Security News > 2001 > February > Small Start-Up Helps the CIA To Mask Its Moves on the Web
http://cryptome.org/cia-safeboy.htm By NEIL KING JR. Staff Reporter of THE WALL STREET JOURNAL February 12, 2001 How's this for a curious pairing? Stephen Hsu and his partners at SafeWeb Inc. launch a Web site (www.safeweb.com) offering the utmost in Internet privacy -- and then hook up with the notoriously intrusive Central Intelligence Agency. The new alliance between the Oakland, Calif., entrepreneurs and the spooks from Langley, Va., shows how serious the CIA is about improving its spycraft. The agency two years ago set up its own venture-capital firm, known as In-Q-Tel, to search out just the sort of innovations that SafeWeb offers. The CIA, in this case, wants to use a SafeWeb program to mask its own movements on the Internet, so it can gather information incognito. SafeWeb suggests that the CIA also might use its technology to allow its far-flung agents and informants to communicate home, without the countries they are spying on ever knowing. What's puzzling is why a tiny, year-old start-up would want to link up with an agency that is the nemesis of privacy buffs everywhere. "I'm sure we'll take a hit from the 5% of our most paranoid customers," says Mr. Hsu, SafeWeb's 34-year-old co-founder and a theoretical physicist by training. But the CIA connection, he says, is deliberately distant. SafeWeb will provide the agency with customized software, but the CIA will have no access to the company's Web computers or to the workings of its core software, he insists. And who better to test the power of its privacy software than the world's top spies? "If our technology can satisfy them," Mr. Hsu says, "it can satisfy just about anyone." The technology is a clever piece of software called Triangle Boy that SafeWeb plans to post free this month on the Web. The CIA, through In-Q-Tel, is investing in a revved-up version of the software, which can bounce digital traffic around the Web anonymously, as well as rights to an equity stake in SafeWeb should the company go public. Neither side will disclose financial details. The CIA has been slow to mine the riches of the Internet for fear of exposing its own vast computer network to viruses or hacker attacks. It also worries that others will monitor its activities if it roams the Web without proper disguise. What SafeWeb offers is a chance to move about the Internet without leaving any trace. Users simply go to the company's Web site and type in the address of the actual site they are seeking. SafeWeb's site acts as an intermediary; anyone monitoring the activity would see only the traffic between the user's computer and SafeWeb -- and not the user's ultimate destination. The site recorded more than one million unique visits last month. But what really caught the CIA's fancy was Triangle Boy, a software package that can turn any personal computer into a surrogate Web server. The system allows users to navigate to any number of innocuous PC addresses, and then go to the actual Web site they are seeking -- without leaving a trace. Triangle Boy works by forwarding the request for the desired Web site on to SafeWeb's site, which then makes the connection. SafeWeb developed Triangle Boy to deter companies or countries from blocking access to its site, as Saudi Arabia did last November. CIA specialists say their core interest in Triangle Boy is anonymous Internet browsing. "We want to operate anywhere on the Internet in a way that no one knows the CIA is looking at them," says a senior CIA official with connections to the In-Q-Tel team. But the possible uses go way beyond that. SafeWeb says the agency also could use the technology as a secure way for its "assets," or contacts, to communicate with CIA headquarters. The CIA also suggests that it may one day build a global network made up of Triangle Boys and servers equipped with SafeWeb-style software to communicate with employees and informants. CIA Director George Tenet told the Senate last week that one of his chief ambitions is "to take modern Web-based technology and apply it to our business relentlessly." The SafeWeb technology could prove just as handy in getting information covertly into other countries. It was this application that originally inspired Mr. Hsu to reach out to the CIA last summer. "I imagined them wanting to use Triangle Boy to get Voice of America or something like that into countries where it was blocked," he said. Others suggest more devious possibilities. An application like Triangle Boy, if scattered among hundreds of PCs, could be a way to cloak a multipronged "cyber attack" on someone else's computer system. The CIA, along with the Pentagon, has worked for years to perfect ways to electronically meddle with other countries' banking systems or electricity grids, and Triangle Boy could allow them to do it without the target ever knowing who was behind the attack. "It would be the functional equivalent of an electronic silencer," says one technology expert with wide experience in the intelligence community. "You could shoot electronic bullets right down the pipe without anyone knowing where they came from." Intelligence officials deny they have any interest in using Triangle Boy for offensive attacks. The CIA wants the strengthened version of Triangle Boy reconfigured so it can handle the CIA's own much higher-powered encryption. It also wants to ensure that only its own employees and contacts can communicate via Triangle Boy. SafeWeb is expected to deliver the customized version by April. Some observers suggest that the CIA's real interest is figuring out how to crack Triangle Boy and to thwart its use among the public. Encryption and the spread of Internet-based communications have made life miserable for the National Security Agency, the CIA's sister organization responsible for electronic eavesdropping around the world. Software such as Triangle Boy will render the challenge that much tougher. But the CIA denies the allegation. "We're looking to use new technology, not to break it," said the CIA official, who added that the NSA was informed of the Triangle Boy investment and will later get to inspect the software. But with or without CIA involvement, the official said, technology is moving too fast for the NSA to keep up. For Mr. Hsu, the key is to manage the relationship with the CIA without damaging his company's reputation. His customers, after all, are people who take privacy very seriously, so trust is a critical part of its business model. There are already glimmers of suspicion in some Internet chat rooms. "This could be the greatest NSA trap ever," wrote one skeptic of the SafeWeb site. "This actually makes it easier for people to spy on you," wrote another. Mr. Hsu, though, insists that the CIA relationship is "completely separate from our core business." The agency will have no access to SafeWeb's operations or insider knowledge of its proprietary software. But on the other hand, he says, if the CIA is pleased with its customized version of Triangle Boy and puts it to use, "that will be a big seal of approval from the government." Write to Neil King Jr. at neil.king () wsj com ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".