Asia Time Online - Daily News
Asia Times Chinese
AT Chinese

    Greater China
     Apr 8, 2009
Page 1 of 2
Cyber-skirmish at the top of the world
By Peter Lee

For the past decade or more, China has been engaged in a game of whack-a-mole to control the burgeoning channels of digital communication between Tibetan dissidents inside Tibet and in the Tibetan diaspora. Despite Beijing's resolve to define the Tibetan issue as a solely internal matter for the People's Republic of China, Tibetan Internet issues have been quietly internationalized, thanks to the efforts of Western activists to provide cyber-security services for Tibetan dissidents and emigres.

In March 2008, Canadian investigators achieved a cyber-security triumph: the exposure of a malicious data-gathering botnet, a large number of compromised computers used to create and send spam or viruses, targeting the Tibetan international community. The botnet's exposure could almost - but not quite - be construed


as a counter-intelligence operation against a hacker network apparently operating out of China.

Domestically, China routinely monitors and blocks websites, chat rooms and plain-text e-mail nationwide on a host of sensitive subjects, including Tibet, using thousands of real and virtual cybercops and its US$700 million Golden Shield infrastructure - derisively called "The Great Firewall of China" (GFW). It also employs the technical assistance of local service providers (including the in-China operations of multi-nationals like Yahoo!) to gather information on domestic dissidents.

Efforts in the sensitive Tibetan regions of China are more direct and draconian, especially in the context of heightened tensions following the unrest in March 2008.

Landline, cell and Internet services in Tibetan areas were interrupted during the period of unrest. When the Chinese government became aware that Tibetan dissidents were using the video-sharing website YouTube as a text-free method to communicate, it shut it down. When image-sharing website Flickr emerged as a potential source of visual information, it was blocked. Tibetan radio broadcasts by Voice of America (VOA), Radio Free Asia (RFA) and Voice of Tibet were jammed. A campaign against satellite dishes was intensified to limit the audience of VOA's direct-to-dish Tibet TV service. In order to cut off cell-phone based talk, text, and images, China reportedly limited service and tore down cell phone towers.

When confronting in cyberspace supporters of Tibetan dissidents located outside of China, the Chinese government is apparently abetted by a group of hackers, acting either pro bono or with government encouragement. The hackers disrupt websites, harass activists and, it transpires, organize extensive espionage operations against targeted computers around the world.

China's efforts against the Tibetan independence movement and Tibetan government-in-exile have been countered by a variety of overseas "hacktivists" - computer hackers with an activist bent. Some of these derive a measure of support, including some financial backing, from Western governments.

The hacktivist organization with the highest profile and level of capability and professionalism is probably Citizen Lab, run by Professor Ron Deibert in the University of Toronto's Munk Center for International Studies.

Citizen Lab was in the news recently when it midwived a report [1] by Information Warfare Monitor announcing the existence of a cyberspying operation targeting computers belonging to the Tibetan government-in-exile, Tibetan non-governmental organizations (NGOs), and a host of other governments and organizations around the world.

In 2008, at the request of the Office of the Dalai Lama, Citizen Lab checked the computers of the Tibetan government in exile offices in Dharmsala in India and in various European cities to determine if they were infected with malware.

Citizen Lab investigator Greg Walton collected reams of suspicious code. By plugging a likely bit into Google, he was able to locate the server that the malware was communicating with. He lured the server into establishing communication with a "honeypot" - a computer set up to document and trace cyber-intrusions - and finally penetrated it.

Walton discovered three other servers supporting the malware, and obtained a list of almost 1,300 computers - many located in the offices of emigre Tibetan government and NGOs around the world, but also in numerous Taiwanese, European and Asian governmental offices - from which they were collecting information.
The operation, which the investigators named "GhostNet", used a Trojan hidden in e-mail attachments to compromise a computer's security and download a piece of malware called gh0st RAT (RAT standing for Remote Access Tool). Gh0st RAT allowed a remote operator both to examine files on the computer and to upload them to a gh0st RAT server. Keystrokes could also be logged - a key hacking tool for acquiring passwords - and, purportedly, the computer's microphones and webcam could be activated and the audio and video sent to the gh0st RAT server.

This was not Citizen Lab's first foray into the world of China-related cyber-security. In fact, Citizen Lab finds itself at the center of many issues pertaining to China, Tibet and the Internet.

In October 2008, Citizen Lab issued a report revealing that TOM-Skype, a joint venture by Skype and an arm of Hong Kong tycoon Li Ka-shing's empire offering encrypted voice and text messaging services inside of China, saved copies of text messages on a network of eight servers.

This was a big deal for three reasons.

First, though TOM-Skype admitted that Chinese-mandated filtering software would knock out messages with forbidden keywords, it had previously claimed that the filtered messages were discarded. Not true. The filtered messages were stored on the eight servers.

Secondly, TOM-Skype is supposed to be a private, encrypted service with encryption keys that were the secret property of the service's users. Nevertheless, it was revealed that, presumably at the behest of the Chinese government, TOM-Skype saved both the traffic and the keys needed to decrypt it.

Third, the servers were also apparently storing traffic that did not contain banned keywords - an indication that the Chinese government was selecting individuals and accounts to monitor, and dumping all their traffic on the servers for examination.

The TOM-Skype affair highlights the central role played in the battle between the Chinese state and those who wish to navigate the Internet beyond its control by a unique technical feature of Internet communication: 128-bit encryption.

In the 1990s, Phil Zimmerman, an American political activist, developed an unbreakable open source 128-bit encryption program employing private and public keys that he called, tongue-in-cheek, "Pretty Good Privacy" or PGP. The US government, realizing that propagation of PGP would put an end to the era in which the National Security Agency (NSA) possessed the technical means to monitor every form of electronic communication from telegrams and faxes to computer traffic, bitterly fought Zimmerman's efforts to publicize the code.

