Information Security News mailing list archives

The Spy Who Hacked Me


From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 11:46:54 -0600

http://www.sfgate.com/cgi-bin/article.cgi?file=/technology/archive/2001/03/15/china.dtl

The Spy Who Hacked Me
Will Open Source Be The Hero Of International Security?

Neil McAllister
Special to SF Gate
Thursday, March 15, 2001

If there's strength in numbers, then the open-source software movement
and Linux in particular might soon get a whole lot stronger, having
gained the support of an unusual -- and populous -- ally.

According to reports in recent months, the People's Republic of China
has begun endorsing the free operating system as the nation's
preferred computing platform, for both private and government use.

On the surface, it might seem to make sense that the "socialized"
development process of open-source projects would appeal to a
communist nation such as China.

But that's not really the main reason for China's interest in Linux.
True open-source software is often described as being "free, as in
free speech" but China's never shown much of an interest in promoting
free speech.

Economic concerns aren't the motive, either. Sure, Linux is also
"free, as in free beer." But in a country with almost zero recognition
of intellectual property rights, so is just about everything else.
Current estimates reckon that some 90 percent of the software in use
in China today comes from pirated copies.

So why the move toward Linux? Simple. It may be the only OS China can
trust.

Consider: Today, as many as 95 percent of the computers in use in
China are powered by Microsoft Windows, a U.S.-made product. That
includes the machines used for government e-mail systems, banks and
even defense.

To some officials in the Chinese government, this reliance on foreign
software represents a serious potential vulnerability.

According to Sun Yufang, president of Chinese Linux vendor Red Flag,
China's suspicion of foreign software is based on more than just
ideology. "We are mainly concerned that foreign software, including
Microsoft's, has back doors," Sun said in an interview with Bloomberg
News. "We cannot control it."

A "back door" is a secret method of gaining access to a computer by
taking advantage of some undocumented feature or bug. When hackers
discover flaws in closed-source software, they often exploit them to
gain access to confidential information, or to damage systems
outright.

One Dutch cracker, who goes by the pseudonym OnTheFly, recently gained
notoriety as the creator of a Windows-exploiting script known widely
as the Anna Kournikova e-mail worm. Anna, like the "Love Bug" before
it, attacks vulnerabilities in Microsoft's Outlook e-mail software,
mailing copies of itself to a user's entire address book. Typical of
virus creators, OnTheFly blames Microsoft's failure to secure its
software for the losses that result.

For individuals, virus attacks such as the Anna Worm are a frustrating
annoyance. For corporations, they can amount to serious losses. But
for a country such as China, the threat from unidentified
vulnerabilities in applications and OS software can be much more
severe. In their case, attacks by crackers could be a matter of
national security.

In its January 1997 issue, Popular Science magazine related the tale
of a Xerox machine installed at the Soviet embassy in Washington,
D.C., in the early 1960s. Xerox engineers cooperated with the CIA to
install a miniature camera inside the copier to record images of
classified documents. Each time a Xerox field rep was called out to
service the machine, the camera's film was swapped out for a new roll.

The Xerox story comes off mainly as an amusing anecdote of the Cold
War, perhaps because it sounds about as high-tech as "Candid Camera."
But development of eavesdropping technology didn't end in the '60s.
The more sophisticated information systems become, the more
sophisticated the means of snooping.

Perhaps the most infamous Windows security exploit is a software
package called Back Orifice, developed by the hacker group Cult of the
Dead Cow. When secretly installed on a Windows 95 or Windows NT
system, this tiny program allows snoops remote access to the system's
passwords, views of its desktop, free run of its hard drive and more.

The most insidious thing about all the software exploits mentioned is
that they are network-based, and entirely remotely operable -- no
Xerox repairman necessary. Internet attacks frequently cross
international borders as effortlessly as reaching the server down the
hall. In fact, of all the highly publicized network attacks that have
affected American Internet users in recent years, only one -- the
Melissa Virus -- originated in the United States.

Could China's fears, then, be grounded in reality? Could sophisticated
foreign hackers use software exploits such as Back Orifice to gain
access to Chinese national and industrial secrets?

Certainly, the threat of international espionage remains undiminished,
even after the end of the Cold War. We know, because it happens to us.

Adam L. Penenberg and Marc Barry, in their book "Spooked: Espionage in
Corporate America" from Perseus Publishing, paint a picture of a
never-ceasing cycle of international industrial espionage, and an
almost constant flow of American trade secrets into foreign hands.

Even some allies of the United States, such as France and the United
Kingdom, are known repeat offenders when it comes to pilfering
American industrial secrets, say the authors. And as for our enemies,
they treat the US "like one giant R&D laboratory."

China itself is no stranger to espionage in hi-tech industries.
According to Penenberg and Barry, the Chinese are "notorious" for
setting up front companies to purchase and gain access to off-limits
technologies. So why shouldn't China expect its enemies to use
whatever means available to gain intelligence on its own activities?

Hence China's dilemma. For all they know, unforeseen vulnerabilities
in the foreign software that powers their networks could be the
equivalent of a window left wide open. Thus, one solution that's
gaining popularity is to use an OS and applications from a source with
no corporate secrets: the free software community.

The idea has support from the highest levels of Chinese government.
Red Flag, which ships a version of Linux custom-tailored for Chinese
language processing, is controlled by the son of China's President
Jiang Zemin.

But for many end users in China, Linux has been a tough sell. Red
Flag's Sun believes that lack of documentation is one of the key
issues. Another is that Linux support for the Chinese language is less
mature than that for Windows.

Ironically, while the United States is currently far ahead of China in
Linux development, our government's interest in the free OS is still
lagging behind that of the private sector. In large part, this is due
to heavy lobbying from the same closed-source software vendors that
China eyes with suspicion, chiefly Microsoft.

Open-source advocate Eric S. Raymond believes this profit-motivated
thinking is ultimately a losing proposition. In his famous essay "The
Cathedral and the Bazaar," he asserts that closed-source development
is the inferior model, irrespective of one's own moral position on
software development.

"The open-source culture will triumph not because cooperation is
morally right or software 'hoarding' is morally wrong," says Raymond,
"...but simply because the closed-source world cannot win an
evolutionary arms race with open-source communities that can put
orders of magnitude more skilled time into a problem."

And China is, after all, the most populous nation in the world. The
Tokyo-based Asian Technology Information Program expects the number of
software professionals in China to increase by 20,000 each year. Other
sources predict even greater numbers, with some plotting exponential
growth in the software field, as China continues with its aggressive
campaign to teach English to professionals and schoolchildren.

That's one hell of a potential open-source software community. In
time, it could give China an impressive advantage in what Raymond
terms the "evolutionary arms race" of software.

And should China succeed in embracing Linux, the United States may
someday need to peek in on what China's doing more than ever -- just
to keep up.

ISN is hosted by SecurityFocus.com