to be richer than the average American and more likely to work in the tech sector. So if they aren't choosing PRC government approved sites for their search results, who is? The simplest answer is "Microsoft".

The motivation is suggested in the article's final paragraph:

Bing accounts for a small percentage of search in China but has been building up its web services in the country. Microsoft is in the middle of hiring 1,000 new employees to build up its services in China.

Search in China is dominated by the home-grown service Baidu ; Yahoo is big in Japan but not the PRC, especially after Jerry Yang's experience yielding user details to the Chinese government, and Google has repeatedly butted heads with PRC censors in the past after refusing to play the government's censorship game, such as highlighting to Chinese users search terms that might result in the Great Firewall dropping their connection. Bing is a pretty decent search engine with a big corpus of docs from the non-Chinese part of the world, and could probably (with a following wind) do much better than Baidu on Chinese search results if it can build up a good model of Chinese language searching; the Chinese-speaking population of America and Europe is probably a great place to test out result. Of course, if Bing wants to tune its algorithms here then it has to present Western users with the same kind of results that Chinese users would see - hence the apparent censorship.

I don't think any reader of my past blogs has much doubt where I stand on Chinese internet censorship, but I have to commend Microsoft for its commercial sense in taking this approach. If you don't care about whether you're doing the right thing for free speech, it's a perfectly reasonable path towards an income stream of yuan from the hundreds of millions of Chinese users. I do wonder though whether they've thought through how it's going to look in the USA when (not if) they are forced to knuckle under the PRC government's agenda.

Update: Microsoft responds who? not us guv'nor, totally a mistake:

"Bing does not apply China’s legal requirements to searches conducted outside of China," Bing senior director Stefan Weitz said in a statement provided to The Reg.
"Due to an error in our system, we triggered an incorrect results removal notification for some searches noted in the report but the results themselves are and were unaltered outside of China."

Oopsie. I'd be more prepared to give them the benefit of the doubt here if I didn't believe they'd sell their employees' organs to kept their Office monopoly going...

Caveat emptor

The Chinese are sternly warning the Americans not to default on their debt:

Mr Zhu said that China and the US are "inseparable". Beijing is a huge investor in US Treasury bonds.
"The executive branch of the US government has to take decisive and credible steps to avoid a default on its Treasury bonds," he said.

Google found me the major foreign holders of US debt as of July 2013:

1. China: $1.3 trillion
2. Japan: $1.2 trillion
3. Caribbean banking centers: $300 billion
4. Oil exporters: $260 billion
5. Brazil: $260 billion

I'm reminded of the maxim: "Borrow $1000 and the bank owns you; borrow $1 million and you own the bank." China's GDP is about $8 trillion, so US debt that it owns is about 12% of GDP. Japan's GDP is about $6 trillion so US debt that it owns is 20% of its GDP. Is China seriously concerned that the US might default on its debt? If Japan is similarly concerned, it seems to be keeping very quiet.

I expect that the problem arises from the Chinese banks relentlessly trying to get out of yuan before the Chinese economic bubble starts to pop. There are huge flows of money out of China to buy dollar-denominated assets; million-dollar houses all over Silicon Valley are being bought up for cash by Chinese buyers. As a data point, friends of mine who just put a $800K townhouse on the market in the South Bay were almost immediately given a cash offer by a Chinese couple wanting to buy a house for their daughter to live in when she goes to college in late 2014. If the US were to even threaten default, the dollar would drop significantly in value - in the past three months alone, the pound has risen from $1.50 to $1.60 due to the concern about the US political situation. If Chinese banks have leveraged investments in dollar-denominated assets, the shockwaves from even a technical US default could land them in very hot water.

Dancing around the Great Firewall of China

It seems a little unfair to give Apple heat over its China policies, given how much employment it creates in China, but apparently Apple have censored a Chinese firewall avoiding-app:

Chinese web users have criticised Apple after the company pulled an iPhone app which enabled users to bypass firewalls and access restricted internet sites. The developers of the free app, OpenDoor, reportedly wrote to Apple protesting against the move. [...] Apple asks iPhone app developers to ensure that their apps "comply with all legal requirements in any location where they are made available to users".

