Cult of the Dead Cow, Joseph Menn (2019), pp. 126-136
AT DEF CON back in 2001, as the Cult of the Dead Cow panel focused
on hacktivism and touted the spin-off Hacktivismo, the group also
announced what it said would be its first tool for evading government
censorship. Dubbed “Peekabooty,” the idea was complex. Users in free
countries could install the software and then serve as intermediaries for
people behind national firewalls in China or elsewhere, who might not be
able to reach forbidden religious, news, or other websites directly. They
could contact the volunteers running Peekabooty, who would not be
blocked, and the volunteers could automatically route the desired content to
them over the commonplace Secure Sockets Layer encryption, used at sites
whose web address begins with “https.” The authorities would not be able
to read any traffic, and they would not be alarmed, because it would look
like an ordinary encrypted business transaction.
Though the BBC had reported that the open-source project would be
unleashed at Def Con, it was not ready for release. Laird Brown was hoping
the advance publicity would attract more volunteers whom he could assign
to different aspects of the job. The lead programmer to emerge and labor
full-time on the task was software developer Paul Baranowski, who worked
with Laird at Toronto start-up OpenCola. But Baranowski grew annoyed
that Laird couldn’t find other programmers, and he and friend Joey deVilla
left Hacktivismo with the code. They released it on their own at a San
Francisco conference in February 2002. “Hacktivismo is good with thinking
up new projects” but not with follow-through, Baranowski said. But they
didn’t get critical mass, either. “Peekabooty’s most valuable contribution
was to say, ‘Hey, this kind of thing is possible, here’s an idea, go run with
it,’” deVilla said. “Its truest value was as a proof of concept.”
In 2004, Laird announced what he called the Six/Four System, a
reference to the June 4, 1989, Tiananmen Square massacre. Written by
incoming cDc member Kemal Akman, a talented German hacker with the
handle Mixter, Six/Four was another serious try at a safe network of
proxies. “I thought subverting totalitarian governments was cool,” Kemal
said. “cDc was making the most of its publicity for something positive.”
Kemal spent more than a year getting Six/Four to a point where it could be
published for others to build on. But Hacktivismo’s mailing list still only
had about twenty active members and perhaps two hundred lurkers. Like
Baranowski’s earlier attempt, Six/Four failed to thrive in the wild. All the
same, Hacktivismo’s very public attempts to provide free secure web tools
for the hundreds of millions of people under severe government scrutiny
and restrictions inspired other programmers who got the job done. It turned
out they didn’t need to invent a new tool, just revise an old one.
Back in the mid-nineties, three men at the US Naval Research
Laboratory had come up with the idea of bouncing internet traffic from one
server to another to a third to keep both ends anonymous from snoops in the
middle. The first node would know only where the initial contact had come
from and, after opening the first layer of the message, where to send the rest
of the content. The second would know only that it had heard from the first
node and that the content needed to go to a third node. And the third node
would know the final content and who outside the network should receive
it. No one would know both the content and the sender. Because this
multistep unpeeling resembled an onion, the project became known as the
Onion Router, later abbreviated as Tor. The Defense Advanced Research
Projects Agency (DARPA) provided new funding in 1997, seizing on the
effort as a way to protect US military and other undercover officials from
being identified as they investigated online.
To the government, though, this system had a fatal flaw: anyone who
was contacted via Tor would know a fed was knocking on the door. But one
of the original navy trio, mathematician Paul Syverson, along with new
collaborators Roger Dingledine and Nick Mathewson, discovered a way to
make it appealing enough that people outside the government would use it
too, effectively hiding the agents in the crowd. They completed a prototype
in September 2002, seven months after Peekabooty code came out, and
released a version of Tor to the public the following year.
