The Dark Visitor

Loyal readers of TDV may remember Heike’s post about Peng Yinan, aka Coolswallow of Javaphile. According to this NY Times article, the school that Yinan has occasionally taught at was discovered to have been involved in the Google compromise revealed last month. At this point, it is only the IP addresses that seem to link the school to the compromise but it is an interesting coincdence that one of the most prolific Chinese hackers has a close connection to the school.

There are many possibilities for SJTU’s IP addresses being involved in the incident. Any assessments made about SJTU’s involvement at this point would be just a guess.

This hunt for Coolswallow of Javaphile begins, right here at our website…

On the 1st and 2nd of this month, the site started receiving a lot of traffic from the Shanghai Jiaotong University bulletin board. A poster going by the online name ericool linked to an article (UPDATE: ericool has removed the  link) previously posted here about Javaphile. Ericool said that the information I got about Javaphile was taken from his old website (he is absolutely correct) and since all that info came from Coolswallow’s blog…that means that Ericool is in fact…Coolswallow. A much earlier posting by Ericool in 2002 leaves little room for doubt (note the moniker circled in red at the bottom of the post):

The reasons I have been following Coolswallow, is that he was fairly active during the US and Chinese cyber conflict that occurred over the collision between a US EP-3 reconnaissance aircraft and a Chinese fighter. One of the characteristics that makes Coolswallow standout from the normal Chinese hacker is his scholarly work on Buddhism. It is a theme that has repeated itself throughout his writings and will be the primary cause for some speculation later in this search.

Started running some searches on ericool and found him linked to the Beasts of Burden Society, that is composed of graduate students from Jiaotong University. The society has been putting on a wide variety of academic seminars on various topics for the last two years.

(Image Removed upon request)

For their 2nd anniversary, the lecture was titled “Hacker in a nutshell” and was given by Peng Yinan (彭一楠). According to the press release, Peng Yinan is a security information consultant for the Shanghai Public Security Bureau and a senior hacker. Futhermore, he uses Vajracchedika-Sutra Buddhism to explain the characteristics of hackers. Hmm, suspicious… Here is one of the fliers for the lecture that took place at the Chen Ruiqiu building on the 31st of October, 2007:

Continue Reading »

The group Javaphile was established in September 2000 by two Chinese hackers going by the online names of Coolswallow and blhuang (Liang Huang). All members of the group were said to be students of Jiaotong University in Shanghai. The group was later joined by thomasyuan who specialized in Unix programming. Initially the group was merely for Java language enthusiasts as the name implies. This attracted few members, since the Java language had only just been introduced to the country. Coolswallow joined the Red Hacker Alliance following the 2001 collision between the US reconnaissance aircraft and the PRC fighter. Coolswallow and thomasyuan would later initiate a program to reorganize the group into a hacker web site. Some notoriety was gained by the group in 2002 for the defacement of Lite-On, a Taiwanese IT company.

An examination of Javaphile, from the introduction of its web site to the defacements of Lite-On, Fox T.V., and others attacks show something slightly different from the normal Red Hacker Alliance cell. The graphics, language, and structure used by the group are not typical when compared to the majority of Chinese hacker web sites. The group’s homepage shows a picture of a Buddha head surrounded by tree roots, probably taken at Ayuthaya, Thailand. Coolswallow’s personal blog also contains references to Buddha and his/her personal translations and explanation of Tibetan Pali Buddhist engraved incantations.