Aha. But the problem here is: China does not acknowledge the existence of the Great Firewall of China (GFW). In fact, any mention of it in a blog post or other social media is enough to get that posting censored. China certainly has strong legal requirements about being able to identify the real person behind an Internet identity on a China-hosted service and foreign firms having to "partner" with a local firm for Internet "compliance", and it freely blocks traffic going outside China (via the GFW) which could retrieve user-generated content relating to sensitive topics, but from a legal perspective the GFW itself cannot be the subject of a legal violation since the GFW does not officially exist because you can't talk about it (and the GFW will censor your traffic if you try to do this across the border). Is your head hurting yet?

This, by the way, is perfectly pragmatic behaviour from Apple. They like being able to do business in China, so it's not enough to satisfy the letter of the law - they want to keep the Chinese government happy. As such, dropping GFW-circumventing apps from the App Store makes perfect business sense. It is, however, particularly weasel-like for them to hide behind "legal requirements", or avoid the topic all together. If they want to play ball with the Chinese government for commercial reasons - and it's their fiduciary duty to improve their commercial prospects - why can't they just say so? (Yes, this is a rhetorical question.)

The OpenDoor app developers purport to be bemused:

"It is unclear to us how a simple browser app could include illegal contents, since it's the user's own choosing of what websites to view," the email says.
"Using the same definition, wouldn't all browser apps, including Apple's own Safari and Google's Chrome, include illegal contents?"

Yes they could, in theory. But browsers use well-known protocols: HTTP, which is clear text, and which the GFW can scan for illegal content like "T1ANANM3N []"; HTTPS, which is secure but can be blocked either based on destination IP or just universally. OpenDoor probably (I haven't looked) does something sneaky to make its traffic look like regular HTTP with innocuous content. The GFW could, with some work, drop OpenDoor traffic based on its characteristics and/or destinations, but they would always be playing catch-up. Instead, Apple "voluntarily" (we don't know if any Chinese government pressure was formally applied) drops it from the App Store in China. Everyone's happy! No-one gets any distressing news about human rights abuses in China, and gatherings of subversives are prevented.

Apple are bending over to help the Chinese government, and that's perfectly acceptable in a capitalist society - let's just be clear that it's voluntary, and in search of profits.

A free market in censorship

Readers of this blog will be aware of my feelings towards the current Chinese government and their attitude towards suppression of free speech. I do, however, have to give them credit; they have created quite the free market in online censorship tools:

King's dabble in Internet entrepreneurialism has shown that Chinese censorship relies more heavily than was known on automatic filtering that holds posts back for human review before they appear online. The researchers also uncovered evidence that China’s vast censorship system is underpinned by a surprisingly vibrant, capitalistic market where companies compete to offer better censorship technology and services.

If you're running an online business in China, especially if you intend to offer per-user accounts, you have no option but to co-operate with one of the approved businesses which will help you conform to the requirements of the Chinese government in censoring posts, providing information on user identity on demand etc. An object lesson in this came from ex-head of Yahoo!, Jerry Yang when he testified to Congress in 2007 regarding the arrest of journalist Shi Tao following Yahoo! turning over Tao's identity to Chinese officials:

In February, 2006, Yahoo's Callahan had testified that Yahoo did not know why Chinese officials wanted information on Tao. But several months later, a U.S. advocacy group for religious and political prisoners in China published translations of documents sent to Yahoo from Chinese officials stating that Tao was suspected of divulging state secrets. "What those documents say is that, at the very least, Yahoo's Beijing office knew what crimes were being investigated when they were approached by law enforcement in China," says Joshua Rosenzweig

You have to feel at least a little sorry for Yang, who was carried along on a wave on enthusiasm about investment in China without, presumably, being informed of what Yahoo! would be obliged to do for the Chinese government in return. Of course, poor Shi Tao is the one who really got it in the shorts.

