The Spy Who Hacked Me

Will Open Source Be The Hero Of International Security?

by Neil McAllister, Special to SFGate
(Originally published Thursday, March 15, 2001. Editor: Amy Moon)

If there's strength in numbers, then the open-source software movement and Linux in particular might soon get a whole lot stronger, having gained the support of an unusual — and populous — ally.

According to reports in recent months, the People's Republic of China has begun endorsing the free operating system as the nation's preferred computing platform, for both private and government use.

On the surface, it might seem to make sense that the "socialized" development process of open-source projects would appeal to a communist nation such as China.

But that's not really the main reason for China's interest in Linux. True open-source software is often described as being "free, as in free speech," but China's never shown much of an interest in promoting free speech.

Economic concerns aren't the motive, either. Sure, Linux is also "free, as in free beer." But in a country with almost zero recognition of intellectual property rights, so is just about everything else. Current estimates reckon that some 90 percent of the software in use in China today comes from pirated copies.

So why the move toward Linux? Simple. It may be the only OS China can trust.

Consider: Today, as many as 95 percent of the computers in use in China are powered by Microsoft Windows, a U.S.-made product. That includes the machines used for government e-mail systems, banks and even defense.

To some officials in the Chinese government, this reliance on foreign software represents a serious potential vulnerability.

According to Sun Yufang, president of Chinese Linux vendor Red Flag, China's suspicion of foreign software is based on more than just ideology. "We are mainly concerned that foreign software, including Microsoft's, has back doors," Sun said in an interview with Bloomberg News. "We cannot control it."

A "back door" is a secret method of gaining access to a computer by taking advantage of some undocumented feature or bug. When hackers discover flaws in closed-source software, they often exploit them to gain access to confidential information, or to damage systems outright.

One Dutch cracker, who goes by the pseudonym OnTheFly, recently gained notoriety as the creator of a Windows-exploiting script known widely as the Anna Kournikova e-mail worm. Anna, like the "Love Bug" before it, attacks vulnerabilities in Microsoft's Outlook e-mail software, mailing copies of itself to a user's entire address book. Typical of virus creators, OnTheFly blames Microsoft's failure to secure its software for the losses that result.

For individuals, virus attacks such as the Anna Worm are a frustrating annoyance. For corporations, they can amount to serious losses. But for a country such as China, the threat from unidentified vulnerabilities in applications and OS software can be much more severe. In their case, attacks by crackers could be a matter of national security.

In its January 1997 issue, Popular Science magazine related the tale of a Xerox machine installed at the Soviet embassy in Washington, D.C., in the early 1960s. Xerox engineers cooperated with the CIA to install a miniature camera inside the copier to record images of classified documents. Each time a Xerox field rep was called out to service the machine, the camera's film was swapped out for a new roll.

The Xerox story comes off mainly as an amusing anecdote of the Cold War, perhaps because it sounds about as high-tech as "Candid Camera." But development of eavesdropping technology didn't end in the '60s. The more sophisticated information systems become, the more sophisticated the means of snooping.

Perhaps the most infamous Windows security exploit is a software package called Back Orifice, developed by the hacker group Cult of the Dead Cow. When secretly installed on a Windows 95 or Windows NT system, this tiny program allows snoops remote access to the system's passwords, views of its desktop, free run of its hard drive and more.

The most insidious thing about all the software exploits mentioned is that they are network-based, and entirely remotely operable — no Xerox repairman necessary. Internet attacks frequently cross international borders as effortlessly as reaching the server down the hall. In fact, of all the highly publicized network attacks that have affected American Internet users in recent years, only one — the Melissa Virus — originated in the United States.

Could China's fears, then, be grounded in reality? Could sophisticated foreign hackers use software exploits such as Back Orifice to gain access to Chinese national and industrial secrets?

Certainly, the threat of international espionage remains undiminished, even after the end of the Cold War. We know, because it happens to us.

Adam L. Penenberg and Marc Barry, in their book Spooked: Espionage in Corporate America (Perseus Publishing), paint a picture of a never-ceasing cycle of international industrial espionage, and an almost constant flow of American trade secrets into foreign hands.

Even some allies of the United States, such as France and the United Kingdom, are known repeat offenders when it comes to pilfering American industrial secrets, say the authors. And as for our enemies, they treat the U.S. "like one giant R&D laboratory."

China itself is no stranger to espionage in hi-tech industries. According to Penenberg and Barry, the Chinese are "notorious" for setting up front companies to purchase and gain access to off-limits technologies. So why shouldn't China expect its enemies to use whatever means available to gain intelligence on its own activities?

Hence China's dilemma. For all they know, unforeseen vulnerabilities in the foreign software that powers their networks could be the equivalent of a window left wide open. Thus, one solution that's gaining popularity is to use an OS and applications from a source with no corporate secrets: the free software community.

The idea has support from the highest levels of Chinese government. Red Flag, which ships a version of Linux custom-tailored for Chinese language processing, is controlled by the son of China's President Jiang Zemin.

But for many end users in China, Linux has been a tough sell. Red Flag's Sun believes that lack of documentation is one of the key issues. Another is that Linux support for the Chinese language is less mature than that for Windows.

Ironically, while the United States is currently far ahead of China in Linux development, our government's interest in the free OS is still lagging behind that of the private sector. In large part, this is due to heavy lobbying from the same closed-source software vendors that China eyes with suspicion, chiefly Microsoft.

Open-source advocate Eric S. Raymond believes this profit-motivated thinking is ultimately a losing proposition. In his famous essay "The Cathedral and the Bazaar," he asserts that closed-source development is the inferior model, irrespective of one's own moral position on software development.

"The open-source culture will triumph not because cooperation is morally right or software 'hoarding' is morally wrong," says Raymond, "...but simply because the closed-source world cannot win an evolutionary arms race with open-source communities that can put orders of magnitude more skilled time into a problem."

And China is, after all, the most populous nation in the world. The Tokyo-based Asian Technology Information Program expects the number of software professionals in China to increase by 20,000 each year. Other sources predict even greater numbers, with some plotting exponential growth in the software field, as China continues with its aggressive campaign to teach English to professionals and schoolchildren.

That's one hell of a potential open-source software community. In time, it could give China an impressive advantage in what Raymond terms the "evolutionary arms race" of software.

And should China succeed in embracing Linux, the United States may someday need to peek in on what China's doing more than ever — just to keep up.


