Forget James Bond's super-gadgets, this chap spied for China using SD card dead drops. Now he's behind bars An American citizen will spend the next four or so years behind bars in the US for smuggling corporate secrets out of the states to his spymasters in China. A federal district judge this week sentenced Xuehua Edward Peng, 56, of Hayward, California, after he admitted handing over the trade secrets to Beijing. Peng earlier …
I wouldn't be surprised to hear that he made some withdrawals for the first payment and then used the cash from the reimbursements for the next payments. How the reimbursements got to him is another story, but if I needed to deliver a bunch of cash without getting caught, I'd probably run it that way.
Any time someone mentions here that China engages massively in corporate espionage, a gang of commentards ridicules and abuses them for believing such lies. How, then, can this story be true?
I trust our loyal commentards will promptly rally round and sort out this ElReg journo, set him to rights.
What people ridicule is that only China is doing that (I'm pretty sure most countries do that, actually), and they also like to point out that e.g. Cisco had actually backdoors for the US TLAs in their products to exfiltrate (i.e. steal) secrets, whereas in the case of other Chinese companies there is no proof so far (apparently not even any shared secretly with allied countries, otherwise they would be banning that stuff as well).
Yeah, dftt, I know...
We don't ridicule the idea that China is engaging in industrial espionage. We ridicule the idea that they're the only ones. Do you somehow think that the western countries aren't also spying on China?
You're mistaking our cynicism about governments across the board (yes, especially including our own) for support for China.
And it never occurred to you to wonder why the people most targeted by the TSA for full scan inspections of laptops, phones and PDAs are businessmen working for large (non-American) companies? Or why the American government and spy agencies are so keen that the rest of the world uses equipment from the USA?
I don't ridicule anyone for saying "Look out, the Chinese are watching you!". I do, however, ridicule anyone stupid enough to say they are the only ones doing it and acting like the rest of us are the naïve ones...
All three of you make the same point.
I'd point out in return that there is a profound difference between the ubiquitous surf and a tsunami.
I suspect most of the commenters you're complaining about are reacting to the imbalance, and the sheer DEGREE of imbalance.
What imbalance? Our whole point is that we regard all governments EXACTLY THE SAME.
Or are you trying to say that the Chinese spy more than other governments? Your assertion is based on what, exactly?
Is it just "But they're THE BAD GUYS"?
Thanks for the chuckle in these straitened times, anyway.
Concisely put.
You have put your finger on the problem. Well done, and thank you -- saved me having to say it.
There IS a massive asymmetry. Massive imbalance. Well documented. To put it another way, in your words, governments are NOT all the same.
But you're not aware of it.
You're operating on the basis of an idea. And it IS a lovely idea. I'll give you that.
But it's not real. You clearly have not been paying attention to anything outside your preferred venues.
A largeish number of senior spy bods have warned that Russia and China 's espionage is running at levels higher than even during the cold war. For years now. Russia's is mostly vs the States; China's is more general. You apparently missed all that. Plus any number of local news stories globally re specific events demonstrating a whole-state level of effort that makes the 60s CIA look like sane kindergarten children with no budget.
But you don't need them to be alarmed. Have you even read the terms of the BRI contracts? That's eyes-out-on-stalks territory. Noticed the south china sea "coast guard" is shipping better-than-antarctic-standard ice breakers to smash ships? Are you not even aware that Xi very publicly ordered the southern army last year to be ready for immediate war? Do you even know of the 3 nonmilitary warfares China declared?
You seem to think that ignorance constitutes virtue, constitutes superiority.
You seem not to realise that you look like fools, to people actually paying attention.
"Useful idiots".
Look it up.
If the data on the SD cards was decently encrypted then just sending it by post to China would have been easier and far less likely to be detected.
An alternative method (also assuming decent encryption) post the data on a Usenet newsgroup - there is no easy method to determine who has received the data.
Your ideas do not improve the situation. Posting to a news group leave a permanent trail pointing to the sender. Same applies for a letter sent. Using dead drops sounds like a reasonable thing to do.
Also surveillance requires much less effort if you get on the radar. Tapping your comms is a no brainer. Giving your letter some extra care is also not so difficult. Getting caught in the act is really only the last step. We need this for a fair trial. The perp already knows he is guilty but for us citizens it is important to know that he is really guilty.
Neither Tor nor steganography provide a convenient method for money to be sent in reverse. Physical cash pickup does. In addition:
Tor: If you are being tracked, they'll notice you start using it. Unless you do that very often, they'll be suspicious. The amount of data you transmit can be determined, and the network itself is slow.
Steganography: That works fine if it's a small amount of information. If it's gigabytes, which would fit just fine on an SD card, you'll need to hide it in hundreds of gigabytes of extra data. That probably won't go unnoticed if someone's watching you. Also, you'd have to keep all of that up so it's not obvious that you uploaded a couple million cat pictures and deleted them instantly. In addition, whoever hosted the data for you will have logs of who happened to look at all of them.
Peng is not the guy compromising the security of the USA, he's just the courier.
The guy doing the compromising is, apparently, Ed. He's the guy the FBI should find.
Of course, Peng is part of an espionage ring and guilty, no doubt there, but I think the wording is wrong. Peng participated in compromising US security, but he did not do so directly himself.
According to the article, he apparently left $20k in cash in a hotel room on the promise that he'd be reimbursed.
Being a tour guide in San Francisco must be more lucrative than I imagine, if he's got $20k he can afford to leave lying around.
Of course his handlers may have given him the money in advance, but then it wouldn't be "reimbursement".
Nobody in the movie business would buy this story, it's only the tip of the iceberg - send it back to the writers for a rework to develop the back story.