But back to modern online business in China. If (heaven forbid) this censorship system was implemented in the UK I can imagine a new body, say the "Online Identity Check Executive", issuing reams of degrees about how censorship should be conducted, appropriate regulations, "best practice" advice and an "Approved Code of Practice" booklet issued annually and consuming several inches of shelf space. The instinct for bureaucrats is to control finer and finer details in order to increase the need for their organization. That makes it all the more remarkable that in China how you satisfy the government is really up to you, and there's an enthusiastic market in tools, systems and people to help you maximise your bang per yuan in your censorship systems:

Companies are free to run their censorship operations mostly as they wish, as long as they don’t allow the wrong kind of speech to flourish. That creates an incentive to find ways to censor more effectively so as to minimize the impact on profitability.

Interestingly, "the wrong kind of speech" seems to focus more on collective action than on isolated "the system sucks" speech. The Chinese government are clearly terrified of an organized rebellion, along the lines of 1989's Tiananmen Square action but more coherent and better planned. The article also notes the censorship rate: about 2 censors per 50,000 users seems to be the minimum for effective censorship assuming the use of reasonably effective tools to pre-screen posts for censor review.

So a certain grudging admiration for the Chinese government in making a blatantly capitalistic approach to maximising the effect of their censorship. Of course, the companies actually providing these tools are enabling the censorship in the first place, but even then they could argue that they are maximising the ability of Chinese citizens to engage online, censoring the minimum number of their posts - after all, manual censor review costs money, so the fewer posts selected for review the better.

Emergent evil detection

For machine learning aficionados, a surprising tale of how anti-fraud measures discovered a Chinese car fraud racket that no-one was looking for:

Had they trained AdWords into anti-car prejudice? Was the model simply broken?
The answer turned out to be even stranger. They were real cars, but they weren't really for sale. Scammers were taking pictures of cars on the street, and when a hapless customer showed up a few days later offering money, they'd steal the car and hand it over.
[...]
Baker and his team weren’t looking for cars or car thieves. But the algorithm saw a pattern of quick buys from new accounts, tied together with larger and more subtle patterns, and deduced something was up.

The patterns of fraud in the areas that the model was trained to look at (counterfeit goods and phishing) turned out to be very similar to fraud in other areas like car-theft-serving-innocuous-order. Scammers and thieves tend to operate very similar models in a wide range of marketplaces, and the machine learning model was able to generalise sufficiently to detect fraud in an area where no-one was really looking for it.

Buried in the main story, but to my mind equally significant, is the reason why frauds are so prevalent in China:

According to Li, the larger problem is the Chinese financial system, which requires every bank-to-bank transaction to be routed through the central government’s banking authority. As a result, anti-fraud measures are usually slower than criminals. Stopping a payment could take as long as three days, by which time the money is usually unrecoverable.

Turns out that centralisation of bank transactions really slows things down - heck, why is this surprising? The Chinese government has no real interest in speeding up its inspection of transactions; thus, scammers can rely (indeed, base their fraud model) on slow bank transactions. It's harder to do this in the West because banks have been competing to speed up transactions, giving the scammers a smaller window in which to conduct their frauds.

A lesson in political evolution from South Africa

Archbishop Desmond Tutu has penned a very thoughtful, balanced and personally honest article arguing that South African politics has a number of very real problems:

The ANC was very good at leading us in the struggle to be free from oppression. They were a good freedom-fighting unit. But it doesn't seem to me now that a freedom-fighting unit can ­easily make the transition to becoming a political party.
And, unfortunately, we do have a weakness in our Constitution. It was important for our transition that we had proportional representation, so people were voting not for a particular candidate but for a party. We still have that system. The party that wins decides who will be its representatives, so everybody wants to get on to the party list.
You do not want to jeopardise your chances by being what you ought to be as a Member of Parliament – someone who ensures that the executive is accountable to the legislature.

Note, Lib Dems, that he's rejecting PR in favour of something more like a first-past-the-post system. Definitely go read the whole thing. I have a lot of time for Desmond Tutu, and am encouraged that he's pushing South Africans to consider fixing some of the problems their society has.

