Despite its suspicious name, hackbase.com’s operators want to let people know it is a legitimate computer school for defensive purposes and not an illegal hacking school.

“We don’t train hackers, instead we provide professional training for Internet security. It’s up to the trainees whether they want to be a hacker or network administrator,” said Chen Qian, director of the training department.

The online classes are given in the evening and cover topics such as computer maintenance, anti-virus, data recovery, code protection and network attack and defense.

The courses, which cost between 398 to 1,998 yuan ($58- 292), are “easy” and aimed at everyone, even those without a college background or without English language skills, Chen said.

Kang Lingyi

According to reports, in 1999, Kang Lingyi participated in hacking the US Embassy and the White House over the accidental bombing of the Chinese Embassy in Belgrade.   He then went on to fame founding several nationalist websites.

An international controversy has broken out over an article he published on one of his websites called, the China International Strategy Net.  In the article, Kang suggests that India can be removed as a competitor by intentionally encouraging separatists to bring about the collapse of the state.  The statements caused such an uproar that the Indian government was forced to issue a statement saying that the relationship between China and India was peaceful.

As of this writing, Kang’s website has a message up saying that the site is currently under maintenance.  It has been up all day so let the wild speculations begin:

1) Beijing took it down as a concession

2) Indian hackers

3) The boring option of site maintenance          

The picture seen above is an advertisement for a Chinese hacker training course.  Now I know many of you are struggling to process this information;  something seems wrong with the picture.  The reason your brain is having trouble with the image,  is that it is located in a place called, the “outdoors”.  Like me, many of you spend way too much time online and this poster is horribly out of place.

The following report from China Daily talks about the growing public concern over hacking and online hacking courses.  It also interviews Wang Xianbing, a consultant for hackbase.com:

“Lots of hacker schools only teach students how to hack into unprotected computers and steal personal information,” said Wang Xianbing, a security consultant for hackerbase.com. “They then make a profit by selling users’ information.”

For investing hundreds of yuan in hacker school, students could obtain the skills to make a fortune, Wang said.

“Hacker school is a bit like driving school – they teach you how to drive but it’s up to you if you are going to drive safely or kill someone,” said Wang.

What the article doesn’t tell you is that Wang Xianbing is also known as Janker and the Lonely Swordsman; one of China’s first generation of hackers and the leader of online conflicts with the US and Japan.

The Chinese hacker who defaced the Melbourne Film Festival website signed his message of protest with the sid Oldjun.  To obscure his online identity, he named his personal website…Oldjun.com.  Some people just don’t care about their chosen profession and it shows.

Even the people who have stopped by Oldjun’s blog are dismayed by his total disregard for anonymity.   They point out that his personal info is all over Baidu and his blog site.   It gives away his surname, age, where he went to school and ID number.  They joke telling him to run and hide.

Huanqiu.com tracked Oldjun down using a Whois lookup on the website and got him to confess:

After tracing the domain name Oldjun, The Sunday Age spoke to Zhou Yu, 24, an IT professional from Nanjing, who admitted hacking the site after learning about the controversy from the internet.

Mr Zhou denied acting on behalf of the Chinese Government, stating he acted ‘because I am Chinese. I’m very angry — not only me, but I think all of the Chinese people— about this.’

As an added bonus, our old friend Sunwear shows up in the comments section.  My theory still holds that if Sunwear is present, something bad is happening.

In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the  CNN website.  We followed the events as calls went out for Chinese netizens to join the action.  We were there when cn_magistrate called off the attack and disbaned the organization.  Then he vanished…

cn_magistrate

Cold Case:  Yeah, we keep looking.  Finally located him through a combination of e-mail address, website and online name.   Below are the results of a Whois search we conducted on the associated website during the time of the attack (Notice the website name and e-mail address):

Domain Name: hacksa.cn
ROID: 20070811s10001s50288265-cn
Domain Status: ok
Registrant Organization: 判官
Registrant Name: 判官
Administrative Email: Kenan2677@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns1.okidc.com Name Server:ns2.okidc.com
Registration Date: 2007-08-11 11:59
Expiration Date: 2008-08-11 11:59

Hacksa.cn website letter

The image seen above was taken from cn_magistrate’s current blog showing the old URL  hacksa.cn,  which was associated with the CNN attack.