Peekabooty and Six/Four were major influences on Tor. “One of the
strongest ways that Peekabooty influenced Tor was in pushing us to make
good, clear specifications of how Tor works and what it tries to achieve,”
Dingledine said. In addition, he said, Peekabooty was years ahead of Tor in
resisting censorship instead of just preserving anonymity. In 2004, craving
funding from an outside and nongovernmental source, the Tor Project
sought and won a grant from the Electronic Frontier Foundation, whose
lawyers had already been involved in efforts by cDc and Hacktivismo. The
EFF’s support, in turn, helped Tor get money from Human Rights Watch,
Google, and other parts of the federal government. Among other things, the
early competition from Hacktivismo showed potential funders that there
was a real demand for anonymity services and that activists independent of
the government wanted to provide it. “We saw them as a key part of our
constituency and fellow travelers,” then EFF legal director and future
executive director Cindy Cohn said of cDc. “These folks were trying to
support the use of technology, sometimes really advanced stuff, to empower
users and make social and political change. That’s what we believed in
too.”
The friendly competition continued, to the good of the users. In 2006,
Hacktivismo and a Texas cDc Ninja Strike Force member named Steve
Topletz released the most popular of the group’s anonymity tools, another
try at a protected browser, called Xerobank, or xB. This one was designed
to work with Tor, which at that point allowed for computer-to-computer
connections, email, and other services but not easy web surfing. This
browser was a modified version of Firefox that could work from a USB
stick. That meant it could go with a user to a public computer and leave no
trace. Once again, by publicly working on a safe browser, Hacktivismo
prodded Tor along. Tor released its own browser as part of a bundle,
making it far more usable. By 2006, more users were relying on Tor to
evade censorship, not to stay anonymous, and China had become the third-largest
market, with about ten thousand daily users.
In 2006, Laird organized a conference on wireless technology in
Dharamsala, India, the seat of the exiled Tibetan government. That helped
establish the area as a place for idealistic developers to work. Laird moved
to the city in 2009 and spent three years there helping the community
without pay. He worked on security in the Dalai Lama’s office and helped
build up local expertise. Then he spent two more years in Bangalore at an
internet policy nonprofit.
Hacktivismo inspired hundreds or thousands of individuals and groups.
Many had stories like Nathan Freitas’s. A New York tech worker at the turn
of the millennium, Freitas first heard about Tibetan repression from
concerts headlined by the Beastie Boys. Through a work acquaintance, in
the late 1990s he stumbled across a tiny Tibetan group in the Hell’s Kitchen
neighborhood that had only one modem and needed assistance setting up an
office network. He did that, then noticed that there were viruses on virtually
every machine. He realized that the Tibetans were under constant attack by
the Chinese government.
In 2004, Freitas had to make a choice. The small start-up he helped
found had been acquired by Palm, the smartphone pioneer, years before.
Now Palm wanted to promote him and move him to Silicon Valley. But if
he took that promotion, he’d be too busy for part-time activism. Freitas
looked at what the hackers in cDc had been able to do. “They were
hilarious, interesting, and effective,” he said. They showed that small
groups could “impact nation-state or global corporate policies. It was cDc
that made me say, ‘Maybe I can bring these things together.’”
Freitas quit Palm and used money from the acquisition to turn to
hacktivism full-time. He went to China for a month with equipment to
figure out how shortwave radio was being blocked and how to protect it.
Then he helped start Tibet Action Institute with Students for a Free Tibet
leader Lhadon Tethong, providing technical help and security advice to
emigrants around the world. In the run-up to the Beijing Olympics in 2008,
Freitas set up the satellite video feed to a publicly viewable website for a
protest from the base camp on Mount Everest. The higher-profile activism
brought more sophisticated cyberattacks from China, which just hardened
his resolve. In just 2008, he equipped seventy people, many inside the
mainland, with $3,000 crypto phones, burner phones, and netbooks. Freitas
went to Dharamsala in 2008 to train Tibetans and met up with Laird. “He
had this monk-like status, but he was this big, tall Canadian white guy,”
Freitas said. Laird coached Freitas and helped brainstorm about how to
accomplish more with less, and he introduced Freitas to his world of
contacts. When Google launched Android, Freitas jumped to use it for
making a secure phone more cheaply. Eventually, he masterminded a
version of Tor for the phones. Since then, his program has been downloaded
17 million times, and he now heads all of Tor’s mobile offerings.