I also find it interesting that he addresses directly the Chinese influence in Africa:

China has brought a lot of benefits to Africa, with the investments it has made and the building of infrastructure, but it has come at a cost. In South Africa, a lot of people in the textile industry have been thrown out of work because the country has been flooded with cheap Chinese goods. But what has been even more distressing for me is how our country has seemed to kowtow to Beijing.
A glaring example is what they did with the Dalai Lama, when the South African government dilly-dallied with his visa so that he couldn't come to my birthday.

I remember that occasion - Tutu and the Dalai Lama ended up on a video conference because the Chinese government pressured the South African government not to grant the Dalai Lama a visa. It was amusing to see how terrified the Chinese government must be of the Dalai Lama, and doubly so because a meeting of limited news interest became a major news event. Talk about an own goal...

I have been wondering just what effects the widespread Chinese economic and political investments in Africa are intended to bring. Access to mineral resources is obvious, but they seem to be taking an unhealthy interest in ensuring African governments bend to their whims. It seems unhealthy.

Self determination for all but the whites

Veteran clown Seumas Milne "argues" in the Guardian that the recent 1514 to 3 vote in favour of continued British rule of the Falkland islands is a North Korean-style ballot:

No doubt 1,514 island residents really did vote in favour of continued British rule. The only surprise was that three islanders dared to spoil the rousing choruses of Land of Hope and Glory by voting against.
It's that the poll was a foregone conclusion and designed to miss the entire point of Britain's dispute with Argentina over the islands – which began 180 years ago when one of Lord Palmerston's gunboats seized them and expelled the Argentine administration.

Astonishingly, Milne appears unaware of the fate of previous Guardian columnists (Flavia Dzodan, Sean Penn, ambassador Alicia Castro) putting forward their ideas on Argentina taking over the "Malvinas". He gets swiftly set straight in the comments:

The islands might be 8,000 miles from the UK (something that doesn't trouble other countries of the world with THEIR islands) but they are 400 from Argentina.
If distance is the issue, then it is still an issue with the Argentine claim. As would be the usual bollocks about "continental shelf."
There are numerous disputes - ones of a more serious nature - such as the islands disputed between the Japanese and Chinese, between North and South Korea, etc etc. I suggest that the Guardian gets stuck in there. Maybe send a journalist to stir up shit in China and Japan, North and South Korea.

It used to stagger me that a flagship journal for human rights and democracy, such as the Guardian styles itself, would support the military annexation of land and populations based on a flimsy-as-paper argument about a Huguenot, Luis Vernet, making a commercial settlement in 1828 under a joint Argentina-UK pact where Argentina refused to provide any warship to back his claim. Sadly, it appears that Seumas is happy to pursue any argument, no matter how absurd, as long as it is contrary to the policy of the UK government, even if that means backing the increasingly dictatorial and distasteful Argentine regime.

As the above commenter notes, there are plenty of more unsavory regimes casting their island claims far beyond their shores. That Seumas does not see fit to remark upon these makes one wonder what it is about the Falklands that he finds so exceptional.

Seumas is sadly not immune from the occasional inconsistency in his argument:

[...] most of whom weren't born there but are subsidised to the tune of £44,856 a head to keep them in the Rhodesian retro style to which they are accustomed?

I like the precision of that "44,856". The sly allusion to the racist imperialist rule in Rhodesia is also a nice touch. But what's this?

A generation on, the discovery of potentially large oil and gas deposits around the islands, development of fisheries and growing importance of the Antarctic sea lanes have changed the picture.

Well, Seumas, either the Falklanders are financial dependents, or they're not. Which is it?

Lasy word to commenter Chrispytl:

So Milne wishes to now simply ignore the wishes of virtually the whole of the residents of the Falkland Islands?
The man must really hate democracy.
He must love the EU though.

Seumas, I think you've met your match. Time for a piece on a less challenging topic.

