Small Start-Up Helps the CIA To Mask Its Moves on the Web

[InfoSec News <isn () C4I ORG>]

http://cryptome.org/cia-safeboy.htm

By NEIL KING JR.
Staff Reporter of THE WALL STREET JOURNAL
February 12, 2001

How's this for a curious pairing? Stephen Hsu and his partners at
SafeWeb Inc. launch a Web site (www.safeweb.com) offering the utmost
in Internet privacy -- and then hook up with the notoriously intrusive
Central Intelligence Agency.

The new alliance between the Oakland, Calif., entrepreneurs and the
spooks from Langley, Va., shows how serious the CIA is about improving
its spycraft. The agency two years ago set up its own venture-capital
firm, known as In-Q-Tel, to search out just the sort of innovations
that SafeWeb offers.

The CIA, in this case, wants to use a SafeWeb program to mask its own
movements on the Internet, so it can gather information incognito.
SafeWeb suggests that the CIA also might use its technology to allow
its far-flung agents and informants to communicate home, without the
countries they are spying on ever knowing.

What's puzzling is why a tiny, year-old start-up would want to link up
with an agency that is the nemesis of privacy buffs everywhere.

"I'm sure we'll take a hit from the 5% of our most paranoid
customers," says Mr. Hsu, SafeWeb's 34-year-old co-founder and a
theoretical physicist by training. But the CIA connection, he says, is
deliberately distant. SafeWeb will provide the agency with customized
software, but the CIA will have no access to the company's Web
computers or to the workings of its core software, he insists.

And who better to test the power of its privacy software than the
world's top spies? "If our technology can satisfy them," Mr. Hsu says,
"it can satisfy just about anyone."

The technology is a clever piece of software called Triangle Boy that
SafeWeb plans to post free this month on the Web. The CIA, through
In-Q-Tel, is investing in a revved-up version of the software, which
can bounce digital traffic around the Web anonymously, as well as
rights to an equity stake in SafeWeb should the company go public.
Neither side will disclose financial details.

The CIA has been slow to mine the riches of the Internet for fear of
exposing its own vast computer network to viruses or hacker attacks.
It also worries that others will monitor its activities if it roams
the Web without proper disguise.

What SafeWeb offers is a chance to move about the Internet without
leaving any trace. Users simply go to the company's Web site and type
in the address of the actual site they are seeking. SafeWeb's site
acts as an intermediary; anyone monitoring the activity would see only
the traffic between the user's computer and SafeWeb -- and not the
user's ultimate destination. The site recorded more than one million
unique visits last month.

But what really caught the CIA's fancy was Triangle Boy, a software
package that can turn any personal computer into a surrogate Web
server. The system allows users to navigate to any number of innocuous
PC addresses, and then go to the actual Web site they are seeking --
without leaving a trace. Triangle Boy works by forwarding the request
for the desired Web site on to SafeWeb's site, which then makes the
connection. SafeWeb developed Triangle Boy to deter companies or
countries from blocking access to its site, as Saudi Arabia did last
November.

CIA specialists say their core interest in Triangle Boy is anonymous
Internet browsing. "We want to operate anywhere on the Internet in a
way that no one knows the CIA is looking at them," says a senior CIA
official with connections to the In-Q-Tel team.

But the possible uses go way beyond that. SafeWeb says the agency also
could use the technology as a secure way for its "assets," or
contacts, to communicate with CIA headquarters. The CIA also suggests
that it may one day build a global network made up of Triangle Boys
and servers equipped with SafeWeb-style software to communicate with
employees and informants. CIA Director George Tenet told the Senate
last week that one of his chief ambitions is "to take modern Web-based
technology and apply it to our business relentlessly."

The SafeWeb technology could prove just as handy in getting
information covertly into other countries. It was this application
that originally inspired Mr. Hsu to reach out to the CIA last summer.
"I imagined them wanting to use Triangle Boy to get Voice of America
or something like that into countries where it was blocked," he said.

Others suggest more devious possibilities. An application like
Triangle Boy, if scattered among hundreds of PCs, could be a way to
cloak a multipronged "cyber attack" on someone else's computer system.
The CIA, along with the Pentagon, has worked for years to perfect ways
to electronically meddle with other countries' banking systems or
electricity grids, and Triangle Boy could allow them to do it without
the target ever knowing who was behind the attack. "It would be the
functional equivalent of an electronic silencer," says one technology
expert with wide experience in the intelligence community. "You could
shoot electronic bullets right down the pipe without anyone knowing
where they came from." Intelligence officials deny they have any
interest in using Triangle Boy for offensive attacks.

The CIA wants the strengthened version of Triangle Boy reconfigured so
it can handle the CIA's own much higher-powered encryption. It also
wants to ensure that only its own employees and contacts can
communicate via Triangle Boy. SafeWeb is expected to deliver the
customized version by April.

Some observers suggest that the CIA's real interest is figuring out
how to crack Triangle Boy and to thwart its use among the public.
Encryption and the spread of Internet-based communications have made
life miserable for the National Security Agency, the CIA's sister
organization responsible for electronic eavesdropping around the
world. Software such as Triangle Boy will render the challenge that
much tougher.

But the CIA denies the allegation. "We're looking to use new
technology, not to break it," said the CIA official, who added that
the NSA was informed of the Triangle Boy investment and will later get
to inspect the software. But with or without CIA involvement, the
official said, technology is moving too fast for the NSA to keep up.

For Mr. Hsu, the key is to manage the relationship with the CIA
without damaging his company's reputation. His customers, after all,
are people who take privacy very seriously, so trust is a critical
part of its business model. There are already glimmers of suspicion in
some Internet chat rooms. "This could be the greatest NSA trap ever,"
wrote one skeptic of the SafeWeb site. "This actually makes it easier
for people to spy on you," wrote another.

Mr. Hsu, though, insists that the CIA relationship is "completely
separate from our core business." The agency will have no access to
SafeWeb's operations or insider knowledge of its proprietary software.
But on the other hand, he says, if the CIA is pleased with its
customized version of Triangle Boy and puts it to use, "that will be a
big seal of approval from the government."

Write to Neil King Jr. at neil.king () wsj com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".