China Stories - US Busting Crypto Exports, Fighting Censorship by Corrupting Safeweb

[Bill Stewart]

The NYT and USA Today both have articles about the
Customs busting two US Chinese guys for exporting US military crypto gear.
It's the KIV-7HS, made by our old buddies at Mykotronx (who made Clipper.)
The NYT said the Feds were worried that if the Chinese reverse engineered it,
they'd be able to crack lots of our crypto secrets.
Normally I'd say that if that's the case, it's really shoddy crypto -
but one of the interesting things Bamford mentions in "Body of Secrets"
is that one of the US spies, I think Hansen or Walker, had been
feeding crypto keys to the Russians, so the crypto gear they got from
the Pueblo made it possible for them to crack years of messages;
perhaps they're worried about the same thing here.
Eugene Hsu of Blue Springs, MO and David Yang of Temple City CA
face a maximum penalty of 10 years in jail and $1M fine.

Meanwhile, the NYT had a front-page story that one of the
US propaganda agencies is proposing to help fight censorship in China
by promoting Safeweb, which is partly funded by In-Q-It, the CIA venture fund.
They've apparently got about 100 servers, and the Triangle Boy feature
makes it possible for them to keep changing IP addresses to make
blocking harder.  I assume if there are also Chinese Spies using it,
the CIA will be able to get the operators to rat out their identities...
But the main use will be to feed lots of news into China.
I'd already mistrusted Safeweb - not their honesty, but their technology,
since they require you to enable Javascript to use their tools.
Yes, it makes it easy to write cool and powerful tools,
but even if _their_ Javascript is perfectly secure,
the fact that you need to have it turned on leaves you vulnerable
whenever you read other web pages.  (Also, their Javascript is slightly buggy;
I've had trouble with window size and positioning issues.)

A third China Card in the news is the GAO's announcement that they
suspect that Code Red originated at a university in Guangdong.
Keith Rhodes, GAO's chief technologist, gave written testimony to
the House Government Reform subcommittee, but didn't return US Today's calls.
Of course, the real blame belongs to Microsoft - and US Today,
who are getting surprisingly technical this week, has a couple of articles
about the recent Hotmail/Passport hacks, in which security consultant
and former Yahoo security advisor Jeremiah Grossman, who had recently
cracked Hotmail in three lines of code, now has it down to one line...
This is another cross-site scripting attack.