It isn't hard to figure out why China is stealing source code and then signing it with certificates that look legitimate. Symantec has published an interesting report on a group it calls Suckfly [a better name might be nice], which uses compromised code-signing certificates to make malicious code look valid: anyone checking the signature sees what appears to be a good certificate and assumes the code came from the developer who owns it.
Symantec's report [http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates] started when they found a code-signing certificate belonging to a mobile software developer on software that wasn't for mobile devices. One thing led to another, and eventually to Chengdu, China, where other certificates were traced.
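As an added example (not part of this post or Symantec's report), the Go program below reproduces the trust failure described above with a throwaway CA and constructed names: it issues a code-signing certificate to a hypothetical mobile developer, signs a "desktop" payload with it, and shows that chain and signature checks pass, because the cryptography cannot tell a misused certificate from an honest one. What does catch the misuse is a policy layer that requires the signer's organization to match the publisher the installer expects and rejects revoked serials. All organization names, keys and the payload are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed names for the example; neither is a real publisher.
const (
	MobileDevOrg  = "Example Mobile Apps Ltd"   // hypothetical owner of the misused certificate
	DesktopVendor = "Example Desktop Tools Inc" // publisher the installer expects to see
)

var (
	ErrPublisherMismatch = errors.New("signer organization does not match expected publisher")
	ErrRevoked           = errors.New("signing certificate is revoked")
)

// SignedArtifact stands in for a signed executable: the code bytes, the
// signing certificate, and an ECDSA signature over SHA-256(code).
type SignedArtifact struct {
	Code      []byte
	Cert      *x509.Certificate
	Signature []byte
}

// newCert issues tmpl under parent; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildArtifact creates a throwaway root CA, a code-signing certificate for the
// mobile developer, and a "desktop" payload signed with that certificate,
// mimicking the misuse the post describes. Returns the artifact and the
// root pool a verifier would trust.
func BuildArtifact() (*SignedArtifact, *x509.CertPool, error) {
	now := time.Now()
	caCert, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{MobileDevOrg}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	code := []byte("constructed desktop payload, not a mobile app") // constructed sample input
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &SignedArtifact{Code: code, Cert: leaf, Signature: sig}, roots, nil
}

// VerifyCryptographic is the naive check: chain to a trusted root with the
// code-signing EKU, then the signature over the code. A misused but otherwise
// valid certificate passes this step unchanged.
func VerifyCryptographic(art *SignedArtifact, roots *x509.CertPool) (*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := art.Cert.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := art.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(art.Code)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], art.Signature) {
		return nil, errors.New("signature does not verify over the code")
	}
	return art.Cert, nil
}

// CheckPolicy is the layer that catches the misuse: the signer must be the
// publisher the installer expects, and its serial must not be revoked.
func CheckPolicy(cert *x509.Certificate, expectedOrg string, revoked map[string]bool) error {
	if revoked[cert.SerialNumber.String()] {
		return ErrRevoked
	}
	for _, org := range cert.Subject.Organization {
		if org == expectedOrg {
			return nil
		}
	}
	return ErrPublisherMismatch
}
```

The split between VerifyCryptographic and CheckPolicy is the point: the first answers "was this signed by a key the CA vouches for?", which is true for a stolen key, while the second answers "is this the publisher I expected, and has the owner revoked the certificate?", which is where the mobile-developer certificate on desktop software stands out.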
The Chinese are stealing us blind and undermining the Internet infrastructure with bogus domains and bogus software. Sometimes they do this to resell software they have stolen, and sometimes just to control their own people and keep them off the real Internet. If they had stuck to their own people and not spread these certificates across the Internet, we might conclude they were doing it for internal security. They aren't.
When Google stopped accepting certs from the China NIC, the world should have been paying attention to what they were doing. They are spreading their own software on the Internet that can monitor anyone they choose. They are not content to monitor just their own.