This reply from cn_magistrate in the comments section of his blog shows the e-mail address  Kenan2677@126.com, used to register hacksa.cn.

SURPRISE…

He claims to be a Taiwanese citizen…

I’ve written to cn_magistrate and asked if he will talk to us about the incident.  Off topic, did anyone hear the news about Taiwan and the US coming closer to an extradition agreement?  That would be cool.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.

In the last few days, the story of Yingcracker, “the most beautiful female hacker in China,” has been making the rounds  in Chinese news outlets and blogs.  Her exploits and earnings, in this male dominated society, have been posted by  numerous online sources.  The number of male friends added to her blog since the story first appeared have been impressive.

Problem: Yingcracker is a man baby! He thinks it’s kinda funny to pretend to be a MM (girl) online.  Xiao Tian e-mails me this:

It was absolutely my privilege to  spend a few days talking with Mara Hvistendahl on the subject of Chinese hackers.  She is such a fantastic lady and I couldn’t have enjoyed our time more.

While linking to our interview may seem a bit of shameless self-promotion, I mainly wanted it on record that Mara called me, “a trim 46-year-old.”  I pushed for other words like swashbuckling, ruggedly handsome and athletic until Mara started mentioning other adjectives such as weird, strange and goofy.

…TRIM!

Hackers: the China Syndrome by Mara Hvistendahl

Lost33 did not make contact with Jumper last night.  In fact, it seems he spent the night changing his QQ number and deleting all info from his blog. The website is now completely empty, except for a change to his personal data.  Lost33 changed his current residence from Sichuan to Beijing:

We retained a full copy of the previous night’s conversation with Lost33 but have decided to only release two sections.  The first section is being reprinted to prove the connection between Lost33 and the losttemp33 hotmail account:

The second section is being released…well, to be honest, just because I think it is funny. I can practically see Jumper’s expression as he types, “Yes, really.”

Are we surprised, shocked, or angry over Lost33 punking us…

-Hey, it’s just his nature.

Yep, that would be us…

According to researchers at IWM, Lost33′s information was only included in the GhostNet report because his malware was found on two computers associated with the Dalai Lama’s network.  However, it was different from the remote control access tool gh0stRAT that made up the backbone of GhostNet.

From the report by Robert Lemos at Security Focus:

However, the e-mail address was found only on two of the computers analyzed for the investigation, said Nart Villeneuve, a researcher at the CitizenLab and one of the authors of the GhostNet report. Both computers had been infected with a second piece of malware, separate from the gh0st remote access tool (gh0stRAT) that formed the backbone of the surveillance network, he said.

“That is a valid piece of malware but it is not the one related to the malware that connected to the admin interface for the gh0stRAT,” Villeneuve said.

So it looks like we are now investigating a massive network intrusion of two computers.  One, two.  We will call our project CasperNet.

Spoke with Jumper earlier today and he still feels it is worthwhile to pursue.  So, he will continue his conversation with Lost33 tonight.

UPDATE: Wanted to add this comment left by Nart Villeneuve because I thought it was super nice of him.  I botched up his report but he was still kind enough to stop by and offer these words of encouragement:

“I wouldn’t say lesser at all — just different. The CasperNet (www.lookbytheway.net/www.macfeeresponse.org) which sounds way better than what I’ve been calling it (CGI after their use of CGI scripts) was the one that was found to be retrieving a sensitive document related to the Dalai Lama’s negotiating position. In addition to being found at the OHHDL it was also found at the Tibetan NGO Drewla.”