Time to start announcing hack attacks

After the revelation a few days ago that Chinese crackers have been targeting the email accounts of New York Times journalists since October, it now seems that they were doing the same thing at the Washington Post in 2011:

Post company officials confirmed the broad outlines of the infiltration, which was discovered in 2011 and first reported by an independent cybersecurity blog on Friday. But they did not elaborate on the circumstances, the duration of the intrusion or its apparent origin.

These attacks are disturbing in what they appeared to be looking for. This was not commercially valuable information; the attackers were sifting through email looking for information and reports pertaining to Chinese politics and politicians, plus activism around China. These are not bored American teenagers looking around NASA computers for evidence of UFOs, nor even Russian groups aiming to grow and farm botnets for hard cash. These attacks are unmistakably directed to benefit the Chinese government and its security services:

China's cyber-espionage assists the government's broader efforts to quell internal dissent by identifying activists and dissidents and tracking them through their e-mail.

Make no mistake, these guys are at least being paid by the Chinese government, if not formally employed by them. Given the control exercised by the Great Firewall of China, they'll be able to see a concerted series of attacks against Western news agencies from inside China; if they're in the clear then the keyword monitoring will flag up the connections, and if they're SSH then normally they'd be shut down. If those attacks are being allowed through, it's because they're on a whitelist.

Famously, Google announced in 2011 that that China seemed to be conducting an organised campaign of information theft:

...we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings.

These guys have a lot of form for this kind of activity.

So now we know that this is going on, what are we going to do about it? Ah, that's the 64 million yuan ($10.2m) question:

"If every company reported when it was hacked and who it was hacked by, it would be harder [for China] to get away with it," said one industry official, speaking on condition of anonymity because he was not authorized by his company to speak on the record.

I'm not so sure that's the case, although I would certain applaud wider reporting of China-originating attacks. It used to be that companies refused to report successful cyber attacks in order to avoid embarrassment. Today, I would claim that there is no shame in being targeted by Chinese attacks; Google and Intel have publicly reported attacks, so that's illustrious company to be in. (I suspect Intel was more a case of commercial espionage, for the record). We should certainly get a better idea of where China is attacking and what they want. But how to stop it? Short of trade sanctions - and that's a Pandora's Box if ever I saw one - what can we do to make the Chinese government care enough to stop these attacks?

The only approach I can think of which might work is sufficient publicity to shame and embarrass the Chinese government. Shine the spotlight on China's human rights abuses and the infrastructure such as the Great Firewall of China and the Ministry of State Security which facilitates them. Google chairman Eric Schmidt has a new book that makes clear what a danger he sees in modern China:

The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States as a distinct disadvantage [...] the United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play.

Could it be time to start blocking Chinese telecoms firms from bidding on providing services or equipment to major US companies and the US government, on security grounds?

Caterpillars wise to avoid China

I enjoyed reading the entertaining tale of how Caterpillar bought into Chinese firm ERA Mining Machinery in June last year but has just discovered - oops! - that subsidiary Siwei is worth, in essence, nothing. They are taking a $580m write-off from a $653m total investment. That's got to sting. It seems that Siwei's actual inventory and presented accounts may not have been in complete agreement.

Of course, it's easy to be wise after the event. However the story from Caterpillar makes one wonder how hard it would have been to be wise before the event too:

A member of the Caterpillar board during the course of the Siwei deal told Reuters the board was distracted at the time by a larger transaction and paid relatively little attention to the Siwei acquisition.

I'm not making this up. So a $650m acquisition didn't warrant actual attention to the company being acquired. Wow. I wish I had that much money to burn on a whim. Caterpillar's 2012 Q3 results show a quarterly profit of $1.7bn on revenues of $16bn, so the write-off could be a little under 10% of annual profit - not company-ending, but surely nothing to sneeze at.

Whenever I see a major Western industrial nation blowing its trumpet about a big investment in China, I have to wonder when the other shoe is going to drop. Looks like it didn't take long in the case of Caterpillar.

Outsourcing strategies

I'm torn between horror and admiration at this story: the software developer who outsourced his job to China.

