Loading ...
Sorry, an error occurred while loading the content.

FW: (ai) The Spy Who Hacked Me Will Open Source Be The Hero Of In (fwd)

Expand Messages
  • Fred Cohen
    Read to the center at least for the information about targeting the U.S. The Spy Who Hacked Me Will Open Source Be The Hero Of International Security? Neil
    Message 1 of 1 , Mar 20, 2001
    • 0 Attachment
      Read to the center at least for the information about targeting the U.S.

      The Spy Who Hacked Me Will Open Source Be The Hero Of International
      Security?

      Neil McAllister, Special to SF Gate

      If there's strength in numbers, then the open-source software movement and
      Linux in particular might soon get a whole lot stronger, having gained the
      support of an unusual -- and populous -- ally.

      According to reports in recent months, the People's Republic of China has
      begun endorsing the free operating system as the nation's preferred
      computing platform, for both private and government use.

      On the surface, it might seem to make sense that the "socialized"
      development process of open-source projects would appeal to a communist
      nation such as China.

      But that's not really the main reason for China's interest in Linux. True
      open-source software is often described as being "free, as in free speech"
      but China's never shown much of an interest in promoting free speech.

      Economic concerns aren't the motive, either. Sure, Linux is also "free, as
      in free beer." But in a country with almost zero recognition of intellectual
      property rights, so is just about everything else. Current estimates reckon
      that some 90 percent of the software in use in China today comes from
      pirated copies.

      So why the move toward Linux? Simple. It may be the only OS China can trust.

      Consider: Today, as many as 95 percent of the computers in use in China are
      powered by Microsoft Windows, a U.S.-made product. That includes the
      machines used for government e-mail systems, banks and even defense.

      To some officials in the Chinese government, this reliance on foreign
      software represents a serious potential vulnerability.

      According to Sun Yufang, president of Chinese Linux vendor Red Flag, China's
      suspicion of foreign software stems is based on more than just ideology. "We
      are mainly concerned that foreign software, including Microsoft's, has back
      doors," Sun said in an interview with Bloomberg news. "We cannot control
      it."

      A "back door" is a secret method of gaining access to a computer by taking
      advantage of some undocumented feature or bug. When hackers discover flaws
      in closed-source software, they often exploit them to gain access to
      confidential information, or to damage systems outright.

      One Dutch cracker, who goes by the pseudonym OnTheFly, recently gained
      notoriety as the creator of a Windows-exploiting script known widely as the
      Anna Kournikova e-mail worm. Anna, like the "Love Bug" before it, attacks
      vulnerabilities in Microsoft's Outlook e-mail software, mailing copies of
      itself to a user's entire address book. Typical of virus creators, OnTheFly
      blames Microsoft's failure to secure its software for the losses that
      result.

      For individuals, virus attacks such as the Anna Worm are a frustrating
      annoyance. For corporations, they can amount to serious losses. But for a
      country such as China, the threat from unidentified vulnerabilities in
      applications and OS software can be much more severe. In their case, attacks
      by crackers could be a matter of national security.

      In its January 1997 issue, Popular Science magazine related the tale of a
      Xerox machine installed at the Soviet embassy in Washington, D.C., in the
      early 1960s. Xerox engineers cooperated with the CIA to install a miniature
      camera inside the copier to record images of classified documents. Each time
      a Xerox field rep was called out to service the machine, the camera's film
      was swapped out for a new roll.

      The Xerox story comes off mainly as an amusing anecdote of the Cold War,
      perhaps because it sounds about as high-tech as "Candid Camera." But
      development of eavesdropping technology didn't end in the '60s. The more
      sophisticated information systems become, the more sophisticated the means
      of snooping.

      Perhaps the most infamous Windows security exploit is a software package
      called Back Orifice, developed by the hacker group Cult of the Dead Cow.
      When secretly installed on a Windows 95 or Windows NT system, this tiny
      program allows snoops remote access to the system's passwords, views of its
      desktop, free run of its hard drive and more.

      The most insidious thing about all the software exploits mentioned is that
      they are network-based, and entirely remotely operable -- no Xerox repairman
      necessary. Internet attacks frequently cross international borders as
      effortlessly as reaching the server down the hall. In fact, of all the
      highly publicized network attacks that have affected American Internet users
      in recent years, only one -- the Melissa Virus -- originated in the United
      States.

      Could China's fears, then, be grounded in reality? Could sophisticated
      foreign hackers use software exploits such as Back Orifice to gain access to
      Chinese national and industrial secrets?

      Certainly, the threat of international espionage remains undiminished, even
      after the end of the Cold War. We know, because it happens to us.

      Adam L. Penenberg and Marc Barry, in their book "Spooked: Espionage in
      Corporate America" from Perseus Publishing, paint a picture of a
      never-ceasing cycle of international industrial espionage, and an almost
      constant flow of American trade secrets into foreign hands.

      Even some allies of the United States, such as France and the United
      Kingdom, are known repeat offenders when it comes to pilfering American
      industrial secrets, say the authors. And as for our enemies, they treat the
      US "like one giant R&D laboratory."

      China itself is no stranger to espionage in hi-tech industries. According to
      Penenberg and Barry, the Chinese are "notorious" for setting up front
      companies to purchase and gain access to off-limits technologies. So why
      shouldn't China expect its enemies to use whatever means available to gain
      intelligence on its own activities?

      Hence China's dilemma. For all they know, unforeseen vulnerabilities in the
      foreign software that powers their networks could be the equivalent of a
      window left wide open. Thus, one solution that's gaining popularity is to
      use an OS and applications from a source with no corporate secrets: the free
      software community.

      The idea has support from the highest levels of Chinese government. Red
      Flag, which ships a version of Linux custom-tailored for Chinese language
      processing, is controlled by the son of China's President Jiang Zemin.

      But for many end users in China, Linux has been a tough sell. Red Flag's Sun
      believes that lack of documentation is one of the key issues. Another is
      that Linux support for the Chinese language is less mature than that for
      Windows.

      Ironically, while the United States is currently far ahead of China in Linux
      development, our government's interest in the free OS is still lagging
      behind that of the private sector. In large part, this is due to heavy
      lobbying from the same closed-source software vendors that China eyes with
      suspicion, chiefly Microsoft.

      Open-source advocate Eric S. Raymond believes this profit-motivated thinking
      is ultimately a losing proposition. In his famous essay "The Cathedral and
      the Bazaar," he asserts that closed-source development is the inferior
      model, irrespective of one's own moral position on software development.

      "The open-source culture will triumph not because cooperation is morally
      right or software 'hoarding' is morally wrong," says Raymond, "...but simply
      because the closed-source world cannot win an evolutionary arms race with
      open-source communities that can put orders of magnitude more skilled time
      into a problem."

      And China is, after all, the most populous nation in the world. The
      Tokyo-based Asian Technology Information Program expects the number of
      software professionals in China to increase by 20,000 each year. Other
      sources predict even greater numbers, with some plotting exponential growth
      in the software field, as China continues with its aggressive campaign to
      teach English to professionals and schoolchildren.

      That's one hell of a potential open-source software community. In time, it
      could give China an impressive advantage in what Raymond terms the
      "evolutionary arms race" of software.

      And should China succeed in embracing Linux, the United States may someday
      need to peek in on what China's doing more than ever -- just to keep up.

      Neil McAllister is a writer, Internet developer, and technology consultant
      based in San Francisco.
    Your message has been successfully submitted and would be delivered to recipients shortly.