China Stories - US Busting Crypto Exports, Fighting Censorship by Corrupting Safeweb
The NYT and USA Today both have articles about the Customs busting two US Chinese guys for exporting US military crypto gear. It's the KIV-7HS, made by our old buddies at Mykotronx (who made Clipper.) The NYT said the Feds were worried that if the Chinese reverse engineered it, they'd be able to crack lots of our crypto secrets. Normally I'd say that if that's the case, it's really shoddy crypto - but one of the interesting things Bamford mentions in "Body of Secrets" is that one of the US spies, I think Hansen or Walker, had been feeding crypto keys to the Russians, so the crypto gear they got from the Pueblo made it possible for them to crack years of messages; perhaps they're worried about the same thing here. Eugene Hsu of Blue Springs, MO and David Yang of Temple City CA face a maximum penalty of 10 years in jail and $1M fine.
Meanwhile, the NYT had a front-page story that one of the US propaganda agencies is proposing to help fight censorship in China by promoting Safeweb, which is partly funded by In-Q-It, the CIA venture fund. They've apparently got about 100 servers, and the Triangle Boy feature makes it possible for them to keep changing IP addresses to make blocking harder. I assume if there are also Chinese Spies using it, the CIA will be able to get the operators to rat out their identities... But the main use will be to feed lots of news into China. I'd already mistrusted Safeweb - not their honesty, but their technology, since they require you to enable Javascript to use their tools. Yes, it makes it easy to write cool and powerful tools, but even if _their_ Javascript is perfectly secure, the fact that you need to have it turned on leaves you vulnerable whenever you read other web pages. (Also, their Javascript is slightly buggy; I've had trouble with window size and positioning issues.)
A third China Card in the news is the GAO's announcement that they suspect that Code Red originated at a university in Guangdong. Keith Rhodes, GAO's chief technologist, gave written testimony to the House Government Reform subcommittee, but didn't return US Today's calls. Of course, the real blame belongs to Microsoft - and US Today, who are getting surprisingly technical this week, has a couple of articles about the recent Hotmail/Passport hacks, in which security consultant and former Yahoo security advisor Jeremiah Grossman, who had recently cracked Hotmail in three lines of code, now has it down to one line... This is another cross-site scripting attack.
Bill Stewart wrote:
The NYT and USA Today both have articles about the Customs busting two US Chinese guys for exporting US military crypto gear. It's the KIV-7HS, made by our old buddies at Mykotronx (who made Clipper.) The NYT said the Feds were worried that if the Chinese reverse engineered it, they'd be able to crack lots of our crypto secrets. Normally I'd say that if that's the case, it's really shoddy crypto - but one of the interesting things Bamford mentions in "Body of Secrets" is that one of the US spies, I think Hansen or Walker, had been feeding crypto keys to the Russians, so the crypto gear they got from the Pueblo made it possible for them to crack years of messages; perhaps they're worried about the same thing here. Eugene Hsu of Blue Springs, MO and David Yang of Temple City CA face a maximum penalty of 10 years in jail and $1M fine.
Meanwhile, the NYT had a front-page story that one of the US propaganda agencies is proposing to help fight censorship in China by promoting Safeweb, which is partly funded by In-Q-It, the CIA venture fund. They've apparently got about 100 servers, and the Triangle Boy feature makes it possible for them to keep changing IP addresses to make blocking harder. I assume if there are also Chinese Spies using it, the CIA will be able to get the operators to rat out their identities... But the main use will be to feed lots of news into China. I'd already mistrusted Safeweb - not their honesty, but their technology, since they require you to enable Javascript to use their tools. Yes, it makes it easy to write cool and powerful tools, but even if _their_ Javascript is perfectly secure, the fact that you need to have it turned on leaves you vulnerable whenever you read other web pages. (Also, their Javascript is slightly buggy; I've had trouble with window size and positioning issues.)
A third China Card in the news is the GAO's announcement that they suspect that Code Red originated at a university in Guangdong. Keith Rhodes, GAO's chief technologist, gave written testimony to the House Government Reform subcommittee, but didn't return US Today's calls. Of course, the real blame belongs to Microsoft - and US Today, who are getting surprisingly technical this week, has a couple of articles about the recent Hotmail/Passport hacks, in which security consultant and former Yahoo security advisor Jeremiah Grossman, who had recently cracked Hotmail in three lines of code, now has it down to one line... This is another cross-site scripting attack.
Pretty short-sighted if CRII is a Chinese govt. intel operation. Looking through my logs I see scans from rooted boxes in Guangdong. As well as hundreds of locations all around the world. A number of Middle Eastern locations, for instance. Unless they're all honeypots, they're giving as much as they're getting. If this supposition is true, which I doubt. Could have been anybody, and no particular reason to single out China over any other potential culprit. Nope, no telling who, and more importantly, no point worrying about it, since everybody and his brother that's wont is exploiting it. Just chalk it up to entropy and deal with it.
I'm wondering if that Mykotronx box couldn't have done more good for U.S. intel if it *had* gone to China, but I'm not familiar enough with it to know. Unless the recipient was planning to set up a counterfeit assembly line or something. In which case I wouldn't be too happy if I were Mykotronx.
Since Mykotronx is getting press, I will put in a word for Bytex, which also makes encrypting ATM firewalls and such. You can get a way-cool Leo Marks WWII Silk Code mousepad from their website, http://www.bytex.com, in exchange for your sekrit personal info.
jbdigriz
participants (2)
- Bill Stewart
- James B. DiGriz