
Cyber-skirmish at the top of the world

April 8, 2009

By Peter Lee
Asia Times

For the past decade or more, China has been
engaged in a game of whack-a-mole to control the
burgeoning channels of digital communication
between Tibetan dissidents inside Tibet and in
the Tibetan diaspora. Despite Beijing's resolve
to define the Tibetan issue as a solely internal
matter for the People's Republic of China,
Tibetan Internet issues have been quietly
internationalized, thanks to the efforts of
Western activists to provide cyber-security
services for Tibetan dissidents and emigres.

In March 2008, Canadian investigators achieved a
cyber-security triumph: the exposure of a
malicious data-gathering botnet, a large number
of compromised computers used to create and send
spam or viruses, targeting the Tibetan
international community. The botnet's exposure
could almost - but not quite - be construed as a
counter-intelligence operation against a hacker
network apparently operating out of China.

Domestically, China routinely monitors and blocks
websites, chat rooms and plain-text e-mail
nationwide on a host of sensitive subjects,
including Tibet, using thousands of real and
virtual cybercops and its US$700 million Golden
Shield infrastructure - derisively called "The
Great Firewall of China" (GFW). It also employs
the technical assistance of local service
providers (including the in-China operations of
multi-nationals like Yahoo!) to gather information on domestic dissidents.

Efforts in the sensitive Tibetan regions of China
are more direct and draconian, especially in the
context of heightened tensions following the unrest in March 2008.

Landline, cell and Internet services in Tibetan
areas were interrupted during the period of
unrest. When the Chinese government became aware
that Tibetan dissidents were using the
video-sharing website YouTube as a text-free
method to communicate, it shut it down. When
image-sharing website Flickr emerged as a
potential source of visual information, it was
blocked. Tibetan radio broadcasts by Voice of
America (VOA), Radio Free Asia (RFA) and Voice of
Tibet were jammed. A campaign against satellite
dishes was intensified to limit the audience of
VOA's direct-to-dish Tibet TV service. In order
to cut off cell-phone based talk, text, and
images, China reportedly limited service and tore down cell phone towers.

When confronting in cyberspace supporters of
Tibetan dissidents located outside of China, the
Chinese government is apparently abetted by a
group of hackers, acting either pro bono or with
government encouragement. The hackers disrupt
websites, harass activists and, it transpires,
organize extensive espionage operations against
targeted computers around the world.

China's efforts against the Tibetan independence
movement and Tibetan government-in-exile have
been countered by a variety of overseas
"hacktivists" - computer hackers with an activist
bent. Some of these derive a measure of support,
including some financial backing, from Western governments.

The hacktivist organization with the highest
profile and level of capability and
professionalism is probably Citizen Lab, run by
Professor Ron Deibert in the University of
Toronto's Munk Center for International Studies.

Citizen Lab was in the news recently when it
midwived a report [1] by Information Warfare
Monitor announcing the existence of a cyberspying
operation targeting computers belonging to the
Tibetan government-in-exile, Tibetan
non-governmental organizations (NGOs), and a host
of other governments and organizations around the world.

In 2008, at the request of the Office of the
Dalai Lama, Citizen Lab checked the computers of
the Tibetan government in exile offices in
Dharmsala in India and in various European cities
to determine if they were infected with malware.

Citizen Lab investigator Greg Walton collected
reams of suspicious code. By plugging a likely
bit into Google, he was able to locate the server
that the malware was communicating with. He lured
the server into establishing communication with a
"honeypot" - a computer set up to document and
trace cyber-intrusions - and finally penetrated it.

Walton discovered three other servers supporting
the malware, and obtained a list of almost 1,300
computers - many located in the offices of emigre
Tibetan government and NGOs around the world, but
also in numerous Taiwanese, European and Asian
governmental offices - from which they were collecting information.

The operation, which the investigators named
"GhostNet", used a Trojan hidden in e-mail
attachments to compromise a computer's security
and download a piece of malware called gh0st RAT
(RAT standing for Remote Access Tool). Gh0st RAT
allowed a remote operator both to examine files
on the computer and to upload them to a gh0st RAT
server. Keystrokes could also be logged - a key
hacking tool for acquiring passwords - and,
purportedly, the computer's microphones and
webcam could be activated and the audio and video sent to the gh0st RAT server.

This was not Citizen Lab's first foray into the
world of China-related cyber-security. In fact,
Citizen Lab finds itself at the center of many
issues pertaining to China, Tibet and the Internet.

In October 2008, Citizen Lab issued a report
revealing that TOM-Skype, a joint venture by
Skype and an arm of Hong Kong tycoon Li
Ka-shing's empire offering encrypted voice and
text messaging services inside of China, saved
copies of text messages on a network of eight servers.

This was a big deal for three reasons.

First, though TOM-Skype admitted that
Chinese-mandated filtering software would knock
out messages with forbidden keywords, it had
previously claimed that the filtered messages
were discarded. Not true. The filtered messages
were stored on the eight servers.

Secondly, TOM-Skype is supposed to be a private,
encrypted service with encryption keys that were
the secret property of the service's users.
Nevertheless, it was revealed that, presumably at
the behest of the Chinese government, TOM-Skype
saved both the traffic and the keys needed to decrypt it.

Third, the servers were also apparently storing
traffic that did not contain banned keywords - an
indication that the Chinese government was
selecting individuals and accounts to monitor,
and dumping all their traffic on the servers for examination.

The TOM-Skype affair highlights the central role
played in the battle between the Chinese state
and those who wish to navigate the Internet
beyond its control by a unique technical feature
of Internet communication: 128-bit encryption.

In the 1990s, Phil Zimmermann, an American
political activist, developed an unbreakable open
source 128-bit encryption program employing
private and public keys that he called,
tongue-in-cheek, "Pretty Good Privacy" or PGP.
The US government, realizing that propagation of
PGP would put an end to the era in which the
National Security Agency (NSA) possessed the
technical means to monitor every form of
electronic communication from telegrams and faxes
to computer traffic, bitterly fought Zimmermann's efforts to publicize the code.

The government placed 128-bit encryption on a
list of munitions proscribed for export.
Zimmermann countered by printing the PGP source
code in book form and claimed his right to
protection under the First Amendment of the US
constitution. In 1996, realizing that
mathematicians and programmers overseas were
capable of developing equivalent programs, the US
government dropped its investigation of Zimmermann
and permitted the export of PGP.

Probably, if the Federal Bureau of Investigation
and NSA had succeeded in their efforts to keep
the 128-bit genie in the bottle until September
11, 2001, changing the security vs freedom
equation, we would be living in a world where
every government demanded a copy of everybody's encryption key.

As it is, today the open, distributed
international architecture of the Internet
demands encryption in order to protect both the
sensitive data that travels along it and the
network itself. All efforts to impose - and evade
- monitoring and control of digital information
take place in the shadow of 128-bit encryption.

Governments around the world, "free" as well as
totalitarian, have responded with a variety of
strategies to ensure that encrypted communications yield up their secrets.

Rights of privacy are extremely limited, if not
non-existent, when it comes to encryption.
Companies and individuals are expected to produce
keys at government demand in response to informal
requests, pointed demands, subpoenas, or
something called "rubber-hose cryptanalysis", a
euphemism for the extraction of cryptographic
secrets (e.g. the password to an encrypted file) from a person by coercion.

Governments, especially the United States, are
rumored to routinely seed computers, software and
even mathematical elements of the decryption
algorithm itself with backdoors that enable the
surreptitious acquisition of passwords and the precious keys.

Commercial providers of encrypted e-mail
worldwide are apparently eager to cooperate with
the government and avoid being identified as a
provider of genuinely secure communications to
terrorists, criminals and any other suspect entity.

In the course of a criminal investigation of
steroid smuggling, one provider, Hushmail,
revealed [2] that it was able to turn over
decrypted traffic to the Canadian government
because it had a Java applet that could penetrate
its customers' computers to extract the supposedly sacrosanct private key.

And if a key really can't be provided, but plain
and encrypted versions of the same message are
available and can be attacked with adequate time,
skill and resources, the underlying code may be broken.

China has made the somewhat counterintuitive but
perhaps inevitable decision to join the family of
nations that tolerates but controls encrypted
communication - and engages in the never-ending,
no-holds-barred struggle to track and crack it.

China, after all, is anxious to reap the economic
rewards of being at the forefront of the digital
networking revolution. Since China is already
near the forefront of the hacking, cracking,
phishing (the use of fake websites or e-mails
to gather confidential data), and
cybercrime revolution, it must also accept the
need of businesses and individuals to encrypt sensitive data.

China, like governments around the world, insists
that businesses offering encrypted communications
within their borders provide the means to
generate decrypted traffic at the demand of law enforcement.

As the TOM-Skype case shows, any commercial
participant in encrypted communication activities
will be expected to provide a backdoor and/or a
helping hand to Chinese security organizations.

The attention of dissidents - and the security
personnel who track them - must turn elsewhere for more private communications.

Secure, non-commercial e-mail encryption is still
available to those who have the ability and
desire to forego the commercial services and are
willing and able to engage in the rather
laborious process of maintaining their own
collection of encryption keys and coding and
decoding their traffic without relying on the web-based public key servers.

However, encryption does not encode the e-mail
header, which exposes information on the sender
and receiver, thereby providing security forces
with a point of entry to generate a social-web
map of senders and recipients that is, in itself,
a source of dangerous intelligence. Furthermore,
the very act of sending and receiving encrypted
e-mail possibly attracts unwelcome scrutiny, both
in China and around the world.

Beyond e-mail encryption, there are other options
for those inside China desiring untrammeled
access to the global Internet. They involve
exploiting https - the encrypted hypertext
transfer protocol designed for secure financial
transactions - to establish contact with
computers outside China that can be used as proxies.

Detailed online manuals provide instructions to
Tibetan dissidents, Falungong adherents, and
anybody else hoping to evade the prying eyes of
the Chinese security forces and safely surf the
web, communicate or blog internationally.

The most widely-used facilities are Dynaweb,
Garden and Ultra Surf. These services coordinate
their offerings through the Global Internet
Freedom Consortium (GIFC), a group that receives
some US government funding and is apparently run
by friends of Falungong, the outlawed and
extremely tech-savvy Chinese religious group-cum-political movement.

The three services gleefully run a never-ending
Spy vs Spy war with the Chinese cybercops,
continually flooding the zone with new Internet
Protocol (IP) addresses - a computer's
identification number on a network. Their users
(and the Chinese security organizations that
inevitably participate in the service) reach
those addresses with a "tunnel discovery agent"
in order to connect to proxy servers - computer
systems or application programs that act as
go-betweens - before the Chinese government shuts them down.

They count VOA and RFA as their clients and
proudly state that the service has never been interrupted.

But, in the case of gh0st RAT, maybe score this
round to China. In its own analysis of the
computer security travails of the Tibetan
emigre community, "Snooping Dragon", the
University of Cambridge reported [3] that the
Chinese hackers availed themselves of Dynaweb's facilities:

"However, after a while, we saw a number of
accesses through Dynaweb - a set of anonymization
proxy servers associated with the Falungong
religious movement, which is also detested by the
government of China. We are at a loss how to
explain this. Perhaps the Chinese detected the
start of our clean-up operation and decided to
hint that they had compromised Dynaweb - whether
to deter people from using it, or to deter the US
government from funding it? We just have no idea."

As a public service that aggressively markets its
product in a strategy to overwhelm China's
security apparatus, the GIFC's partners are
vulnerable in turn to the most diabolical weapon in China's arsenal - porn.

Porn is the bugbear of censorship circumvention service providers.

Ironically, it has pushed the service providers
themselves to assume the role of censors. In a
white paper [4] entitled Defeat Internet
Censorship, the GIFC interrupted its triumphalist
recitation of its omnipotent software capabilities to note:

"With limited resource and bandwidth, an
anti-censorship system with unrestricted access
will soon be consumed by pornography, gambling
and drug-related information and become useless
to users in the most-needed regions. Therefore,
it is critical and beneficial for an
anti-censorship system to have some built-in
mechanisms to control content access. At least,
it should have the ability to block some
high-profile pornography portals in order to save
the bandwidth for better uses. It should also
provide tools for law enforcing authorities in
the free world to monitor the information flow
when needed to avoid the encryption channels
being exploited for terrorist communications."

In a demonstration that irony is, if not dead, on
hiatus at GIFC, the writers of the white paper
also proposed that, once China's surfers emerge
from the Great Firewall rabbit hole, they be
directed toward more wholesome browsing courtesy
of GIFC in its role as portal manager and content provider:

"To better protect and serve users who have
overcome the blocking and reached the other side
of [the] GFW, it is highly beneficial to provide
them with an uncensored, trustworthy portal site
in their own native languages, which provides
services such as search engines, directories,
bulletin boards, e-mails and chat rooms. These
services are better protected when they are
tightly integrated with the anti-censorship tools
they use. More importantly, such a portal site
can shield users from those overseas websites set
up by the Chinese regime or communist
regime-backed entities. Their websites serve as a
trap to collect users' information as well as
serve their exported propaganda machinery."

But legitimate porn-surfing by frustrated
citizens, dedicated freedom activists and
fanatical cultists to whom GIFC caters is probably just the tip of the iceberg.

Beneath the high-minded concern for the morals,
safety and education of Chinese web surfers is
perhaps the concern that the service could not
survive a concerted attack by malicious Chinese
government users logging on simultaneously to
download a lifetime's supply of porn and
bootlegged Jackie Chan movies - and the GIFC
might need a Great Firewall of its own to protect itself.

An alternative to a high-profile, high-intensity
professional circumvention service under
continual attack by the Chinese government is an
"anonymizer" program called TOR (The Onion Router).

TOR performs a multiple-layer encryption of
requests for web pages and relies on a network of
computers supplied by volunteers to strip the
address layers (like an onion) until the last
server - the TOR exit node - connects to the
destination using its own IP address. Each
computer only knows the previous link; if the
message is intercepted, it cannot be traced back to the originator.
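As an added illustration of the layering described above (example code, not from the article, from Tor, or from any project it mentions), the script below wraps a request in one layer per relay and records what each hop can see as it strips its own layer. The cipher is a toy SHA-256 keystream XOR so it runs with the standard library only; the relay names, keys and request are constructed.

```python
"""Toy onion-routing walk-through (added example; not code from the article or from Tor).
The cipher is a toy SHA-256 keystream XOR so only the standard library is needed; Tor
itself uses TLS and AES and authenticates its cells.  Relay names, keys and the request
are constructed for the demonstration."""
import hashlib
import os
from dataclasses import dataclass, field

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Symmetric, so the same call both wraps and unwraps a layer."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # fresh nonce for every layer
    return nonce + keystream_xor(key, nonce, plaintext)


def unwrap(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


@dataclass
class Relay:
    name: str
    key: bytes                                # shared with the client (Tor negotiates one per hop)
    seen: list = field(default_factory=list)  # (who sent the cell, next hop, payload it could read)

    def handle(self, sender: str, blob: bytes):
        """Strip one layer: learn only the next hop and an opaque payload to forward."""
        inner = unwrap(self.key, blob)
        next_hop, _, payload = inner.partition(b"\n")   # hop names never contain a newline
        self.seen.append((sender, next_hop.decode(), payload))
        return next_hop.decode(), payload


def make_relays(names):
    return [Relay(n, os.urandom(32)) for n in names]


def build_onion(relays, destination: str, request: str) -> bytes:
    """Innermost layer is for the exit (destination + request); every outer layer
    names the following relay and carries the remaining onion as its payload."""
    onion = wrap(relays[-1].key, destination.encode() + b"\n" + request.encode())
    for i in range(len(relays) - 2, -1, -1):
        onion = wrap(relays[i].key, relays[i + 1].name.encode() + b"\n" + onion)
    return onion


def route(relays, destination: str, request: str):
    """Push the onion through the circuit; returns what the exit node actually requests."""
    by_name = {r.name: r for r in relays}
    sender, hop, cell = "client", relays[0], build_onion(relays, destination, request)
    while True:
        next_hop, payload = hop.handle(sender, cell)
        if next_hop not in by_name:            # exit node: next_hop is the real destination
            return next_hop, payload.decode()
        sender, hop, cell = hop.name, by_name[next_hop], payload


if __name__ == "__main__":
    circuit = make_relays(["guard", "middle", "exit"])
    dest, req = route(circuit, "example.org", "GET / HTTP/1.1")
    print("exit node fetched", repr(req), "from", dest)
    for r in circuit:
        sender, nxt, payload = r.seen[0]
        print(f"{r.name:6} got cell from {sender:6}; forwards to {nxt:11}; "
              f"request readable: {req.encode() in payload}")
```

The printed trace shows the property the article relies on, and its flip side: the guard sees the client but only ciphertext, the middle relay sees neither end, and the exit sees the plaintext request and destination while knowing only the middle relay as its sender, which is exactly why the exit operator's address is what turns up in the destination's logs.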

Traffic analysis can reportedly compromise the
anonymity of the TOR network, but its true
vulnerability is highlighted by a post from the
UK entitled "Why You Need Balls of Steel to Operate a TOR Exit Node" [5]:

"[After providing service as a TOR exit node for
about one year] I was visited by the police in
November 2008 because my IP address had turned up
in the server logs of a site offering, or perhaps
trading in (I was not told the details of the
offence) indecent images of children … It was
what is known as a "dawn raid" and, amazingly
enough, my children were still asleep when it
occurred. Thank God … I was overwhelmed by horror
to be implicated in such a thing. I was
desperately worried about my family. One of the
officers had told my wife that Social Services
would be informed as a matter of course and there
was a possibility that my children would be taken into care."

After an agonizing four-month investigation, the
police dropped the case. But the writer
concludes: "I think, in retrospect, I was
desperately naive to run a TOR exit server on a home computer."

So, it doesn't take much to degrade the TOR
system. Just a collection of malicious hackers
going on the system masquerading as legitimate
users, hogging bandwidth, downloading child porn,
or visiting sites flagged by the police as
terrorist/criminal-related. If a genuine cyberwar
erupts, one would expect that the TOR network
will grind to a halt in a matter of minutes.

The latest iteration in the struggle between the
Chinese government and dissidents over Internet
communication is brought to us by none other than Citizen Lab.

In 2007, Citizen Lab developed and spun off a
"censorship circumvention software" it called
Psiphon, which establishes an encrypted link from
inside a country that limits Internet browsing to
a computer in another country that allows free browsing.

Citizen Lab's Ron Deibert undoubtedly did not
endear himself to the Chinese government by
publicizing the Psiphon service in the aftermath
of the unrest in Tibet last year as a way for
activists inside China to get the word out to the
West. Psiphon also advertised its commercial
service to foreigners as a safeguard against
Chinese cybersnooping during the 2008 Beijing
Summer Olympic Games; apparently the BBC and the
US State Department signed up for the service as
a way to secure their communications from Beijing.

Psiphon uses the "small is beautiful" strategy,
but avoids the problems of TOR by eschewing the
"anonymizer" route. Instead, the network's
integrity is protected because the owners of the
computers in the free-browsing countries - called
"psiphonodes" in the company jargon - only invite
users of the service, "psiphonsites", that they personally know and trust.

The owners provide a distinct URL or web address
(generated by Psiphon) pointing to their
computer, and a unique password for each user,
that enables the user to connect to the page
using the https protocol; once logged in to the
owner's computer, the user can surf to his or her heart's content.

Well over 150,000 owners have signed up to become
Psiphonodes. It is unclear how many users link to these nodes.

User traffic can be monitored by the psiphonodes
and apparently some of the operators have been
knocked out of their Birkenstocks by the
insatiable demand for porn of some of their
trusted users - and the legal risk that serving
as the connecting node to the offending site exposes them to.

Psiphon, as a diffuse set of mini-networks each
closely controlled by its own node, is proof
against a massive, malicious use attack that
threatens the GIFC and TOR services.

Its vulnerability seems to exist not in the world
of cyberspace, but in the realm of the system's human users and operators.

A Psiphon system can apparently be compromised if
the node or site computer is penetrated through
operator carelessness in response to something
called "social engineering": the deployment of
phishing e-mail that exploits the human target's
natural curiosity and desire to engage and
communicate, and enables the installation of
malware - like the gh0st RAT program that
bedeviled the Tibetan government in exile.

For the record, Citizen Lab denied that its
investigation of gh0st RAT was related to any
vulnerabilities in Psiphon and did not confirm
that any of the targeted computers were running
as Psiphon nodes serving inside China.

Indeed, the penetration of computers in Dharmsala
- one monk reported watching Outlook Express open
by itself and send an e-mail off with a document
attached - was a pressing issue in itself, and
enough to justify the extensive investigation.

However, what happened to the Tibetan computers
brings to mind weaknesses that might be exploited
at a Psiphon node or site on a PC platform:
non-professional operators with an uncertain
grasp of security working on vulnerable machines,
unwittingly downloading malware that enables
remote observers to read files, keylog passwords and extract keys.

On a psiphonsite, malware could extract details
of the log-in and disable and/or imperil its
psiphonode by logging in for a malicious,
bandwidth-hogging session. If a psiphonode is
identified and penetrated, apparently details of
the psiphonsite(s) it is serving - and the pages
they have visited - can be extracted.

Balancing Psiphon's reliance on a "network of
trust" versus the willingness of the Chinese
government (or their bespoke hackers) to pour
resources in the cyber struggle with the Tibetan
emigre movement, this skirmish in cyberspace might turn out to be a draw.

Interestingly, Citizen Lab seems to be interested
in dialing down the rhetoric in the wake of its
cybersecurity coup against "GhostNet".

Despite a preponderance of circumstantial
evidence - such as the nature of the targets and
the existence of three out of four of the gh0st
RAT control servers inside China - its report
went out of its way to caveat assumptions of
Chinese government involvement in the attack and
stress that Citizen Lab researchers had not
broken any laws in the investigation.

Certainly, Citizen Lab did not wish to find
itself - or the Canadian government -
characterized as a provider of
counter-intelligence services to the Tibetan
government in exile in its battle with incessant Chinese cyber-intrusions.

Citizen Lab's restraint may have also reflected
Professor Deibert's publicized dismay at the
West's growing interest in militarizing the
Internet - illustrated by a bipartisan proposal
that the Barack Obama administration appoint a
"Cybersecurity National Adviser" with the power
to disconnect the government and "critical"
civilian networks from the Internet in case of
national emergency - largely in response to
China's perceived intentions and capabilities in cyberwarfare.

On a more strategic level, Deibert's caution may
also reflect an awareness that the
censorship-circumvention infrastructure may be
adequate for low-level skirmishing with malicious
Chinese hacker-patriots and the drudges running
day-to-day Internet interdiction for China, but
perhaps would not be able to withstand a
concerted assault by China's cyberwarfare
specialists - or cope with an Internet fragmented
into Chinese and Western cybersecurity fortresses.

The Internet seems destined to frustrate both
hopes of China for national security, and those
of dissidents for an irresistible truth weapon.

One of the most famous observations concerning
the Internet is by John Gilmore, founder of the
Electronic Freedom Foundation: "The Internet
treats censorship as a defect and routes around it."

Perhaps the Internet has the same response to
censorship's doppelgangers - secrecy, encryption
and the user's desire for privacy: it rejects them and finds a way around.

Those bits and bytes just want to be free. And we
have to find a way to live with that.

1. See Tracking GhostNet: Investigating a Cyber Espionage Network.
2. See Hushmail warns users over law enforcement backdoor.
3. See the University of Cambridge report "Snooping Dragon".
4. See Defeat Internet Censorship: Overview of Advanced Technologies and Products.
5. See Why you need balls of steel to operate a Tor exit node.

Peter Lee writes on East and South Asian affairs
and their intersection with US foreign policy.