


JULY 23, 2002

SECURITY NET
By Alex Salkever

Skirting the Great Firewall of China
A new peer-to-peer network called Peek-a-Booty allows users inside censored zones to easily get Web pages from the greater Net


Cruise into any of the hundreds of Internet cafés in Beijing and ask Web surfers if they know what Peek-a-Booty is, and you'll likely receive only blank stares. Paul Baranowski hopes to change that. No, Peek-a-Booty isn't a porn site, and Baranowski isn't another Web programmer making extra bucks peddling flesh. Rather, he styles himself as a human-rights hacker -- and as project leader of Peek-a-Booty, a software application that hopes to obliterate Web censorship in China and dozens of other repressive countries around the planet.


How would this still-obscure piece of code break down the Great Firewall of China and other heavy-duty national censorship efforts? Peek-a-Booty takes a page out of the peer-to-peer (P2P) playbook by allowing anyone running the software to join a decentralized network. Its purpose is to serve encrypted Web pages rather than music or video files.

Peek-a-Booty does so by using a maze of anonymous participants forming a constantly morphing virtual network that's designed to hide Peek-a-Booty data requests amid the general Internet noise and deliver forbidden content to Web surfers without tripping censorship alarms.

UNSUSPECTING PLATFORM.  However, like any powerful technological tool, Peek-a-Booty could also be used by the forces of darkness. Computer-forensics experts say terrorists or criminals surfing the Web or communicating over Peek-a-Booty will be nearly impossible to track through the maze of IP addresses in its constantly shifting network. And if a malicious hacker discovers an exploitable hole in the Peek-a-Booty software, the network could provide a ready-made and wholly unsuspecting platform for launching denial-of-service attacks on a massive scale, sending untold numbers of bogus page requests until a site's server collapses under the load.

Worst of all, to encrypt its pages Peek-a-Booty uses the de facto standard for e-commerce transactions. So law enforcers looking for telltale signs of exotic e-mail encryption schemes see only Web-page requests and responses that are indistinguishable from a huge chunk of ordinary Internet e-commerce traffic.

This double whammy circumvents standard traffic-analysis techniques used by the National Security Agency and others to create network "topographies," or maps of traffic that could lead to suspected wrong-doers, terrorist organizations, and other bad guys. "That could create some challenges for our forensics and law-enforcement community. You can use Peek-a-Booty-like devices to cover your tracks," says Brian Kelly, CEO of Chantilly (Va.) Internet intelligence firm iDefense, which published an analysis of early Peek-a-Booty software in March.

FOSTERING FREEDOM.  So, as the West continues to grapple with threats of terror, why release such a tool into the wild? Baranowski, who announced the first stable Peek-a-Booty release for Windows machines on July 11, thinks the time is right. And, overall, I happen to agree with him.

While criminals might use Peek-a-Booty to evade detection, the skirting of censorship that it promises could be far more valuable to the U.S. and its allies. Unlike encrypted e-mail, which might serve as a better means of communicating for the few users who are sophisticated enough to set up compatible systems, Peek-a-Booty is geared toward opening the Web itself, providing free-flowing information to the masses. Access to info fosters open societies and democratic mores. In the long run, that's worth more to the cause of freedom, even if it means the spymasters and cops remain a bit more in the dark.

Baranowski says he first started becoming concerned about Chinese Internet censorship when he was a grad student at the University of Wisconsin, Madison in the late 1990s. A few months after he received his master's degree, he attended the Hackers on Planet Earth Conference and met people there who banded together to start working on Peek-a-Booty. Baranowski learned the P2P ropes working for business-software company OpenCola. While an undisclosed number of people have worked on Peek-a-Booty in the past, the current crew numbers only three: Baranowski, the accordion-playing fellow project leader Joey deVilla, and Chris Cummer, their webmaster.

INSTANT CONDUIT.  Imagine a giant globe-girdling game of telephone played with Web-page requests, and you have the basic idea of how Peek-a-Booty works. Say a user in Beijing wants to read a story about Falun Gong crackdowns in Shanghai. Assuming she has the Peek-a-Booty software client installed, she launches the program, which automatically searches for fellow Peek-a-Booty nodes outside of China.

When the software finds an active node, it logs her onto the Peek-a-Booty network and establishes a direct connection with a Peek-a-Booty user in a country where Internet news isn't censored. That user then serves as a conduit for the Chinese Peek-a-Booty user by brokering Web-page requests between her and Peek-a-Booty users in other countries.

Wait, it gets more complicated. The software is designed to randomly select other Peek-a-Booty users in a process called virtual circuits. That dot-com-sounding term simply means that the connection between Peek-a-Booty users relaying data back and forth exists only to complete that specific data transaction. It also means that the participants in a chain of virtual circuits know only the IP address (Internet protocol address, a unique numerical identifier attached to each device on an IP network) of the Peek-a-Booty users directly connected to them, not any others up and down the chain.

LESS TRACKABLE.  Since most firewalls are designed to block particular IP addresses attached to specific networks, Peek-a-Booty allows people in Beijing to surf the Web freely, thanks to fellow Peek-a-Booty members outside China. And the Great Firewall of China, on the lookout for the BBC's IP address but not that of Peek-a-Booty user John Smith running a cable modem in New York City, will let Web pages coming in via John Smith pass through unmolested.

Voila! Censorship foiled, and the woman in Beijing gets her article -- albeit more slowly due to the many participants involved. Most important, no one gets busted. That's because, thanks to the ever-changing nature of the network and its cellular structure, no one knows the IP tags of more than a handful of fellow Peek-a-Booty users. That makes it hard to put the network out of business by impersonating a Peek-a-Booty user and harvesting IP addresses.
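A toy model of the relay chain described above, added here as an illustration; it is not Peek-a-Booty's code or protocol. The addresses are constructed from documentation ranges, and the function names and the three-hop default are assumptions.

```python
import random

# Constructed addresses from the RFC 5737 documentation ranges.
ORIGIN = "192.0.2.7"            # user inside the censored zone
BANNED_SITE = "203.0.113.10"    # news server on the censor's blocklist
RELAYS = [f"198.51.100.{i}" for i in range(1, 41)]  # nodes outside the firewall
BLOCKLIST = {BANNED_SITE}

def build_circuit(rng, hops=3):
    """Randomly chosen relays form a path that exists for one transaction only."""
    return [ORIGIN] + rng.sample(RELAYS, hops) + [BANNED_SITE]

def neighbor_view(path):
    """Map each participant to the only addresses it learns: its adjacent hops."""
    return {node: {a for a in path[max(i - 1, 0):i + 2] if a != node}
            for i, node in enumerate(path)}

def firewall_allows(path):
    """An IP-blocklist firewall inspects only the link leaving the origin."""
    return path[1] not in BLOCKLIST

def harvested(paths, infiltrators):
    """Relay addresses that impersonating nodes learn from circuits they sit on."""
    seen = set()
    for path in paths:
        view = neighbor_view(path)
        for node in infiltrators.intersection(path):
            seen |= view[node]
    return (seen & set(RELAYS)) - infiltrators

if __name__ == "__main__":
    rng = random.Random(2002)
    print("direct request allowed:", firewall_allows([ORIGIN, BANNED_SITE]))
    circuit = build_circuit(rng)
    print("relayed request allowed:", firewall_allows(circuit))
    for node, known in neighbor_view(circuit).items():
        print(f"{node:>15} knows {sorted(known)}")
    # One impersonating relay on this circuit learns at most its two neighbors.
    print("exposed to middle relay:", sorted(harvested([circuit], {circuit[2]})))
```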

Anonymous Web-surfing company SafeWeb has also released an open-source version of a similar application that uses P2P connections. Its system, called TriangleBoy, is already being used by Voice of America to try to get through to Web surfers in Asia who want to obtain censored information. Peek-a-Booty, however, promises to do the same thing with no dedicated servers and over a much more rapidly morphing and therefore far less trackable network. According to Baranowski, the Chinese government was able to quickly find TriangleBoy server IP addresses and screen them out, something he hopes Peek-a-Booty will prevent.

MIXED FEELINGS.  To date, Baranowski numbers Peek-a-Booty nodes at under 100. That's far too small a network to have the system work effectively. But he believes it could spread quickly. A freely accessible database of active Peek-a-Booty nodes posted on July 16 is already starting to do just that.

To ensure that the genie never goes back in the bottle, Baranowski has made the source code to Peek-a-Booty public. That's not to say a government couldn't try to stamp out Peek-a-Booty. The system could be vulnerable if a government loads the database with bogus nodes. A similar tactic is already being used by music companies that seed P2P music networks with bad files that resemble real music in an attempt to make it harder for swappers to find pirated music.

I have mixed feelings about Peek-a-Booty. On the one hand, I understand the fears of the national security establishment. Tools such as Peek-a-Booty make it much harder to police the Net, a task that's already nearly impossible. Baranowski himself admits that Peek-a-Booty could provide ammunition as well as free communication. "You can use a hammer to hammer in a nail, or you can use it to break someone's knee," he says.

TOO MUCH DATA.  Still, assuming that Peek-a-Booty does spread quickly and widely, I believe it would be a boon to people in China, Saudi Arabia, or Tunisia, where Internet censorship is the norm. It's user-friendly and designed to give the masses access to info that Voice of America could never accomplish even with an unlimited budget.

I'm also less worried about the intelligence community's fears that Peek-a-Booty could be used to achieve evil ends. If anything, communications failures in the FBI and CIA that missed key indicators that an attack was imminent point to a problem with those agencies having too much data already, not too little. Baranowski says easier ways exist to wreak havoc and cover your tracks than trying to use the Peek-a-Booty network -- encrypted e-mail for one.

Same goes, says Baranowski, for anybody who's out to make a denial-of-service attack on a Web site. "It would take quite a bit of work to make Peek-a-Booty malicious," he says.

That makes sense, viewing the ease with which hackers already set up malicious DoS attacks, often by sending out e-mail bearing the software that's used for such attacks (known as Trojan horse attachments) to rafts of America Online users or Road Runner users who don't know enough not to click on attachments that have an .exe extension (meaning the file is a program).

MIND YOUR NETWORK.  And no matter how slick the bad guys are, "none of this stuff matters if [the FBI] can put a keyboard sniffer on your machine that will record everything you type," says Marcus Ranum, a security authority and formerly chief technology officer of intrusion-detection system company Network Flight Recorder. Plus, corporations needn't fear Peek-a-Booty problems -- if they tightly control what software gets installed on each machine in the organization. That's something most companies should aspire to do anyway.

That would leave Peek-a-Booty as the province of concerned personal-computer users, human-rights advocates, and academics. Which is precisely where it belongs and where Peek-a-Booty can become a strong tool for freedom of information and democratic values.



Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