The government placed 128-bit encryption on a list of munitions proscribed for export. Zimmerman countered by printing the PGP source code in book form and claimed his right to protection under the First Amendment of the US constitution. In 1996, realizing that mathematicians and programmers overseas were capable of developing equivalent programs, the US government dropped its investigation of Zimmerman and permitted the export of PGP.

Probably, if the Federal Bureau of Investigation and NSA had succeeded in their efforts to keep the 128-bit genie in the bottle until September 11, 2001, changing the security vs freedom equation, we would be living in a world where every government demanded a copy of everybody's encryption key.

As it is, today the open, distributed international architecture of the Internet demands encryption in order to protect both the sensitive data that travels along it and the network itself. All efforts to impose - and evade - monitoring and control of digital information take place in the shadow of 128-bit encryption.

Governments around the world, "free" as well as totalitarian, have responded with a variety of strategies to ensure that encrypted communications yield up their secrets.

Rights of privacy are extremely limited, if not non-existent, when it comes to encryption. Companies and individuals are expected to produce keys at government demand in response to informal requests, pointed demands, subpoenas, or something called "rubber hose cryptoanalysis", a euphemism for the extraction of cryptographic secrets (eg the password to an encrypted file) from a person by coercion.

Governments, especially the United States, are rumored to routinely seed computers, software and even mathematical elements of the decryption algorithm itself with backdoors that enable the surreptitious acquisition of passwords and the precious keys.

Commercial providers of encrypted e-mail worldwide are apparently eager to cooperate with the government and avoid being identified as a provider of genuinely secure communications to terrorists, criminals and any other suspect entity.

In the course of a criminal investigation of steroid smuggling, one provider, Hushmail, revealed [2] that it was able to turn over decrypted traffic to the Canadian government because it had a Java applet that could penetrate its customers' computers to extract the supposedly sacrosanct private key.

And if a key really can't be provided, but plain and encrypted versions of the same message are available and can be attacked with adequate time, skill and resources, the underlying code may be broken.

China has made the somewhat counterintuitive but perhaps inevitable decision to join the family of nations that tolerates but controls encrypted communication - and engages in the never-ending, no-holds-barred struggle to track and crack it.

China, after all, is anxious to reap the economic rewards of being at the forefront of the digital networking revolution. Since China is already near the forefront of the hacking, cracking, phishing (the use of a fake websites or e-mails to obtain to gather confidential data), and cybercrime revolution, it must also accept the need of businesses and individuals to encrypt sensitive data.

China, like governments around the world, insists that businesses offering encrypted communications within their borders provide the means to generate decrypted traffic at the demand of law enforcement.

As the TOM-Skype case shows, any commercial participant in encrypted communication activities will be expected to provide a backdoor and/or a helping hand to Chinese security organizations.
The attention of dissidents - and the security personnel who track them - must turn elsewhere for more private communications.

Secure, non-commercial e-mail encryption is still available to those who have the ability and desire to forego the commercial services and are willing and able to engage in the rather laborious process of maintaining their own collection of encryption keys and coding and decoding their traffic without relying on the web-based public key servers.

However, encryption does not encode the e-mail header, which exposes information on the sender and receiver, thereby providing security forces with a point of entry to generate a social-web map of senders and recipients that is, in itself, a source of dangerous intelligence. Furthermore, the very act of sending and receiving encrypted e-mail possibly attracts unwelcome scrutiny, both in China and around the world,

Beyond e-mail encryption, there are other options for those inside China desiring untrammeled access to the global Internet. They involve exploiting https - the encrypted hypertext transfer protocol designed for secure financial transactions - to establish contact with computers outside China that can be used as proxies.

Detailed online manuals provide instructions to Tibetan dissidents, Falungong adherents, and anybody else hoping to evade the prying eyes of the Chinese security forces and safely surf the web, communicate or blog internationally.

The most widely-used facilities are Dynaweb, Garden and Ultra Surf. These services coordinate their offerings through the Global Internet Freedom Consortium (GIFC), a group that receives some US government funding and is apparently run by friends of Falungong, the outlawed and extremely tech-savvy Chinese religious group-cum-political movement.

The three services gleefully run a never-ending Spy vs Spy war with the Chinese cybercops, continually flooding the zone with new Internet Protocol (IP) addresses - a computer's identification number on a network - that their users (and the Chinese security organizations that inevitably participate in the service) link to with a "tunnel discovery agent" in order to connect to proxy servers - a computer system or application program that acts as a go-between - before the Chinese government shuts them down.

They count VOA and RFA as their clients and proudly state that the service has never been interrupted.

But, in the case of gh0st RAT, maybe score this round to China. In its own analysis of the computer security travails of the Tibetan 

Continued 1 2  

China's cyber-activists spin a risky web
(Mar 11,'09)

An opening in cyberspace closes
(Feb 26,'09)

China's cyber-warriors challenge India (Nov 26,'08)

Cracking China's Great Firewall
(Jul 10,'07)

A missile launch for dummies

2. All roads lead to Pakistan

3. Geithner's dirty little secret

4. Signs emerge of global crime wave

5. China gets assertive as US ties grow

6. Manhunt is on for Mekong Robin Hood

7. Australia's new and powerful friend

8. Hidden deficit horrors

9. Russian phosphate shake-out ahead

10. Guess what, they're not coming

(24 hours to 11:59pm ET, Apr 6, 2009)


All material on this website is copyright and may not be republished in any form without written permission.
© Copyright 1999 - 2009 Asia Times Online (Holdings), Ltd.
Head Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East, Central, Hong Kong
Thailand Bureau: 11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110