Page 1 of 2 Cyber-skirmish at the top of the world By Peter Lee
For the past decade or more, China has been engaged in a game of whack-a-mole
to control the burgeoning channels of digital communication between Tibetan
dissidents inside Tibet and in the Tibetan diaspora. Despite Beijing's resolve
to define the Tibetan issue as a solely internal matter for the People's
Republic of China, Tibetan Internet issues have been quietly internationalized,
thanks to the efforts of Western activists to provide cyber-security services
for Tibetan dissidents and emigres.
In March 2008, Canadian investigators achieved a cyber-security triumph: the
exposure of a malicious data-gathering botnet, a large number of compromised
computers used to create and send spam or viruses, targeting the Tibetan
international community. The botnet's exposure could almost - but not quite -
be construed
as a counter-intelligence operation against a hacker network apparently
operating out of China.
Domestically, China routinely monitors and blocks websites, chat rooms and
plain-text e-mail nationwide on a host of sensitive subjects, including Tibet,
using thousands of real and virtual cybercops and its US$700 million Golden
Shield infrastructure - derisively called "The Great Firewall of China" (GFW).
It also employs the technical assistance of local service providers (including
the in-China operations of multi-nationals like Yahoo!) to gather information
on domestic dissidents.
Efforts in the sensitive Tibetan regions of China are more direct and
draconian, especially in the context of heightened tensions following the
unrest in March 2008.
Landline, cell and Internet services in Tibetan areas were interrupted during
the period of unrest. When the Chinese government became aware that Tibetan
dissidents were using the video-sharing website YouTube as a text-free method
to communicate, it shut it down. When image-sharing website Flickr emerged as a
potential source of visual information, it was blocked. Tibetan radio
broadcasts by Voice of America (VOA), Radio Free Asia (RFA) and Voice of Tibet
were jammed. A campaign against satellite dishes was intensified to limit the
audience of VOA's direct-to-dish Tibet TV service. In order to cut off
cell-phone based talk, text, and images, China reportedly limited service and
tore down cell phone towers.
When confronting in cyberspace supporters of Tibetan dissidents located outside
of China, the Chinese government is apparently abetted by a group of hackers,
acting either pro bono or with government encouragement. The hackers disrupt
websites, harass activists and, it transpires, organize extensive espionage
operations against targeted computers around the world.
China's efforts against the Tibetan independence movement and Tibetan
government-in-exile have been countered by a variety of overseas "hacktivists"
- computer hackers with an activist bent. Some of these derive a measure of
support, including some financial backing, from Western governments.
The hacktivist organization with the highest profile and level of capability
and professionalism is probably Citizen Lab, run by Professor Ron Deibert in
the University of Toronto's Munk Center for International Studies.
Citizen Lab was in the news recently when it midwived a report [1] by
Information Warfare Monitor announcing the existence of a cyberspying operation
targeting computers belonging to the Tibetan government-in-exile, Tibetan
non-governmental organizations (NGOs), and a host of other governments and
organizations around the world.
In 2008, at the request of the Office of the Dalai Lama, Citizen Lab checked
the computers of the Tibetan government in exile offices in Dharmsala in India
and in various European cities to determine if they were infected with malware.
Citizen Lab investigator Greg Walton collected reams of suspicious code. By
plugging a likely bit into Google, he was able to locate the server that the
malware was communicating with. He lured the server into establishing
communication with a "honeypot" - a computer set up to document and trace
cyber-intrusions - and finally penetrated it.
Walton discovered three other servers supporting the malware, and obtained a
list of almost 1,300 computers - many located in the offices of emigre Tibetan
government and NGOs around the world, but also in numerous Taiwanese, European
and Asian governmental offices - from which they were collecting information.
The operation, which the investigators named "GhostNet", used a Trojan hidden
in e-mail attachments to compromise a computer's security and download a piece
of malware called gh0st RAT (RAT standing for Remote Access Tool). Gh0st RAT
allowed a remote operator both to examine files on the computer and to upload
them to a gh0st RAT server. Keystrokes could also be logged - a key hacking
tool for acquiring passwords - and, purportedly, the computer's microphones and
webcam could be activated and the audio and video sent to the gh0st RAT server.
This was not Citizen Lab's first foray into the world of China-related
cyber-security. In fact, Citizen Lab finds itself at the center of many issues
pertaining to China, Tibet and the Internet.
In October 2008, Citizen Lab issued a report revealing that TOM-Skype, a joint
venture by Skype and an arm of Hong Kong tycoon Li Ka-shing's empire offering
encrypted voice and text messaging services inside of China, saved copies of
text messages on a network of eight servers.
This was a big deal for three reasons.
First, though TOM-Skype admitted that Chinese-mandated filtering software would
knock out messages with forbidden keywords, it had previously claimed that the
filtered messages were discarded. Not true. The filtered messages were stored
on the eight servers.
Secondly, TOM-Skype is supposed to be a private, encrypted service with
encryption keys that were the secret property of the service's users.
Nevertheless, it was revealed that, presumably at the behest of the Chinese
government, TOM-Skype saved both the traffic and the keys needed to decrypt it.
Third, the servers were also apparently storing traffic that did not contain
banned keywords - an indication that the Chinese government was selecting
individuals and accounts to monitor, and dumping all their traffic on the
servers for examination.
The TOM-Skype affair highlights the central role played in the battle between
the Chinese state and those who wish to navigate the Internet beyond its
control by a unique technical feature of Internet communication: 128-bit
encryption.
