
Saturday, September 20, 2014

The Magic Password Box

In a previous post I mentioned that an advantage of secret languages is that encryption happens within the human mind, beyond the reach of keyloggers, malware and packet sniffers.

The security of the human mind is also acknowledged in one of the most common exhortations regarding passwords: Don't write it down! Memorize it!

But memorizing passwords becomes increasingly difficult as we need more of them, and they must be more complex, and each must be different from the others. Many people have started to keep passwords in text documents, while more security-conscious people are starting to use applications like Password Safe. But what if someone gets access to your document, or there is an unrecognized vulnerability with your password storage application?

I'm in the same boat as everyone else. Once upon a time I used to generate passwords by looking around, concatenating two unrelated nouns representing things in my environment, and changing some of the letters to numbers and punctuation marks. Eventually I wrote an application to store my passwords in an encrypted text file, and that gave me the freedom to start generating passwords randomly.

Currently I probably only remember a tenth or fewer of my passwords. If my encrypted text file were lost, my passwords would be lost along with it.

Now I am experimenting with an idea that I call the Magic Password Box. The principle is relatively simple, but the effect on the security of my passwords is profound. Here is how it works:

  • I create one long password, over 100 alphabetic characters, in the form of a nonsense limerick
  • For each environment in which I need to use a password, I create a short mnemonic, like "gmail", "amazon" or "creditcard"
  • For passwords that do not require frequent updates, I compute the password as a function of SHA256(limerick + mnemonic)
  • For passwords that require updates every 90 days, I compute the password as a function of SHA256(limerick + mnemonic + quarter + year)
I'm already using a random number generator to create passwords, so replacing that with a hash isn't a huge change for me. The big change is this: I never need to store a password again, and all of my passwords can now rely on the security of my memory. If my laptop is struck by lightning, I can still get my passwords. (Perhaps I need a backup in case my brain fails to reproduce the limerick, though!)

There are some mundane considerations around how to write the code for the password calculator so that (for example) it won't leak my root password, and it can generate passwords that conform to different password policies. But there are also some interesting possibilities, such as having the calculator send the password to the system clipboard so I never even see it or type it, hiding it from prying eyes and keyloggers.
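As an added example (my code, not the post's calculator), here is the scheme above in Go: SHA256(limerick + mnemonic) or SHA256(limerick + mnemonic + quarter + year) as the post describes, then a deterministic mapping of the digest onto a per-site policy so the same limerick can yield a 16-character mixed-class password for one site and a six-digit PIN for another. Two things are my assumptions rather than the post's: the newline separators between the concatenated parts (so that mnemonic "ab" with quarter 1 can never collide with mnemonic "ab1"), and the `Policy` struct as the way a site's rules are expressed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Policy describes what a site accepts: the full alphabet and the character
// classes that must each appear at least once. (Assumed representation.)
type Policy struct {
	Length   int
	Alphabet string
	Require  []string
}

const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*"
)

var DefaultPolicy = Policy{Length: 16, Alphabet: lower + upper + digits + symbols,
	Require: []string{lower, upper, digits, symbols}}
var PINPolicy = Policy{Length: 6, Alphabet: digits} // digits only, nothing required

// Quarter returns the (quarter, year) pair that rotates a 90-day password.
func Quarter(day time.Time) (int, int) {
	return (int(day.Month())-1)/3 + 1, day.Year()
}

// deriveKey is the post's SHA256(limerick + mnemonic [+ quarter + year]).
// quarter == 0 means the password does not rotate. The "\n" separators are an
// assumption added here to keep the concatenation unambiguous.
func deriveKey(limerick, mnemonic string, quarter, year int) [32]byte {
	material := limerick + "\n" + mnemonic
	if quarter > 0 {
		material += fmt.Sprintf("\n%d\n%d", quarter, year)
	}
	return sha256.Sum256([]byte(material))
}

// byteStream expands one 32-byte key into an endless deterministic stream by
// hashing key || counter, so the mapping never runs out of material.
type byteStream struct {
	key     [32]byte
	counter uint32
	buf     []byte
}

func (s *byteStream) next() byte {
	if len(s.buf) == 0 {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], s.counter)
		s.counter++
		block := sha256.Sum256(append(s.key[:], ctr[:]...))
		s.buf = block[:]
	}
	b := s.buf[0]
	s.buf = s.buf[1:]
	return b
}

// pick returns an index in [0, n) without modulo bias: bytes that would wrap
// unevenly are discarded (rejection sampling).
func (s *byteStream) pick(n int) int {
	limit := 256 - (256 % n)
	for {
		if b := int(s.next()); b < limit {
			return b % n
		}
	}
}

// DerivePassword computes the password for one mnemonic under one policy.
func DerivePassword(limerick, mnemonic string, p Policy, quarter, year int) (string, error) {
	if p.Length < len(p.Require) || len(p.Alphabet) == 0 {
		return "", errors.New("policy cannot be satisfied")
	}
	s := &byteStream{key: deriveKey(limerick, mnemonic, quarter, year)}
	out := make([]byte, 0, p.Length)
	for _, class := range p.Require { // one character per required class first...
		out = append(out, class[s.pick(len(class))])
	}
	for len(out) < p.Length { // ...the rest from the whole alphabet...
		out = append(out, p.Alphabet[s.pick(len(p.Alphabet))])
	}
	for i := len(out) - 1; i > 0; i-- { // ...then a deterministic Fisher-Yates shuffle
		j := s.pick(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

func main() {
	// Constructed sample; a real limerick is far longer and lives only in memory.
	limerick := "a hacker from ancient Kashmir kept passwords in nonsense and beer"
	q, y := Quarter(time.Date(2014, time.September, 20, 0, 0, 0, 0, time.UTC))
	for _, m := range []string{"gmail", "amazon", "creditcard"} {
		fixed, _ := DerivePassword(limerick, m, DefaultPolicy, 0, 0)
		rotating, _ := DerivePassword(limerick, m, DefaultPolicy, q, y)
		fmt.Printf("%-11s %s   Q%d %d: %s\n", m, fixed, q, y, rotating)
	}
}
```

One design point worth keeping in view: SHA-256 is fast by design, so if the scheme and a single derived password ever leak, the limerick's own entropy is all that stands between a guessing attack and every other password. Dropping a deliberately slow derivation such as PBKDF2 in place of the bare hash raises that cost at no inconvenience to the legitimate user, and the post's own observation still applies: the calculation has to run on a machine you trust, or a keylogger sees the limerick rather than one password.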

Tuesday, February 11, 2014

A brief history of Chinese hacking: Part III

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

In the last two posts, I have mentioned two galvanizing events for the Red Hacker movement: violence against ethnic Chinese in Indonesia, and the NATO bombing of the Chinese embassy in Belgrade.

Two months after the bombing of the embassy in Belgrade, the government of Taiwan announced a 'Two States' policy, which undermined the long-held idea that China and Taiwan were a single country suffering a temporary disunion. Seasoned by the 1998 action against Indonesia and the May 1999 action against the United States, the Red Hacker apparatus was ready to turn and defend the honor of the motherland on the battlefield of Taiwan's networks.

They attacked the website of the Executive Yuan of Taiwan, as well as many other websites, deploying newly developed tools like Glacier (冰河, a trojan horse) for the first time, and NetSpy (a tool for uploading and downloading files from a server, apparently).

In 2000, the number of internet cafes mushroomed, and the hacker spectrum broadened. The old Black Hackers were still around, but the ready availability of technology led to a large number of careless, headstrong and unskilled teenagers pursuing the black hacker path. These "script kiddies" were nicknamed the Little Blacks (小黑黑) by an influential female hacker of the time named Wollf.

Alongside the Black and Red hackers, there also arose Blue Hackers (蓝客, lán kè), who were relatively unconcerned with cheap tricks and politics, and intensely passionate about computer security.

In 2001, after the South China Sea collision incident, a small American hacker group called PoizonBOx defaced at least a hundred Chinese websites, and reportedly 80,000 Chinese hackers returned fire beginning on May 4. Most of these were unskilled script kiddies, so the damage done did not reflect their large numbers, and some considered the action to be a farce. As far as I can tell, 100-600 websites were vandalized, and the White House website suffered a DoS attack that blocked access from May 4 to May 8.

In the years between 2000 and 2002, Chinese hackers created and released the Code Red, Code Blue and Nimda computer worms. But many also undertook a serious discussion of the ethical dimensions of hacking, and of hacking culture. They began to discover and publish their own findings on network and software vulnerabilities, which have since been picked up by international security research organizations.

Sunday, February 9, 2014

A brief history of Chinese hacking: Part II

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

I ended the last post with the emergence of the Chinese hacktivist alliance in response to violence against ethnic Chinese in Indonesia in 1998. This era also saw the emergence of the Green Corps and the Chinese Green League. (I'm not sure what the significance of the color "green" is in these names, but I wonder if it doesn't relate to the color of CRT screens).

Webpages discussing the technical details of hacking began to proliferate, and Chinese hackers eagerly undertook to study the relevant technologies. The most famous hacker of this period may have been Xiǎo Róng (小榕), creator of tools like Stream of Light (流光, a vulnerability scanner), Tracing Snow (溯雪, a password cracker) and Chaos Knife (乱刀).

1999 saw a dramatic increase in the number of internet users in China, and it also saw the NATO bombing of the Chinese embassy in Belgrade, which many Chinese saw as a deliberate act of retribution on the part of the United States for China's criticism of NATO action in Yugoslavia.

The second day after the bombing of the Chinese embassy in Belgrade, the first Red Hacker website was born, initially called the Chinese Hacker's Rallying Point for the Motherland (中国红客之祖国团结阵线), and later renamed the Chinese Hacker's United Front for the Motherland (中国红客之祖国统一战线).

This site drew intense interest from Chinese citizens around the world, and the Red Hackers carried out widespread attacks on American websites and email servers.

Hacking tools created in this period included NetSpy (inspired by Cult of the Dead Cow's Back Orifice), Glacier (冰河, a trojan horse), Black Hole (黑洞), Network Thief (网络神偷), Gray Dove (灰鸽子), XSan and YAI.

Glacier, Black Hole and Network Thief are still considered by many to be essential tools for the Chinese hacker. "Official" development of Glacier has ceased, but users have forked off many versions of their own.


A brief history of Chinese hacking: Part I

(The following draws extensively from an online text titled "The Record of X on the Rise of the Chinese Hacker", supplemented from other sources.)

China's earliest online community arose in the mid-1990s, with a small number of people using PCs and dial-ups to interact with each other on bulletin-board systems. Between 1994 and 1996, BBS servers proliferated in major Chinese cities, and interest in copying software and breaking license controls on software also grew, creating the first generation of Chinese hackers.

Internet access came to China in 1996, and the BBS culture moved from dial-ups and isolated servers to the internet. It is interesting to me that the BBS format is incredibly prevalent on Chinese websites today, while in America it has basically been replaced by social networks. It was during this period that a man named Gao Chunhui created the first personal website in China, and it is said that his personal site at that time was dedicated to the topic of breaking software registration controls.

This era also saw a brief period of phreaking (电话飞客), but advances in telecom technology rapidly put an end to that.

In 1998, a Taiwanese student named Chen Ing-Hau released the Chernobyl virus, which caused billions in economic damage in mainland China. Because the author was a Taiwanese student, some Chinese users perceived the damage done by the Chernobyl virus as a politically motivated attack.

Also in 1998, amid the deepening Asian Financial Crisis, there was widespread violence against ethnic Chinese in Indonesia. Chinese internet users formed teams that flooded Indonesian government email accounts, and they tried to bring down Indonesian websites with ping-based DoS attacks. In order to coordinate these attacks, a group was formed called the Chinese Hacker Emergency Meeting Center (中国黑客紧急会议中心). This might be considered the first Chinese hacktivist alliance.

So, from the very beginning, Chinese hacking has been closely tied to nationalist sentiments.


Friday, February 7, 2014

The Chinese Hacker's Code

In 1984, Steven Levy suggested that there was a commonly understood but unwritten [American/European] "hacker code of ethics", that encompassed the values of sharing, openness, decentralization, free access to computers, and world improvement.

On many Chinese hacker sites I have found a written code of conduct, which is attributed to an influential Taiwanese hacker named CoolFire, who has his roots in the computer culture of the late 1990s. I will present that code of conduct below, but first I want to write out something about the connotations of the word "hacker" in Chinese.

The most common word for "hacker" in Chinese is 黑客, hēikè, derived phonetically from the English word "hacker". These two characters literally mean "black guest", which I think is a great way to describe a hacker's presence on your system. Unlike the English word "hacker", however, the Chinese hēikè seems to have a less negative, perhaps more ambiguous connotation.

The less common word is 骇客, hàikè, also derived phonetically from English "hacker", but with a literal meaning of "terrifying guest". This seems to be a more negative term, maybe more like cyber-criminal.

There is a strong association between hacking (hēikè) and patriotism in China, dating back to the earliest organizations and activities of hackers in the 1990s. This has given rise to another term, 红客, hóngkè, meaning "red guest". This is sometimes translated as "honker", but I'll render it as Red Hacker for now. (Not only does "honker" also mean someone from Hong Kong, but it sounds pejorative to me.)

Without further ado, here is a composite of the Chinese Hacker Code, drawn from several similar versions.

1. Do not sabotage any system. It will only bring you trouble.

2. Do not modify any system files. If you must do so to access a system, please restore them to their original state after you are done.

3. Do not casually hack a website and then tell friends whom you do not trust.

4. Do not talk about what you have hacked in a BBS or forum.

5. Do not use your real name when you post an article.

6. Do not leave your computer while you are actively engaged in invasion.

7. Do not invade or attack telecom/government organization servers.

8. Do not talk about what you have hacked over the phone.

9. Keep your notes in a safe place.

10. Read everything related to system security or vulnerabilities (learn English quickly!)

11. Do not delete or alter accounts on the systems you invade.

12. Do not modify system files, unless it is necessary to conceal your intrusion. In any case, maintain the security of the system, do not invade and disable the original security.

13. Do not share the accounts you have cracked with your friends.

14. Do not invade or destroy government organization servers.

15. If you can't program you can't be a good hacker.

16. Hackers are not "pirates".


Thursday, February 6, 2014

Motherlode

Last month, I idled away some hours trying to get some idea of the Chinese hacker culture. I assumed that, like the hackers I knew when I was younger, Chinese hackers would have some kind of specialized vocabulary, like a Chinese version of 1337. I figured if I could find a few terms in that specialized vocabulary, I might be able to do some narrow internet searches that would give me a general outline of the Chinese hacker world.

It didn't really work. I did get a really interesting look into how the Chinese government is handling cybersecurity, but I never found anything that really looked like a hacker site.

Today, by chance, I hit the motherlode. I found the type of site I was looking for, and the wealth of information available is a bit overwhelming. My experience with Chinese government sites has been that, after I access them a few times, they may drop off the net, especially if they are very interesting. I fear I won't have enough time to learn what I want to learn before this site goes away too.

If my luck holds, I will soon have much new and interesting information to blog about.

Sunday, January 19, 2014

Secret sign

I was walking down a steep mountain path in Sichuan with a local guide, paying rapt attention as he told me stories about the area. There were graves in the hillside, he said, and as a troublesome young man he once looked into them, and was terrified by the corpses. Another time he lost his favorite horse, who slipped on the path and fell to his death in a deep ravine. That complex in the valley was a prison, where he had spent some time.

Let's get together in the village later in the day, he said finally. But let's lose the Chinese guy. I don't trust him.

Indeed, I had been curious about the soft, overweight Chinese man in our party. He did not seem physically suited to a three-day horse ride, and he seemed to prefer reading stories on his cell phone to enjoying the dramatic scenery of the Sichuan mountains. Why was he there? My guide seemed to find it suspicious.

If anyone had been listening in, they would have been completely unaware of our conversation on the matter. This is because my guide was deaf, and we were communicating in Chinese Sign Language, of which I had managed to learn a fair amount over the prior three days.

In a previous post, I mentioned some qualities of a good secret language. Here, let me extol the virtues of sign language as an effective means of secret communication in the 21st century.

A secret language is, roughly speaking, a substitution cipher that operates on the level of morphology and grammar. Experience teaches us that unknown languages are difficult to decipher, so as long as the "key" remains a secret, the language remains relatively secure. The "key", in this case, is the combination of lexicon and grammar.

As a cryptographic system, secret languages are terrible. The key is difficult to transmit, and once broken, a new key must be laboriously created and transmitted. However, the great saving grace of secret languages in the 21st century is that encryption can take place entirely within the only device that remains free of malware: the human brain.

In order to remain secure, however, encryption must remain within the human brain. One of the significant weaknesses of secret languages in the era of the surveillance state is that users may be tempted to store or transmit the lexicon and grammar in an electronic form that may be intercepted and compromised. Another weakness is that keywords in the secret language may be distinctive enough that secret messages may be easily identified and used for traffic analysis.

A secret sign language is more secure on both of these counts. First, the key is actually difficult to store in writing, and is most naturally communicated person-to-person. Second, the easiest way to transmit a message over the internet is by video, which requires much more extensive and complex analysis even to pick out the existence of the secret communication.

Today's surveillance states have vast means at their disposal, and can easily out-spend and out-compute most of their adversaries. For the time being, however, there are a few faculties of the human mind that remain out of the reach of conventional computation. A secret sign language takes advantage of many of these capabilities, at a relatively cheap cost.

Monday, January 6, 2014

New Chinese information security terminology

The subject of information security is always interesting to me because it involves emergent behavior in complex systems and requires experimental research. In fact, I recently downloaded and have been playing with some vulnerability analysis tools. (I'm only working on my own network, no intention to engage in malicious behavior, etc).

I'm also interested in Chinese software and technological innovations. This afternoon I decided to put these two things together and see what I could find about information security in Chinese. This brought me to a Chinese website describing how hackers operate, including screenshots of some exploitation tools that appear to be Chinese innovations.

One of these is called The Struts2 Ultimate Loophole Exploitation Utility. It takes advantage of weaknesses in the Apache Struts2 framework to execute code on the server. The title of the window in the screenshot includes not only the utility name, but also the names of two of the developers and a phone number.

The names of the developers were unique enough that I was able to find their Weibo accounts, as well as their accounts on a Chinese social site for those interested in IT security. The site lists an ungodly number of software vulnerabilities--19 added today alone. It seems this "white hat" site rewards users for reporting vulnerabilities, which are then passed on to manufacturers. Clever!

Reading through these, I've started to update my "Chinese Programming Terminology" page with new vocabulary related to information security. I've also found a Chinese translation of the manual for the Metasploit pen-testing utility--another goldmine for this type of stuff.

Sunday, July 7, 2013

Secret envelopes and distributed message transmission

(Note--I've edited this after thinking about the technical issues a bit)

When a message moves across a communication network, normally it has an "envelope" containing address information and metadata about the message necessary for its delivery.  For a letter that is physically mailed, the envelope is the physical envelope.  For a TCP/IP packet, the envelope is a packet header.  For email, it is the SMTP header...you get the picture.

Even if the content of the envelope is secret, a great deal of information can be gathered from analysis of the envelopes, which are generally unencrypted so the message can be transmitted efficiently.  But what if you wanted to keep the envelope secret, too?

It seems to me there are a small number of key ingredients to any system that could transmit messages and keep the recipient secret:

1.  The "address" must be something that only the recipient would recognize.  One approach would be for the recipient to provide a public key, and for the address to consist of a block of mostly random data with some unique property, encrypted using the public key.  For example, the block of data could be 256 bytes long, and consist of the byte values 0x00 - 0xFF in a random order.

2.  Messages must be distributed broadly, and should pass through many hands.

The upshot is that you exchange efficiency in transmission for anonymity.  I wonder if there is an equation that would say how inefficient the transmission system needs to be in order to guarantee a certain amount of anonymity.
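As an added example (mine, not something from the post), here are the two ingredients above in Go: the address is a 256-byte permutation of 0x00-0xFF encrypted to the recipient's public key, and delivery is a broadcast in which every node tries to decrypt every envelope and keeps only the ones that pass the property check. The choice of RSA-OAEP with SHA-256 over a 3072-bit key is my assumption (the post says only "public key"; 3072 bits is the smallest common modulus whose OAEP payload limit exceeds 256 bytes), and the message body is left unencrypted so the example stays focused on the address mechanism.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Envelope is what travels the network: an address block only the intended
// recipient can recognize, plus the body (which a real system would encrypt).
type Envelope struct {
	Address []byte
	Body    []byte
}

// NewAddress builds the post's block: the byte values 0x00-0xFF, each exactly
// once, in a random order (Fisher-Yates driven by crypto/rand).
func NewAddress() ([]byte, error) {
	addr := make([]byte, 256)
	for i := range addr {
		addr[i] = byte(i)
	}
	for i := len(addr) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return nil, err
		}
		addr[i], addr[j.Int64()] = addr[j.Int64()], addr[i]
	}
	return addr, nil
}

// IsPermutation is the "unique property" a recipient checks after decrypting;
// a random 256-byte string passes it with negligible probability.
func IsPermutation(b []byte) bool {
	if len(b) != 256 {
		return false
	}
	var seen [256]bool
	for _, v := range b {
		if seen[v] {
			return false
		}
		seen[v] = true
	}
	return true
}

// Seal addresses body to the holder of pub (RSA-OAEP/SHA-256 assumed here).
func Seal(pub *rsa.PublicKey, body []byte) (Envelope, error) {
	addr, err := NewAddress()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, addr, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Address: ct, Body: body}, nil
}

// IsForMe is what every node runs on every envelope it handles. With the
// wrong key OAEP decryption fails, so a relay learns nothing about the real
// recipient; with the right key the property check confirms the match.
func IsForMe(priv *rsa.PrivateKey, env Envelope) bool {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.Address, nil)
	return err == nil && IsPermutation(pt)
}

// Demo creates two recipients, broadcasts one message to each through both
// nodes, and returns the bodies each node accepted. The cost the post
// describes is visible here: one private-key operation per node per envelope.
func Demo(bits int) ([][]string, error) {
	alice, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	toAlice, err := Seal(&alice.PublicKey, []byte("hello alice")) // constructed messages
	if err != nil {
		return nil, err
	}
	toBob, err := Seal(&bob.PublicKey, []byte("hello bob"))
	if err != nil {
		return nil, err
	}
	nodes := []*rsa.PrivateKey{alice, bob}
	kept := make([][]string, len(nodes))
	for i, n := range nodes {
		for _, e := range []Envelope{toAlice, toBob} { // every envelope reaches every node
			if IsForMe(n, e) {
				kept[i] = append(kept[i], string(e.Body))
			}
		}
	}
	return kept, nil
}

func main() {
	kept, err := Demo(3072)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice received:", kept[0], " bob received:", kept[1])
}
```

The relay's attempt-to-decrypt step is also the answer to the efficiency question at the end of the post: every node spends a private-key operation on every envelope it sees, so the work grows with the number of nodes times the number of messages rather than with the number of messages alone.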

Thursday, June 20, 2013

Hacking a Trojan Horse

I get all kinds of Trojan Horses by email, and sometimes I wonder what they do.  This morning I had a few extra minutes, so I decided to start taking a look at one.

First, I installed binutils and configured it with the --enable-targets=all option, because these Trojan Horses are inevitably in PE/COFF format, and I don't do this kind of thing on Windows.

Then I disassembled my most recent Trojan Horse.  The executable section boils down to a mere 1781 lines of x86 assembly, so not really very large at all, with a bunch of small routines.  I haven't had a chance to look too closely at it yet, but it looks like it has some obfuscated chunk of something (executable) as an embedded resource.  I'll have to see if I can sort that out.