Posts tagged “Internet Surveillance”

Google’s New Approach



Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.

But the most interesting result is that, due to the combination of attacks, surveillance and censorship, Google has decided to reassess their operations in China:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow.

The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China about what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.

The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats that are heavily dependent on additional factors, such as involvement in political activities, that involve targeted attacks and surveillance. China chooses when, where and how to exercise this granular control.

The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber which focuses on Internet threats) — has been focusing on these threats. For example, in a report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how Tom-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that compromised over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.

China, the ball is in your court.

Link Dump



BlackBerry Spyware Dissected – Analysis by Veracode. My favourite quote: “it’s not even necessary to send the .jar, but they did, completely unobfuscated. Arrogance or incompetence?”

The 0s and 1s of Computer Warfare – Op-Ed by Evgeny Morozov. My favourite quote: “A serious international debate about cybersecurity is impossible if our only reference points are “digital Pearl Harbors” and “e-Katrinas.””

Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks – Wired. My favourite quote: “They’re reaching the conclusion that this was a state act and that “this couldn’t be some amateurs,” claimed Hoekstra, in direct opposition to what security experts have actually been saying.”

If you’re going to Defcon, go to:

0-day, gh0stnet and the inside story of the Adobe JBIG2 vulnerability

Lots of Stuff



CIPAV – docs 1, 2, 3 — Because suspects are increasingly using tools to mask their IP address, the FBI now uses a “computer and internet protocol address verifier” to identify a suspect’s IP (as well as additional info). It appears to work by leveraging various “drive-by” exploits. On a worrying note, the first few lines of the document obtained by Wired via FOIA note “we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions”.

Joint Strike Fighter – The same WaPo reporter behind the “electricity grid hack” story strikes again. This time with at least a few interesting details. What I found interesting is the mention of the fact that the attacks were reportedly on allies, such as Turkey, that are part of the development and on contractors such as Lockheed Martin, Northrop Grumman Corp. and BAE Systems PLC. (more here).

“Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities” — I haven’t read it in detail yet, but it looks very interesting. The best line so far: “Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain.”

Insider Threat — This is something I’ve been focusing on recently, but here is a report which suggests that “37% of employees would become insiders given the right incentive”.

TOM-Skype Logs



I received a request regarding the types of logs that TOM-Skype keeps and have seen some discussion around what Skype could possibly be keeping. (For background on TOM-Skype censorship and surveillance practices, see Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform and blog posts here, here and here.) While my report focused on the “content filter” logs that contained the text of chat messages, there were a variety of other logs:

  • contentfilter*.log – ip, username, message, date, time (+ unknown parameters)
  • skypecallinfo*.log – ip, username, version, username/phone number, date, time (+ unknown parameters)
  • skypelogininfo*.log – ip, version, username, date, time
  • skypenewuser*.log – ip, version, username, date, time
  • skypenewusersendmoneytest*.log – unable to decrypt
  • skypeonlineinfo*.log – ip, username, version, date, time (+ unknown parameters)
  • skypeversion*.log – version, ip, date, time (not encrypted)

The function of each log is pretty self-explanatory based on the name of the file. In addition to the “contentfilter” logs, the “skypecallinfo” logs were very important as these files contain a record of who called who (Skype usernames or phone numbers). In total, between the “skypecallinfo” logs and the “contentfilter” logs there are upwards of 4.5 million unique Skype usernames or phone numbers in the logs I was able to download.

This doesn’t tell us anything about possible wiretapping with Skype or whether or not voice calls (other than the call data record in “skypecallinfo”) can be logged in other ways. Still, in many cases just knowing who is talking to who is as valuable as the content of the conversation itself.
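What the “skypecallinfo” fields disclose without any message content, as an added example that is not code from the original post or from the report. The post lists only the field names, so the comma-separated layout, the key names used in the code and every sample value below are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records. Field order follows the skypecallinfo
# description above (ip, username, version, username/phone number, date,
# time); the comma-separated layout and all values are assumptions.
SAMPLE_CALLINFO = """\
192.0.2.10,alice_example,3.8.4.44,bob_example,2008-09-01,10:15:02
192.0.2.10,alice_example,3.8.4.44,+15555550101,2008-09-01,10:42:40
198.51.100.7,bob_example,3.8.4.44,carol_example,2008-09-01,11:03:19
192.0.2.77,alice_example,3.8.4.44,bob_example,2008-09-02,09:01:55
203.0.113.5,dave_example,3.6.0.24,+15555550101,2008-09-02,14:30:00
"""

FIELDS = ("ip", "caller", "version", "callee", "date", "time")


def parse_callinfo(text):
    """Return one dict per record, skipping lines with too few fields."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # malformed, truncated or blank line
        # Extra trailing columns (the "unknown parameters") are ignored.
        records.append(dict(zip(FIELDS, (c.strip() for c in row))))
    return records


def is_phone_number(identifier):
    """The callee field holds either a username or a dialled number."""
    return identifier.startswith("+") and identifier.lstrip("+").isdigit()


def exposure_report(records):
    """Summarise what the call metadata alone discloses."""
    contacts = defaultdict(set)    # identifier -> everyone it is linked to
    caller_ips = defaultdict(set)  # caller -> source IPs it was seen at
    for r in records:
        contacts[r["caller"]].add(r["callee"])
        contacts[r["callee"]].add(r["caller"])
        caller_ips[r["caller"]].add(r["ip"])
    identifiers = set(contacts)
    return {
        "unique_identifiers": len(identifiers),
        "phone_numbers": sorted(i for i in identifiers if is_phone_number(i)),
        "contacts": {k: sorted(v) for k, v in contacts.items()},
        "caller_ips": {k: sorted(v) for k, v in caller_ips.items()},
    }


if __name__ == "__main__":
    report = exposure_report(parse_callinfo(SAMPLE_CALLINFO))
    print("unique identifiers:", report["unique_identifiers"])
    for who, peers in sorted(report["contacts"].items()):
        ips = report["caller_ips"].get(who, [])
        print(f"{who}: linked to {peers}; seen at {ips}")
```

Five short records are enough to link a phone number to two otherwise unrelated accounts and to tie one account to two network locations, which is why retaining this kind of log is a privacy risk even when no chat text is stored.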

Watching the Watchers



The Irish Times reports:

CHINA’S TOP surveillance tsar has been arrested for taking bribes and framing a business rival, a move that has inspired and gratified both local bloggers and foreign journalists used to stultifying censorship regulations, and prompted questions at senior levels of the Communist Party about how the “Great Firewall of China” is enforced.

Unfortunately, the article itself has some of the typical nonsense seen in many articles about surveillance in China such as:

But China has tens of thousands of “net nannies”, who read every e-mail, web posting or search for “Dalai Lama”, and they are a huge impediment to reporting in China.

I wish they’d think about what “read every e-mail” means.

Surveillance was a Chinese Gov’t Requirement — Skype



I raised questions in the “Breaching Trust” report regarding why TOM-Skype started to log their users’ messages and who had access to the data. Skype now says that the monitoring was a Chinese government requirement. Now we know why it was done and who had access to the captured messages.

Skype President Josh Silverman writes:

What have you learned from TOM about the uploading and storing of certain chats, and what are you doing about it?

What we have discovered in our conversations with TOM is that they in fact were required to do this by the Chinese government.

“Extremely Concerned” — Skype



UPDATE: Skype President Addresses Chinese Privacy Breach — Josh Silverman’s statement on the Skype blog.

The AFP reports:

Skype said it learned just Wednesday that a previously disclosed text filter operated by TOM-Skype, a joint venture between Chinese mobile firm TOM Online and Skype, had been altered.

“Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned,” Skype, which is owned by US online auction house eBay, said.

“We deeply apologise for the breach of privacy relating to chat messages on TOM’s servers in China and we are urgently addressing this situation with TOM,” the company said.

AFP

Skype president Josh Silverman said in a statement that TOM Online “just like any other communications company in China, has established procedures to meet local laws and regulations.

“These regulations include the requirement to monitor and block instant messages containing certain words deemed ‘offensive’ by the Chinese authorities,” Silverman said.

“It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years,” he said.

He recalled that in April 2006, Skype admitted that TOM Online “operated a text filter that blocked certain words in chat messages” and unsuitable messages were to be “discarded and not displayed or transmitted anywhere.”

“It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed,” he said.

“We are currently addressing the wider issue of the uploading and storage of certain messages with TOM,” Silverman said, stressing that the millions of people around the world using standard Skype software were unaffected.

TOM-Skype Q & A



I have been getting a lot of questions and feedback on the “Breaching Trust” report. I’ll try to post more details and answer questions. Here are some of the common questions people have been asking.

How were you able to determine that messages containing keywords were being uploaded to a web server? How did you find and decrypt the messages?

Wireshark. Every time I typed the word “fuck” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.

Is “normal” Skype affected?

No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.

What is TOM-Skype and what is the difference between it and Skype?

If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s the version most Chinese people will use.

In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.

What is Skype saying, have they said anything to you?

I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the statements they’ve made to reporters.

The NYT:

Jennifer Caukin, an eBay spokeswoman, said, “The security and privacy of our users is very important to Skype.” But the company spoke to the accessibility of the messages, not their monitoring. “The security breach does not affect Skype’s core technology or functionality,” she said. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.” EBay had no comment on the monitoring.

To the WSJ:

Jennifer Caukin, a spokeswoman for Skype, said in an emailed statement that the security problem had been remedied as a result of the new report. The idea that China’s government “might be monitoring communications in and out of the country shouldn’t surprise anyone,” Ms. Caukin said. “Nevertheless, we were very concerned to hear about the apparent security issue” that enabled people to view user information, and “we are pleased that, once we informed TOM about it, that they were able to fix the flaw.”

In a separate statement, TOM Group said that “as a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”

The WSJ blog has the statement in full.

In the past Skype stated:

The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.

What I found directly contradicts this.

How does this relate to Corporate Social Responsibility (and the voluntary Principles of Free Expression and Privacy process)?

This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.

Some companies, such as Google, have stated that while they censor some search results, they “will not maintain on Chinese soil any services, like email, that involve personal or confidential data.”

In this case Skype appears to have delegated all of the censorship and surveillance responsibilities to TOM – I don’t think they read Rebecca’s paper; they should. While examining the Yahoo! China – Shi Tao case she warned:

Companies that choose to ignore the broader human rights implications of their business practices are gambling with their long-term global reputations as trustworthy conduits or repositories of people’s personal communications and information.

Are the “key words” censored? Or are the messages just logged?

The only key word that I could use to trigger the content filter (the message is not displayed to the user) and have logged in the content filter logs (uploaded to the TOM-Skype server) was “fuck” (and variations like f*ck). If a message contains the word “fuck” it is not displayed to the user (the entire message is not displayed) and the entire message is uploaded and logged.

In the same content filter logs I found that the majority of the logged messages did not contain obscenities, like fuck. However, many of the messages contained words like “Communist Party”. I counted the number of logged messages that contained these words, and from that I identified what I think are key words. It is unclear if these messages are just logged, or are censored and logged.

Post questions in the comments and I’ll try to answer them :)

Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform



[UPDATE: New York Times coverage of the report here.]

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype—the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China’s censorship and surveillance policies.

The questionable security practices of TOM-Online led to the disclosure of millions of records containing personal information regarding mobile phone accounts, SMS messages, and the usage of TOM-Skype. However, this disclosure also confirms that TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance.

These findings raise key questions. To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?

Full Report (mirror)


Yahoo, MSN Censor More than Baidu



China unblocked many usually censored web sites following intense international pressure and scrutiny after having promised uncensored access during the Olympics. Five days later (August 6, 2008) I tested the search engines that Google, Yahoo! and Microsoft customize for the Chinese market as well as the leading domestic search engine Baidu. I found that all of the search engines were still censoring content that was unblocked by China. One interesting find was that Yahoo! was censoring less than all the others and Baidu (and Google) were censoring much less than Microsoft.

For purposes of comparison, Google and Microsoft make a good match because both have to de-list web sites from search results, while Yahoo! and Baidu index from within China and thus do not (usually) index sites already censored by China. (For more read my report on search engine comparison.)

Now, over a month later, things have changed. While these sites remain accessible in China, some are still censored by the search engines. Google has dropped to only censoring two sites and is now censoring the least amount of content. Baidu is next with three censored sites. Microsoft remained steady, but Yahoo! has shifted from censoring the least amount of sites to the most!

The divergence between Yahoo! and Baidu is very interesting. If both crawl from within China and are subject to China’s filtering why is Yahoo! censoring so much more than Baidu? It could be that the conclusion that Yahoo! and Baidu do not de-list content is not fully accurate. If the sites are accessible in China then Yahoo! is likely de-listing the sites. Because of the suboptimal method of censorship notification employed by Yahoo! (a standard disclaimer on every page regardless of whether any of the results are censored or not) I cannot fully distinguish between sites that are de-listed and sites that have not been indexed (e.g. because China blocks them).

I’m still struck by the fact that over a month later sites that are available and uncensored in China are still censored by these search engines.

| DOMAINS | Google | Yahoo | Microsoft | Baidu |
|---|---|---|---|---|
| ip | 203.208.39.99 | 202.165.102.243 | 202.89.236.206 | 202.108.22.43 |
| host | www.google.cn | one.cn.yahoo.com | cnweb.search.live.com | www.baidu.com |
| chinese.wsj.com | OK | OK | OK | OK |
| cn.reuters.com | OK | OK | OK | OK |
| news.chinatimes.com | OK | CENSORED (0) | CENSORED (0) | OK |
| olympics.scmp.com | OK | OK | OK | OK |
| udn.com | OK | OK | OK | OK |
| www.amnesty.org | OK | CENSORED (0) | CENSORED (0) | CENSORED (0) |
| www.atchinese.com | OK | CENSORED (0) | CENSORED (0) | OK |
| www.ftchinese.com | OK | OK | OK | OK |
| www.hrw.org | OK | CENSORED (0) | CENSORED (0) | CENSORED (0) |
| www.libertytimes.com.tw | CENSORED (0, message) | OK | OK | OK |
| www.mingpaomonthly.com | OK | OK | OK | OK |
| www.mingpaonews.com | OK | CENSORED (0) | CENSORED (0) | OK |
| www.rfa.org | CENSORED (0, message) | CENSORED (0) | CENSORED (0) | OK |
| www.rsf.org | OK | CENSORED (0) | CENSORED (0) | OK |
| www.scmp.com | OK | OK | OK | OK |
| www.voanews.com | OK | CENSORED (0) | CENSORED (0) | CENSORED (0) |
| www.yzzk.com | OK | CENSORED (0) | OK | OK |
| www1.appledaily.atnext.com | OK | CENSORED (0) | OK | OK |
| zh.wikipedia.org | OK | CENSORED (0) | CENSORED (0) | OK |