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

OMG. Words do not suffice.

On the one hand, this is useful information for his employer; instead of paying Bob $200K+ and providing physical office space for him, they could just pay the Chinese $50K and have them deliver their work electronically. On the other hand, can you imagine the attraction for the Chinese Ministry of State Security of having full access to the network of a major "U.S. critical infrastructure company"?

Had I been the boss of this company, I would have called Bob into my office and congratulated him on his entrepreneurial spirit. I would then have clubbed him over the head, fed his body to pigs, pulled the plug on my entire network, rebuilt it from the ground up with new hardware and software, and given the CIA, NSA and FBI full access to the original network to do with what they wanted. I would also have given my HR department and Bob's management chain 48 hours to respond to the accusation that they were completely ineffectual in assessing and supervising the performance of personnel, and fired anyone unable to produce a reasonable excuse.

This just goes to show that your security is only as good as your least trustworthy and most ingenious employee.

Chinese export forgery - cui bono?

It seems that the Chinese export figures may not be entirely congruent to reality:

UBS economists led by Hong Kong-based Wang Tao pointed to a "quite obvious discrepancy" in the growth of China's exports to Taiwan and South Korea and those economies' reported imports from China in recent months, even as historically they have tracked each other well.

But to what end? Why would China exaggerate its export figures? Whom are they trying to fool?

It appears that there is an active trade in fake-exporting goods in order to benefit internal economy participants:

Shenzhen Global offers customs clearing and other freight services including a "one-day tour," Lin Yongtai, a manager with the company in the city bordering Hong Kong, said in a telephone interview.
For a fee of 1,000 yuan ($161) per vehicle per day, the company will drive trucks into warehouses in bonded zones, where cargo must clear customs, so that businesses can obtain a refund of value-added tax on the "export" of their products or boost sale prices for goods that carry the cachet of being imported.

Note that this doesn't seem to be economic fraud perpetrated at the level of the State; rather, the skewed export figures appear to be at least partially generated by many small-scale fraudulent not-really-export activities. Businesses are paying intermediaries to gain an "export" credential for their goods, which in turn gives them some economic benefit in terms of tax relief or misleading origin of goods. This reminds me strongly of the UK VAT carousel fraud that was so profitable a few years ago.

What's worrying is the scale of this fraud, being able to move Chinese export figures sufficiently to make the figures obviously wrong. One has to wonder whether the Chinese government can actually exert any meaningful control over the economy they have encouraged; they can certainly arrest, try and jail/execute a few sacrifical goats, but if the government's stability is predicated on control of the economy then the only question is how long the government can keep all the plates spinning on their poles.

2012 predictions evaluated

Looking back at my predictions for 2012, how did I do?

Eurozone: Eurozone governments engage in a sequence of progressively more desperate kicking-the-can-down-the-road exercises. A replacement source of funding fails to appear. The tension between the Germans resisting inflation and the rest of the Eurozone demanding economic relief. The ECB is inexorably pushed towards turning on the printing presses. Greece, Ireland and Portugal turn on the screws demanding more help with the threat of default. French and German banks turn out to be shockingly undercapitalised, to the surprise of no-one who was paying any attention.

6/10: there's certainly been nothing in the way of solutions here, and Greece has been leading the screw-turning.

North Korea: Kim Jong Un has an attack of common sense that may or may not result from being hung from a lamp post by a length of rope. North Korea opens the shambles of its nuclear enrichment program to international inspection in exchange for desperately needed aid. The humanitarian crisis turns out to be even worse than expected, with deaths of tens of thousands from cold and famine before the West and South Korea can organise aid shipments. China is less than helpful.

1/10: talk about hopeless optimism. China, at least, has been less than helpful.

UK economy: Growth peters out to practically nothing, perhaps dipping in and out of negative territory. Huhne gets squeezed by popular pressure resulting from ever-rising energy bills as the Conservatives keep him in the firing line. More effort is finally made on new gas plants, probably some more test drills for shale gas, and the planning permission and local challenges for nuclear plant additions grind on. Inflation stays above the 2% target as groceries in general and goods from China in particular rise in price.

