Friday, November 18, 2016

Chinese Spying is Big

Brian Krebs reported yesterday on software made by Shanghai ADUPS Technology that was sending call records and text messages back to China. The University of Toronto's Citizen Lab has done extensive reporting showing that browsers from Baidu, and a host of others, send back much more than that from any device running them. It seems apparent that the Chinese government is influencing what is sent back and requiring vendors to put hooks into their software to collect data for it. In that instance it was more than just text messages. Some of this software sends hard drive details, Wi-Fi networks used, location data, unique cell phone identifiers, and numerous other things like those to China. Why they need to know my hard drive serial number is a mystery only to those not hacking individual systems in the countries they collect this information from. So, while the Chinese mock us for what Edward Snowden said the US does, they try to equal or exceed that capability without anyone raising a fuss.

This fits with an even bigger problem that I described earlier and repeat here:

It isn't hard to figure out why China is stealing source code and then signing it with certificates that look legitimate. Symantec has published an interesting report on a group it calls Suckfly [a better name might be nice], which uses stolen code-signing certificates so that its code appears valid to anyone who trusts the certificate and assumes it belongs to the software's real publisher.

Symantec's report [http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates] began when they discovered a code-signing certificate belonging to a mobile software developer on something that was not mobile software. One thing led to another, and eventually to Chengdu, China, where other certificates were traced.
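The Suckfly story turns on one distinction: a cryptographically valid signature is not the same as a trustworthy one. A stolen certificate produces signatures that verify perfectly; what catches it is everything a verifier checks afterwards, including whether the signer is the publisher you expected (Symantec's clue was exactly that mismatch, a mobile developer's certificate on non-mobile software) and whether the certificate has been revoked. The following Go program is an added example written for this page; it is not Symantec's code or anything from the vendors named above. It builds a small constructed PKI in memory (a hypothetical root CA, a hypothetical "Example Desktop Vendor Inc" and a hypothetical "Example Mobile Apps Ltd"), signs a constructed payload with each leaf, and shows that the mobile certificate passes the raw signature check but fails a policy check. The Revoked map is a stand-in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a code-signing certificate plus its private key (constructed lab PKI only).
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
type Policy struct {
	Roots             *x509.CertPool  // trust anchors
	ExpectedPublisher string          // subject CN the artifact must be signed by
	Revoked           map[string]bool // serials known stolen; stands in for CRL/OCSP
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key for tmpl and has parent sign it (self-signed if parent is nil).
func issue(tmpl *x509.Certificate, parent *Signer) Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent = &Signer{Cert: tmpl, Key: k} // root: signs its own template
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &k.PublicKey, parent.Key)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return Signer{Cert: c, Key: k}
}

// BuildPKI: a hypothetical root CA, the desktop vendor we expect, and an unrelated mobile developer.
func BuildPKI() (roots *x509.CertPool, vendor, mobile Signer) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Lab Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca.Cert)
	leaf := func(serial int64, cn string) Signer {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		}, &ca)
	}
	return roots, leaf(2, "Example Desktop Vendor Inc"), leaf(3, "Example Mobile Apps Ltd")
}

// Sign produces an ECDSA P-256 / SHA-256 signature over payload.
func Sign(s Signer, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	check(err)
	return sig
}

// RawSignatureValid is where much tooling stops; a signature made with a stolen certificate passes this.
func RawSignatureValid(cert *x509.Certificate, payload, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig) == nil
}

// VerifySignedArtifact also demands a trusted code-signing chain, no revocation, and the right publisher.
func VerifySignedArtifact(p Policy, cert *x509.Certificate, payload, sig []byte) error {
	if !RawSignatureValid(cert, payload, sig) {
		return fmt.Errorf("signature does not verify")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted chain: %w", err)
	}
	if p.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("signer certificate serial %s is revoked", cert.SerialNumber)
	}
	if cn := cert.Subject.CommonName; cn != p.ExpectedPublisher {
		return fmt.Errorf("signed by %q, expected %q", cn, p.ExpectedPublisher)
	}
	return nil
}

func main() {
	roots, vendor, mobile := BuildPKI()
	payload := []byte("constructed desktop installer bytes")
	pol := Policy{Roots: roots, ExpectedPublisher: "Example Desktop Vendor Inc", Revoked: map[string]bool{}}
	fmt.Println("expected vendor:", VerifySignedArtifact(pol, vendor.Cert, payload, Sign(vendor, payload)))
	fmt.Println("stolen mobile cert:", VerifySignedArtifact(pol, mobile.Cert, payload, Sign(mobile, payload)))
}
```

Running it prints nil for the vendor and a "signed by ... expected ..." error for the mobile certificate, even though both signatures verify and both chain to the same trusted root. That is the whole point: once a stolen certificate has been revoked, only a verifier that actually consults revocation and pins the expected publisher will notice; one that stops at the signature math will keep trusting the attacker's binaries.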

The Chinese are stealing us blind and undermining the Internet infrastructure with bogus domains and bogus software. Sometimes they do this to resell software they have stolen, and sometimes just to control their own people and keep them off the real Internet. If they stuck to their own people and had not spread these certificates across the Internet, we might conclude they were doing it for internal security. They aren't.

When Google stopped accepting certificates from CNNIC, the China Internet Network Information Center, the world should have been paying attention to what they were doing. They are spreading their own software across the Internet that can monitor anyone they choose. They are not content to monitor just their own people.