In the 1990s, Phil Zimmerman, an American political activist, developed an
unbreakable open source 128-bit encryption program employing private and public
keys that he called, tongue-in-cheek, "Pretty Good Privacy" or PGP. The US
government, realizing that propagation of PGP would put an end to the era in
which the National Security Agency (NSA) possessed the technical means to
monitor every form of electronic communication from telegrams and faxes to
computer traffic, bitterly fought Zimmerman's efforts to publicize the code.
The government placed 128-bit encryption on a list of munitions proscribed for
export. Zimmerman countered by printing the PGP source code in book form and
claimed his right to protection under the First Amendment of the US
constitution. In 1996, realizing that mathematicians and programmers overseas
were capable of developing equivalent programs, the US government dropped its
investigation of Zimmerman and permitted the export of PGP.
Probably, if the Federal Bureau of Investigation and NSA had succeeded in their
efforts to keep the 128-bit genie in the bottle until September 11, 2001,
changing the security vs freedom equation, we would be living in a world where
every government demanded a copy of everybody's encryption key.
As it is, today the open, distributed international architecture of the
Internet demands encryption in order to protect both the sensitive data that
travels along it and the network itself. All efforts to impose - and evade -
monitoring and control of digital information take place in the shadow of
128-bit encryption.
Governments around the world, "free" as well as totalitarian, have responded
with a variety of strategies to ensure that encrypted communications yield up
their secrets.
Rights of privacy are extremely limited, if not non-existent, when it comes to
encryption. Companies and individuals are expected to produce keys at
government demand in response to informal requests, pointed demands, subpoenas,
or something called "rubber hose cryptoanalysis", a euphemism for the
extraction of cryptographic secrets (eg the password to an encrypted file) from
a person by coercion.
Governments, especially the United States, are rumored to routinely seed
computers, software and even mathematical elements of the decryption algorithm
itself with backdoors that enable the surreptitious acquisition of passwords
and the precious keys.
Commercial providers of encrypted e-mail worldwide are apparently eager to
cooperate with the government and avoid being identified as a provider of
genuinely secure communications to terrorists, criminals and any other suspect
entity.
In the course of a criminal investigation of steroid smuggling, one provider,
Hushmail, revealed [2] that it was able to turn over decrypted traffic to the
Canadian government because it had a Java applet that could penetrate its
customers' computers to extract the supposedly sacrosanct private key.
And if a key really can't be provided, but plain and encrypted versions of the
same message are available and can be attacked with adequate time, skill and
resources, the underlying code may be broken.
China has made the somewhat counterintuitive but perhaps inevitable decision to
join the family of nations that tolerates but controls encrypted communication
- and engages in the never-ending, no-holds-barred struggle to track and crack
it.
China, after all, is anxious to reap the economic rewards of being at the
forefront of the digital networking revolution. Since China is already near the
forefront of the hacking, cracking, phishing (the use of a fake websites or
e-mails to obtain to gather confidential data), and cybercrime revolution, it
must also accept the need of businesses and individuals to encrypt sensitive
data.
China, like governments around the world, insists that businesses offering
encrypted communications within their borders provide the means to generate
decrypted traffic at the demand of law enforcement.
As the TOM-Skype case shows, any commercial participant in encrypted
communication activities will be expected to provide a backdoor and/or a
helping hand to Chinese security organizations.
The attention of dissidents - and the security personnel who track them - must
turn elsewhere for more private communications.
Secure, non-commercial e-mail encryption is still available to those who have
the ability and desire to forego the commercial services and are willing and
able to engage in the rather laborious process of maintaining their own
collection of encryption keys and coding and decoding their traffic without
relying on the web-based public key servers.
However, encryption does not encode the e-mail header, which exposes
information on the sender and receiver, thereby providing security forces with
a point of entry to generate a social-web map of senders and recipients that
is, in itself, a source of dangerous intelligence. Furthermore, the very act of
sending and receiving encrypted e-mail possibly attracts unwelcome scrutiny,
both in China and around the world,
Beyond e-mail encryption, there are other options for those inside China
desiring untrammeled access to the global Internet. They involve exploiting
https - the encrypted hypertext transfer protocol designed for secure financial
transactions - to establish contact with computers outside China that can be
used as proxies.
Detailed online manuals provide instructions to Tibetan dissidents, Falungong
adherents, and anybody else hoping to evade the prying eyes of the Chinese
security forces and safely surf the web, communicate or blog internationally.
The most widely-used facilities are Dynaweb, Garden and Ultra Surf. These
services coordinate their offerings through the Global Internet Freedom
Consortium (GIFC), a group that receives some US government funding and is
apparently run by friends of Falungong, the outlawed and extremely tech-savvy
Chinese religious group-cum-political movement.
The three services gleefully run a never-ending Spy vs Spy war with the
Chinese cybercops, continually flooding the zone with new Internet Protocol
(IP) addresses - a computer's identification number on a network - that their
users (and the Chinese security organizations that inevitably participate in
the service) link to with a "tunnel discovery agent" in order to connect to
proxy servers - a computer system or application program that acts as a
go-between - before the Chinese government shuts them down.
They count VOA and RFA as their clients and proudly state that the service has
never been interrupted.
But, in the case of gh0st RAT, maybe score this round to China. In its own
analysis of the computer security travails of the Tibetan
Head
Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East,
Central, Hong Kong Thailand Bureau:
11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110