9/10: UK economy barely grown over 2 years, inflation stayed above 2%. Grumbling about energy bills but no action yet, Huhne is still around. We are dashing for gas and building new plant.

UK politics: Con-Lib coalition effectively falls apart on several issues (e.g. energy). Labour fails to capitalise on this. Grumbling in the Labour party about Miliband and some early manoeuvering by potential challengers.

5/10: Coalition having problems, but gay marriage appears to be one of the key issues. Not much grumbling about Miliband, perhaps they've forgotten he exists.

Olympics: Substantially poorer showing for the UK than 2008, except in sailing and cycling. Boris makes at least four major gaffes during the Games, making him the only real entertainment. Fewer visitors than expected results in a significant financial loss for the UK.

2/10: Glad to be proven wrong in most of this. We still ate a pretty solid financial loss though.

USA: SOPA passes albeit in a modified and mostly annoying rather than harmful form. Congress and the Senate continue to be bought and sold. Obama starts feeling the pressure from within the Democratic party but just edges the election against a Romney/Bachmann ticket.

6/10: SOPA died, unexpectedly but thankfully. Plenty of buying and selling in politics persisted. Obama had an easier ride than I expected, and Romney's running mate was Ryan rather than Bachman.

China: A slow-motion implosion, rising popular anger at financial losses mostly held in check by increasingly brutal actions from the PLA. China makes an increasing effort to diversify out of US Treasury holdings but is stymied by lack of a reasonable alternative given events in Europe.

4/10: financial problems are clearly bubbling under the lid, but the PLA and Party are keeping the lid on; their continuing actions to tighten Internet access show what they're really worried about. Looks like Africa is one of the areas China is trying to expand into.

Middle East: Iran continues to posture, Iraq's new government breaks apart and reforms a couple of times. Afghanistan is still a mess, Pakistan becomes an even more dangerous snake pit.

7/10: generally nailed, apart from Iraq government breakage. If anything, I understated the problems in Pakistan.

Climate: 2012 weather proves to be a combination of too hot, too cold, too windy, too wet and too dry. Much like 2011.

7/10: drought up to April, unseasonably warm March, then a deluge for the next 8 months.

Random: Britney's engagement doesn't last 2012. It may barely survive 2011.

3/10: Despite persistent rumours about a breakup it looks like Britney and Jason will end 2012 together. Whodathunk?

50/100 overall, slightly better than the UK Met Office. Wonder what 2013 will bring?

The value of protecting the supply chain

Malaria kills 600,000+ people in Africa each year, and has attracted attention from some very well-funded and determined organisations aiming to wipe out malaria. But where there's money, there's opportunity for fraud, and this area is no exception.

It seems that the modern effectiveness of anti-malaria medication such as artemisinin derivatives is somewhat undermined by large-scale imports of fake medication into Africa:

That even doctors are unable tell real malaria drugs from fake is testament to just how complex the situation has become in Tanzania and Uganda, which together accounted for 20m of the 94m malaria cases reported globally in 2010.
Estimates vary, but some recent studies suggest that as many as a third of malaria drugs in the two countries are fake or substandard, and most are believed to have originated in China.

Let's review what happens here. Someone operating a pharmaceutical factory in China spends time and effort duplicating packaging and form of existing medications, to the point where even doctors can't be sure which package is fake and which is real. They insert it into the supply chain, presumably mixing it with legitimate shipments to muddy the source, and a doctor in Tanzania or Uganda spends time and effort treating a malarial child with no effect for several weeks until they realise that the medication is no good.

There's no comeback to the counterfeiters, as far as I can see. Tracking down where the fake medications got inserted into the supply chain would be near-impossible; the poor state of documentation and widespread bribery in Africa means that you can't trust any documentation or verbal assurance. The only approach I can see is some form of tamper-proofed boxes from the manufacturers: say, a small electronic lock with a serial number that the doctor can SMS to the manufacturer, then the manufacturer can SMS back an unlock code - and the unlock is one-time. This will obviously cost money, both in development and manufacture but at least it reduces the 30%+ ineffective rate of medicine which is only going to go up. I can't see the Chinese government cracking down on these factories.