Laird also inspired what many independent security experts consider the
best model for researching and exposing government use of the internet for
repression: the Citizen Lab, at the University of Toronto’s Munk School of
Global Affairs. It started with a University of Toronto student, Nart
Villeneuve, all the way back in 2001. He had read cDc text files and was
following along when the group launched Hacktivismo, soon joining that
mailing list. Inspired, he launched a modest website tracking various
hacktivism efforts, and he interviewed Laird for a text file of his own.
“When I was starting out, I sort of became attracted to the mythical hacker
archetype who could do everything,” Villeneuve said. Without a technical
background, he was interested in traditional politics and protests. Initially,
disruptive tactics like web defacements and denial-of-service attacks made
sense to him. But Laird’s writing took him toward “a more constructive side
of things,” he said, including getting around censorship. At the time, people
in China were complaining that they couldn’t see some of the web, but there
was no data about what was off-limits. Villeneuve came up with a way to
test for website blocking and wrote a class paper on it for professor Ron
Deibert. Deibert encouraged him to build out such software and hired him
for what became the nonprofit OpenNet Initiative, which monitored
censorship around the world. Then Villeneuve introduced Deibert to Laird.
The two men had long talks about the technological, social, political,
and business challenges of keeping the internet as free as John Perry
Barlow had declared it to be. They spoke about the need to get and publish
objective, detailed information about what was happening inside routers
and switches in hostile places. They agreed that the funding model for such
a project had to be above reproach, so that it could not be accused of being
in the pocket of an intelligence agency or a government. It would need to be
able to get the word out to other researchers, the press, and the public, so
that political pressure could be brought to bear on the implicated
governments as well as companies, many of them based in the West, that
provided the tools for censorship and spying.
“Some of our early interactions around hacktivism definitely were
important to me in terms of setting up Citizen Lab,” Deibert said. “I was,
like Laird, inspired by this hacking in the original sense of the word,
combined with some political orientation or morality underneath it. I
thought that was very appealing. I think we have the same outlook and
philosophy about what’s acceptable and not.”
Major research belonged at a university, Laird argued, because it
prioritized scholarship over profit or politics. Like Tor in the practical
sphere, a university could take in some government money yet remain
clean, as long as it declared its policies. It could also draw on those in
multiple disciplines—computer and security experts but also political
scientists. It would take a tremendous leap in ambition, since many colleges
still didn’t even offer courses in security.
In the spring of 2001, after receiving approval from the University of
Toronto and an initial grant from the Ford Foundation, Deibert opened the
Citizen Lab, with Villeneuve as his first hire. The modest official mission:
to study cyberspace “in the context of international security.” But the tools
to be used ranged from technical exploration to field research to political
theory. Almost immediately, the September 11 attacks multiplied the stakes.
With US intelligence agencies lambasted for not knowing enough,
surveillance was bound to soar in the West as well as the East. And that was
just the beginning. The geopolitics of the internet were metastasizing, on
their way to becoming one of the most significant and complex issues
facing the world. It would be hard to find the answers. But no one would be
in a better position to try.
Early on, the lab looked hard at web filters in the Arab world, including
their suppliers and what pages or words were restricted. As part of that
long-running effort, it found that Syria was using software from Silicon
Valley firm Blue Coat to spy on its people, potentially violating US
sanctions. The lab also took on the legal sale of exploits and other tools for
what the industry calls “lawful interception,” tracking many cases where the
vendors said they sold only to governments that respected human rights.
Despite such claims, researchers often found repressive regimes deploying
wares from companies like UK- and Germany-based Gamma Group and
Italian firm Hacking Team against human rights advocates, journalists, and
minority-party politicians. Much later, a devastating series of four front-page
reports in the New York Times, driven by Citizen Lab findings,
documented Israeli company NSO Group’s Pegasus spyware being used
against Mexican journalists, politicians, and others in Mexico, including
officials investigating mass disappearances and even anti-obesity
campaigners. Mexico’s president ordered an investigation that the FBI
concluded was a sham.
