Cyber-skirmish at the top of the world (page 2 of 2)
By Peter Lee
emigre community, "Snooping Dragon", the University of Cambridge reported [3]
that the Chinese hackers availed themselves of Dynaweb's facilities:
However,
after a while, we saw a number of accesses through Dynaweb - a set of
anonymization proxy servers associated with the Falungong religious movement,
which is also detested by the government of China. We are at a loss how to
explain this. Perhaps the Chinese detected the start of our clean-up operation
and decided to hint that they had compromised Dynaweb - whether to deter people
from using it, or to deter the US government from funding it? We just have no
idea.
Because the GIFC is a public service that aggressively markets its
product in a strategy to overwhelm China's security apparatus, its
partners are vulnerable in turn to the most diabolical weapon in China's
arsenal - porn.
Porn is the bugbear of censorship circumvention service providers.
Ironically, it has pushed the service providers themselves to assume the role
of censors. In a white paper [4] entitled Defeat Internet Censorship, the GIFC
interrupted its triumphalist recitation of its omnipotent software capabilities
to note:
With limited resource and bandwidth, an anti-censorship system
with unrestricted access will soon be consumed by pornography, gambling and
drug-related information and become useless to users in the most-needed
regions. Therefore, it is critical and beneficial for an anti-censorship system
to have some built-in mechanisms to control content access. At least, it should
have the ability to block some high-profile pornography portals in order to
save the bandwidth for better uses. It should also provide tools for law
enforcing authorities in the free world to monitor the information flow when
needed to avoid the encryption channels being exploited for terrorist
communications.
In a demonstration that irony is, if not dead,
on hiatus at GIFC, the writers of the white paper also proposed that, once
China's surfers emerge from the Great Firewall rabbit hole, they be directed
toward more wholesome browsing courtesy of GIFC in its role as portal manager
and content provider:
To better protect and serve users who have
overcome the blocking and reached the other side of [the] GFW, it is highly
beneficial to provide them with an uncensored, trustworthy portal site in their
own native languages, which provides services such as search engines,
directories, bulletin boards, e-mails and chat rooms. These services are better
protected when they are tightly integrated with the anti-censorship tools they
use. More importantly, such a portal site can shield users from those overseas
websites set up by the Chinese regime or communist regime-backed entities.
Their websites serve as a trap to collect users' information as well as serve
their exported propaganda machinery.
But legitimate
porn-surfing by frustrated citizens, dedicated freedom activists and fanatical
cultists to whom GIFC caters is probably just the tip of the iceberg.
Beneath the high-minded concern for the morals, safety and education of Chinese
web surfers is perhaps the concern that the service could not survive a
concerted attack by malicious Chinese government users logging on
simultaneously to download a lifetime's supply of porn and bootlegged Jackie
Chan movies - and the GIFC might need a Great Firewall of its own to protect
itself.
An alternative to a high-profile, high-intensity professional circumvention
service under continual attack by the Chinese government is an "anonymizer"
program called TOR (The Onion Router).
TOR applies multiple layers of encryption to requests for web pages and relies
on a network of volunteer-supplied computers, each of which strips one address
layer (like an onion) until the last server - the TOR exit node - connects to the
destination using its own IP address. Each computer only knows the previous
link; if the message is intercepted, it cannot be traced back to the
originator.
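As an added illustration (not part of the original article, and not Tor's own code), the Python sketch below models the layering described above with a stand-in cipher: every relay can strip only its own layer and learns only the next hop, while the exit relay alone sees the destination and the request in the clear, which is why the exit node's own address is what the destination site records. The relay names and keys are constructed sample values.

```python
# Toy onion routing, added for illustration; not Tor's real protocol (Tor negotiates
# a fresh key with each relay and uses AES-CTR). Each relay strips one layer and learns
# only the next hop; the exit relay alone sees the destination and request in the clear.
import hashlib, json, os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (not for real use)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)  # fresh per layer so identical payloads never repeat
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(circuit, destination: str, request: str) -> bytes:
    """circuit: [(relay_name, key_shared_with_client), ...] from entry to exit.
    The exit layer is wrapped first; each earlier hop's layer goes around it."""
    layer = seal(circuit[-1][1], json.dumps({"next": destination, "data": request}).encode())
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = seal(key, json.dumps({"next": next_name, "data": layer.hex()}).encode())
    return layer

def peel(key: bytes, blob: bytes):
    """One relay's view: (next hop, opaque inner blob); None if the key is wrong."""
    try:
        inner = json.loads(unseal(key, blob))
        return inner["next"], inner["data"]
    except (ValueError, KeyError, TypeError):
        return None

def route(circuit, destination: str, request: str) -> dict:
    """Drive the onion through the circuit and record what each relay observed."""
    blob, seen = build_onion(circuit, destination, request), {}
    for i, (name, key) in enumerate(circuit):
        nxt, data = peel(key, blob)
        seen[name] = nxt                      # every relay sees only its next hop
        if i == len(circuit) - 1:
            seen["exit_sees_request"] = data  # the exit also sees the plaintext request
        else:
            blob = bytes.fromhex(data)        # still encrypted for the remaining hops
    return seen

# Constructed sample circuit: three volunteer relays, each sharing a key with the client.
CIRCUIT = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
```

Calling `route(CIRCUIT, "example.org", "GET /")` shows the entry and middle relays recording only "middle" and "exit" respectively, while the exit records the destination and the request itself.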
Traffic analysis can reportedly compromise the anonymity of the TOR network,
but its true vulnerability is highlighted by a post from the UK entitled "Why
You Need Balls of Steel to Operate a TOR Exit Node" [5]:
[After
providing service as a TOR exit node for about one year] I was visited by the
police in November 2008 because my IP address had turned up in the server logs
of a site offering, or perhaps trading in (I was not told the details of the
offence) indecent images of children … It was what is known as a "dawn raid"
and, amazingly enough, my children were still asleep when it occurred. Thank
God … I was overwhelmed by horror to be implicated in such a thing. I was
desperately worried about my family. One of the officers had told my wife that
Social Services would be informed as a matter of course and there was a
possibility that my children would be taken into care …
After
an agonizing four-month investigation, the police dropped the case. But the
writer concludes: "I think, in retrospect, I was desperately naive to run a TOR
exit server on a home computer."
So it doesn't take much to degrade the TOR system: just a collection of
malicious hackers going on the system masquerading as legitimate users, hogging
bandwidth, downloading child porn, or visiting sites flagged by the police as
terrorist- or criminal-related. If a genuine cyberwar erupts, one would expect
the TOR network to grind to a halt in a matter of minutes.
The latest iteration in the struggle between the Chinese government and
dissidents over Internet communication is brought to us by none other than
Citizen Lab.
In 2007, Citizen Lab developed and spun off a "censorship circumvention
software" it called Psiphon, which establishes an encrypted link from inside a
country that limits Internet browsing to a computer in another country that
allows free browsing.
Citizen Lab's Ron Deibert undoubtedly did not endear himself to the Chinese
government by publicizing the Psiphon service in the aftermath of the unrest in
Tibet last year as a way for activists inside China to get the word out to the
West. Psiphon also advertised its commercial service to foreigners as a
safeguard against Chinese cybersnooping during the 2008 Beijing Summer Olympic
Games; apparently the BBC and the US State Department signed up for the service
as a way to secure their communications from Beijing.
Psiphon uses the "small is beautiful" strategy, but avoids the problems of TOR
by eschewing the "anonymizer" route. Instead, the network's integrity is
protected because the owners of the computers in the free-browsing countries -
called "psiphonodes" in the company jargon - only invite users of the service,
"psiphonsites", that they personally know and trust.
The owners provide a distinct URL or web address (generated by Psiphon)
pointing to their computer, and a unique password for each user, which enables
the user to connect to the page over the https protocol; once logged in to the
owner's computer, the user can surf to his or her heart's content.
Well over 150,000 owners have signed up to become psiphonodes. It is unclear
how many users link to these nodes.
User traffic can be monitored by the psiphonodes, and apparently some of the
operators have been knocked out of their Birkenstocks by the insatiable demand
for porn of some of their trusted users - and by the legal risk to which serving
as the connecting node to the offending site exposes them.
Psiphon, as a diffuse set of mini-networks each closely controlled by its own
node, is proof against the kind of massive malicious-use attack that threatens
the GIFC and TOR services.
Its vulnerability seems to exist not in the world of cyberspace, but in the
realm of the system's human users and operators.
A Psiphon system can apparently be compromised if the node or site computer is
penetrated through operator carelessness in response to something called
"social engineering": the deployment of phishing e-mail that exploits the human
target's natural curiosity and desire to engage and communicate, and enables
the installation of malware - like the gh0st RAT program that bedeviled the
Tibetan government in exile.
For the record, Citizen Lab denied that its investigation of gh0st RAT was
related to any vulnerabilities in Psiphon and did not confirm that any of the
targeted computers were running as Psiphon nodes serving inside China.
Indeed, the penetration of computers in Dharmsala - one monk reported watching
Outlook Express open by itself and send an e-mail off with a document attached
- was a pressing issue in itself, and enough to justify the extensive
investigation.
However, what happened to the Tibetan computers brings to mind weaknesses that
might be exploited at a Psiphon node or site on a PC platform: non-professional
operators with an uncertain grasp of security working on vulnerable machines,
unwittingly downloading malware that enables remote observers to read files,
keylog passwords and extract keys.
On a psiphonsite, malware could extract details of the log-in and disable
and/or imperil its psiphonode by logging in for a malicious, bandwidth-hogging
session. If a psiphonode is identified and penetrated, apparently details of
the psiphonsite(s) it is serving - and the pages they have visited - can be
extracted.
Balancing Psiphon's reliance on a "network of trust" against the willingness of
the Chinese government (or its bespoke hackers) to pour resources into the
cyber struggle with the Tibetan emigre movement, this skirmish in cyberspace
might turn out to be a draw.
Interestingly, Citizen Lab seems to be interested in dialing down the rhetoric
in the wake of its cybersecurity coup against "GhostNet".
Despite a preponderance of circumstantial evidence - such as the nature of the
targets and the existence of three out of four of the gh0st RAT control servers
inside China - its report went out of its way to caveat assumptions of Chinese
government involvement in the attack and stress that Citizen Lab researchers
had not broken any laws in the investigation.
Certainly, Citizen Lab did not wish to find itself - or the Canadian government
- characterized as a provider of counter-intelligence services to the Tibetan
government in exile in its battle with incessant Chinese cyber-intrusions.
Citizen Lab's restraint may have also reflected Professor Deibert's publicized
dismay at the West's growing interest in militarizing the Internet -
illustrated by a bipartisan proposal that the Barack Obama administration
appoint a "Cybersecurity National Adviser" with the power to disconnect the
government and "critical" civilian networks from the Internet in case of
national emergency - largely in response to China's perceived intentions and
capabilities in cyberwarfare.
On a more strategic level, Deibert's caution may also reflect an awareness that
the censorship-circumvention infrastructure may be adequate for low-level
skirmishing with malicious Chinese hacker-patriots and the drudges running
day-to-day Internet interdiction for China, but perhaps would not be able to
withstand a concerted assault by China's cyberwarfare specialists - or cope
with an Internet fragmented into Chinese and Western cybersecurity fortresses.
The Internet seems destined to frustrate both hopes of China for national
security, and those of dissidents for an irresistible truth weapon.
One of the most famous observations concerning the Internet is by John Gilmore,
founder of the Electronic Freedom Foundation: "The Internet treats censorship
as a defect and routes around it."
Perhaps the Internet has the same response to censorship's doppelgangers -
secrecy, encryption and the user's desire for privacy: it rejects them and
finds a way around.
Those bits and bytes just want to be free. And we have to find a way to live
with that.