What was happening behind the scenes? Clearly a lot more than this little dribble of information "reveals" - I think there's probably enough happening behind locked doors to make the story into a 30 episode series.
Having stayed at various hotels in the Bay Area, including months at a time at one in Newark. I can tell you that the cleaning staff definitely weren't bothering to look under, behind or even around furniture in the rooms. Pretty much a horror story even at even the big name hotel chains.
So if this story means they actually bother to clean rooms properly, that's great news for the guests. Of course they might look under furniture etc and still not bother to clean the years of dust, hair and worse hiding there ...
"This case exposed one of the ways that Chinese intelligence officers work to collect classified information from the United States without having to step foot in this country,"
Or, in plain English, a paid agent nicks it from WITHIN THE COUNTRY, passes it to a paid courier WITHIN THE USA who manually transports it to China ... the only bit that's 'without having to step foot in this country' being the final delivery. Isn't that chain similar to the way every case of espionage works?
Obviously the CIA don't do that as they always set foot in a foreign country and directly send their spying results to HQ (probably after opening channel d) and would never employ local agents and dead drops to do naughty stuff for them ...
Why take the risk of exchanging physical media and cash?
My method would be - the corporation or government buying the data opens 4 or 5 bank accounts in China. It sends the debit cards associated with those accounts to the spy in the USA. The spy can at any time request a balance on the accounts from any ATM to see if money has been deposited.
The stolen data is sent via Tor or any other secure link (e.g. encrypted inside an innocent photograph or video uploaded to a foreign image sharing site). If very paranoid, connect to the Internet via a satellite service (with the subscriber being the same organisation buying the data). The location of satellite users cannot be pinpointed (unless they want to be located).
The spy gets his money via multiple cash withdrawals from different ATMs around a city using the multiple bank cards over a period of a week or two. Maybe using a suitable disguise in case CCTV footage is examined. $20000 would be lost in the noise of many Chinese tourists and business people using ATM services with Chinese debit cards.
I covered the problems of Tor and steganography above, but the short version is that Tor can be detected and steganography works well only if the information is short. I didn't talk about satellite though. It's not easy to have an untraceable satellite connection--if someone's watching you, they'll see the dish on your house, and most things that don't require extra hardware don't allow much data traffic. Either way, there'll be an extra bill to pay, so someone would ask "Why is a Chinese bank account with no ID paying for satellite internet service or a satellite phone in the U.S.", assuming the U.S. allows people to do that with unverified addresses, which they might not. Your method for getting the money out would probably work though.
I remember a novel plot point in a spy book I read many years ago, possibly the 80's. The spy would go outside at certain specified times, lay on his back and then mouth the words of the information he needed to pass on. The timing was critical because the spy satellite passing over would be filming him for the lip-readers back home.
Now that I've typed that out, ISTR it was an SF book, but set in the present or at least very near present day (of the time, not 21st C)
Actually there are ways of doing these drops securely over the Internet which are near impossible to trace but I'll be damned if I give a tutorial. Difficult? Yes. However, in this case, you are up against the NSA once you become a "person of interest." It's never getting on their RADAR that's the trick.
"b) remember the European Convention on Human Rights"
This is the U.S. They don't subscribe to the ECHR, and capital punishment is still allowed in some parts of the country. You could argue against it on American law, moral grounds or by referring to U.N. human rights statements that the U.S. has signed, but not the ECHR. Of course, the U.S. hasn't tried at all to enact that punishment in this case anyway.
Four years for just being a mule seems appropriate. What you don't know is if the feds are on the hunt for "Ed". That guy if they catch will be breaking big ones into little ones for a long time. My guess is that they did not arrest him for a while to see if they could find the other end of the drop. I be we don't hear about that one for a while, if at all.
AH!
you forget the goose and gander story?
one Chinesse mule caught gets 4 years, chineese are smart he'll be the only one,
makes international news
Merkin spy get caught in Chaina, pain, suffering will follow, collaps of whole spy ring will follow, Many good merkin citizans working for NGO's attached to the merkin enbisey , but not the merkin govt,
will be rounded up and more pain, suffering and talking , more collaps etc.....
no jail time , no international news, on news at all, nothing to see here!
no bodies, no more talk.
Why highlight this via quotes : "training in traditional Chinese medicine"?
It has been almost proven on multiple occasions that traditional Chinese medicine is nearly 0.0001% effective even for those refuseniks that believe in fairy tales and has had almost no massive impact on already highly endangered species like Rhinocerosses, Heffalumps, Tigers and Whales and such like at all...
Oh...
"I'm pretty sure somebody will want to have a chat with him soon."
No point in publicising you know the mule until you have "Ed" as well. Otherwise he'll just go to ground. In spy story scenarios "Ed" could be a double agent - possibly even planted to give the Chinese false information or expose their agents..
"In which case the mule didn't transport secrets so isn't guilty."
Deliberately attempting to break a law is probably an offence - even if you don't achieve your aim. In English Law such crimes can be covered by the generic blanket of "conspiracy to" - which is treated as a very serious offence. In the USA a possible defence could be that it was entrapment.
Totally unsurprising, the Chinese Government has infiltrated many structures around the world.
Universities are key area they target and Chinese academics often seek to become involved with long term research projects that may have commercial or military outcomes their home state wants access to. The spread of Confucius Institutes further extends their influence, and enables party officials access both to University management and policies, and to 'control' the aforesaid academics, often using threats against their extended family back in China to ensure compliance. They also arrange Ambassadorial visits, where they bring their own 'scientists', often in the guise of 'secretaries' or other support to look over research facilities with a knowledgeable eye and others who will try to get 'lost' so they can assess security.
No doubt some Chinese students attending UK Universities taking computer security courses are doing so to learn not just how to do it but to know how our computer security specialists are trained to keep them out too.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