Time and time again, the lab’s independent academic structure gave it a
way to write about what others could not. The university’s review board had
to approve research methods on ethical as well as legal grounds. All the
same, the retired head of Canada’s main intelligence agency once noted
pointedly that some people thought Deibert should be arrested. As more
countries turned to spying on each other over the net, using companies as
stepping-stones or knowing accomplices, untangling it all could have had
political and business repercussions for any private researchers. The same
big companies that excelled at examining and explaining malicious
software that served organized crime shied away from being as clear when
they realized that the culprits were the governments controlling major
markets for their security software. Governments themselves stayed mum
because the intelligence agencies maintained dominance over cyber offense
and defense within the bureaucracy, and such agencies preferred not to
reveal what they knew.
Some specialized firms, such as Mandiant and CrowdStrike, disclosed
more in private reports to clients, and they sometimes went public with
accounts attributing infections in certain industries to coordinated
campaigns by government-affiliated hacking groups. But they faced
accusations of bias because their detection systems were only deployed in
some countries, they had US government contracts, or they had marketing
reasons for publishing what they did. Moscow-based Kaspersky Lab,
likewise, became the best in the world at ferreting out US-sponsored
cyberespionage campaigns, beginning with Stuxnet, the pathbreaking
weapon that defanged Iranian nuclear centrifuges before its exposure in
2010 opened everyone’s eyes to the new era of cyberwarfare. But
Kaspersky found very little new to say about Russian malware.
Citizen Lab could call things as it saw them. And it extended its reach
by working with researchers inside other companies, including Google, who
would have found it hard to publish under the name of their principal
employer. The lab also worked with researchers at Amnesty International
and the Electronic Frontier Foundation.
The lab’s work only got better and more important as the years went on.
One of Villeneuve’s biggest projects was learning what spying was
happening in Tibet. There was likely to be at least some, since activists
were routinely stopped from entering China, at times arrested, and
occasionally shown transcripts of their electronic chats with people inside
China. They were risking their lives. Laird introduced the team to Greg
Walton, who was still spending time in Dharamsala and working on
Canadian-funded rights initiatives. Walton had good relations with the
Tibetans, and Deibert hired him as a field researcher in 2008. For the first
time, Deibert learned about targeted malware. Later, Walton got the Dalai
Lama to agree to turn over the leadership’s computers for study. Attackers
had riddled those machines with compromises. But a hunch led to a big
payoff. The network traffic from many of the machines included the same
string of twenty-two characters. So Villeneuve googled that string. In short
order, he was on a machine in mainland China, looking at a portal listing
hundreds of computers that same group had broken into. The victims
included an email server for the Associated Press in Hong Kong, an
unclassified computer at NATO headquarters, and embassies belonging to
India, Pakistan, Germany, and Thailand.
Deibert’s team dubbed the spy network GhostNet. Citizen Lab disclosed
it in 2009, making front pages around the world. Deibert had brought the
New York Times in early, in part for maximum impact and in part as a hedge
in case the Canadian government tried to suppress what the Citizen Lab had
found. The first such account by a nongovernment agency and one of the
first of any kind linking specific computer espionage to a world power, the
GhostNet paper did not explicitly blame China. But that country was
obviously behind this instance of what would become known as an
advanced persistent threat, or a committed cyberspace adversary. Four
servers controlled the penetrations, including one on the island of Hainan,
home to the Third Technical Department of the Chinese People’s Liberation
Army.
The team had worked feverishly to unwind all of the connections and
document how they functioned. At the same time, the crew had wrestled
with new issues about disclosure. If China had been found spying on a
single identifiable person, they would have felt a responsibility to warn the
victim, though there was no clear ethical rule on the matter. What if their
own government was among the victims? What about other governments?
Who should be told what, and when? Rather than go directly to Canadian
intelligence and risk being co-opted, Deibert went to the Canadian
computer emergency response team as a courtesy. The Citizen Lab also
asked the Canadian foreign affairs ministry if it could pass along
notifications to other countries. It took months for the ministry to even
respond, and then it declined to help.