The claims are backed up by commentator Chinagirl88:

I live and work in China in the medical profession and despite as some people have pointed out, the lack of hard evidence, the suspicion that the fake drugs originate from China is unfortunately all too believable. Despite nearly every week bringing some story of "crackdowns" on gangs making counterfeit goods of every description (since I've lived in China there has been a crackdown on fake drugs nearly every few months) this seems to provide little deterrent to the people wanting to get rich quick no matter what the cost to other humans.

The next time someone tells you how disgusting capitalism is, remind them of this example of what state-backed cronyism combined with a poor legal infrastructure does to sick and poor people.

Is China more legitimate than the West?

A provocative title for sure, as Sinophile Martin Jacques argues that the Chinese government may enjoy greater legitimacy than Western governments:

Now let me shock you: the Chinese state enjoys greater legitimacy than any Western state. How come?
In China's case the source of the state's legitimacy lies entirely outside the history or experience of Western societies.

He argues that China is all about Chinese "civilisation", an entity outside any one particular government or leader, a multi-thousand year cultural epiphenomenon. A government holding together such a huge area and spread of cultures can only be achieved with strong central control and repeated pushback on any behaviour that may undermine that central control in any way.

Where Jacques' true colours come out is when he attempts to tackle the issue of Chinese censorship and oppression:

If the Chinese state enjoys such support, then why does it display such signs of paranoia? The controls on the press and the internet, the periodic arrest of dissidents, and the rest of it. Good point. Actually, all Chinese governments have displayed these same symptoms. Why?
Because the country is huge and governance is extremely difficult. They are always anxious, always fearing the unforeseen. Anticipating sources of instability has long been regarded as a fundamental attribute of good governance.

For "anticipating sources of instability", I assume he includes:

• the 1989 Tianamen Square massacre (or should that be "re-education"?)
• the deaths of millions from starvation and abuse during the "Great Leap Forward" ("economic restructuring"?)
• deaths, organ harvesting from and imprisonment of Falun Gong practitioners in China ("religious consolidation"?)
• extensive suppression of information and interaction on the Internet, coupled with denial that this ever takes place ("preserving the population's modesty"?)

and so on.

I was a little confused about why he would argue all this until I read Martin Jacques' biography:

He was editor of the [Communist Party of Great Britain]'s journal, Marxism Today from 1977 until its closure in 1991 [...] a visiting professor at Renmin University in Beijing [...]

Suddenly it all becomes clear why Jacques is an apologist for mass-murdering censoring oppressing control freaks - it's his profession! I particularly enjoyed a hagiography on Jacques on Graham Stevenson's "Communist Biogs":

Despite having clearly been at odds with the basic approach of the Communist Party for, at the very least, ten to fifteen years (some might wonder if it had been all along, and how that worked!) Jacques finally left the party in 1991, citing his horror at the level of financial subsidy provided to the British Communist Party by the [Communist Party of the Soviet Union].

Perhaps he thought they ought to have taken Chinese yuan rather than Russian roubles? I note that 1991 was when European Communism was effectively dead and buried, with German reunification in full swing. I guess he wanted to jump to a communist allegiance with more of a future. There's also an interesting note about think tank Demos:

He, and others with roots in what would become New Labour launched "Demos", seen as a cross-party think-tank, which soon gained offices and funds. He had planned Demos from at least a year or so before the final dissolution of the rump CPGB.

So for anyone wondering why Demos pieces can lean so far left and verge on the totalitarian, it's because the founders had some considerable form in that area.

It amuses me that the BBC sees fit to publish this piece, but I can't imagine them publishing a similar piece e.g. by Nikolaos Michaloliakos of Golden Dawn arguing that national fascism is essentially more democratic than the European Parliament. Can you?