Nathan Freitas, the hacktivist and Tor specialist helping Tibetans, had
run into a similar problem. As reports shed light on Chinese spying, more
people came looking for copies of what infected the Tibetans. “Malware we
got hit with, no one had ever seen before,” Freitas said. “Researchers came
out of the woodwork saying, ‘Can we have a sample?’” Some were
academics looking for material for doctoral theses, some were employees of
private companies, some were government officials. It was obvious that
some were intelligence agents or contractors. “You can’t fool yourself,”
Freitas realized. “This is global cybersecurity warfare.” Rather than try to
sort out who was working for whom and whether it would be appropriate to
favor one country’s emissaries over another’s, Freitas threw up his hands.
He decided to share samples only with the Citizen Lab, which had done the
hard ethical reasoning. But in a community as heavily targeted as the
Tibetans, with various Westerners helping out, some information inevitably
went to the powerful Western agencies who were fighting the Chinese in
many places. Hacktivism gave those operatives an excuse to be in and
among the activists.
For all of Deibert’s careful ethical balancing, intelligence figures still
involved themselves in the Citizen Lab’s work. The lab got analytical help
from Rafal Rohozinski, a lab research advisor who was wearing other hats
at the same time. Rohozinski was CEO of Psiphon Inc., a proxy network for
evading censorship that the Citizen Lab had spun out. He also had worked
in the military and as a technical advisor to the UN on telecommunications
projects in former Soviet countries around the world. Though he described
himself as an independent contractor, he acknowledged an intelligence
background, and his affinities were clear. Laird and Villeneuve both called
him a “spook,” which Rohozinski said was inaccurate.
Laird also denies being a spy, and he never revealed himself as one to
cDc. But his odd initial approach to the group, changing Hong Kong
Blondes backstory, and later international work have caused several in cDc
to wonder, even without being aware of the intelligence relationships that
have since come to light. Laird was close enough to the community that it
may have regarded him, fairly or not, as an “asset,” two of his intelligence
contacts told me. That’s enough to change the history of hacktivism.
Intelligence agencies ardently consumed information from the GhostNet
effort. Rohozinski and Villeneuve briefed the NSA together, and
Rohozinski learned more from Greg Walton directly. In some ways,
Western intelligence agencies delighted at the Citizen Lab’s work. It
exposed a geopolitical rival, and it looked better because the lab had no
ulterior motive. It also engaged in legal but invasive use of internet tools,
such as port scanners, that would have required multiple levels of approval
if some governments had used them directly. Yet Deibert detected hostility
as well from the Canadian authorities he ran into, more than he could
explain as professional jealousy or disdain for upstarts. Poring over the
documents released by Edward Snowden a few years later, Deibert thought
he realized why, and Rohozinski agreed: the Canadians had known about
the Chinese spy network and had been piggybacking on it, collecting their
own intelligence, until the Citizen Lab blew the whistle.
The year after the GhostNet report, Google said that the Chinese had
hacked it as well, and that it was pulling out of the mainland as a result.
Now everyone realized that they had been living in an undeclared cyberwar.
Google had among the best technical defenders anywhere. After Google
realized the Chinese had gotten in and gone after the accounts of human
rights advocates and Google’s own code, it brought in the best outside
minds it could find. That included Dave Aitel and other NSA veterans, and
even the NSA itself. The public was alarmed, but it never realized how
effective the Chinese campaign really was, because no one had an incentive
to admit it. According to Mudge, the Chinese had broken into repositories
for the source code of many big companies and written in what looked like
programming mistakes. In reality, they were back doors that would allow
Chinese spies to break into the customers of those big tech companies
whenever they wanted. In a fight like that, Google and many others
understandably considered the NSA to be the good guys. But it was not that
simple. In a few years, with the public debut of NSA leaker Edward
Snowden, Google and many other American tech companies, to say nothing
of the rest of the world, would see the agency as an archenemy.