China as an Imperialist

If you have been Chinese since the 1940s it's hard to imagine anyone thinking
China is imperialist.  Of course, it is possible to say that China as capitalist 
would be equally shocking to Chinese society before 1980.  Imperialism requires
either a king or heavy-handed policy.  Historically, war has been the direct
result of this style of policy; however, in recent times economic sanctions also
work.  Take for instance the US-led sanctions on Iraq.  
	While most countries require the UN to impose economic restraints, China has the
singular ability to make economic policy with its own weight.  Google's recent
policy decision to self-censor information fed to Chinese citizens is proof of
her ability.  Even though the United States does not have the
same sorts of restrictions on information dissemination, Google has chosen to 
impose restrictions on itself in order to continue diplomatic relations.  It
would be interesting to know whether Google has Taiwanese relationships and 
how they plan to explain themselves.  "Taiwan Independence" is one of the 
restricted keywords.
	China is not new at imperialistic tactics.  A paper from the China Quarterly,
from Cambridge University Press, describes the "Macedonia Project" where China
bought influence in post-communist countries before Taiwan could.  Countries 
who are UN-abiding do not recognize Taiwan as a sovereign country.  Macedonia did 
recognize Taiwan for a time as a country.*  Capitalist nations follow their
corporations.  Corporations follow the revenue.  Any percentage point higher than
one from the overall population represents a large potential for revenue from China.  
	The Japanese idiom that "business is war" could be taken literally here.  As 
our nations' corporate players jockey around the Internet, our governments bend
policy to their will.  In this case the pronoun "their" is entirely subjective
and could be the government's will (presumably linked to the people) or the corporation's
will (presumably linked to the shareholders).  If the government were to enact a policy
that stated "corporations could not create policy that would be illegal to enact on
citizens of the United States" then entities like Google and Yahoo would be 
bound to comply.  There would also not be a financial risk to them since the US
government would be responsible, and the ultimate defendant, in legal action.
Until that time China will have the ability to bend corporate policy to her 
own will regardless of that company's own laws.

* Canada currently favors Taiwan with diplomatic level relations. The US officially
recognizes “One China” but continues to sell fighter jet and submarine technology
to Taiwan.

Bank of America Tries to Fight Phishers

As I signed onto my account today I was forced into registration for a new security service of Bank of America. The system is called SiteKey and it is a pseudo two-factor authentication system. The idea is that the user will choose an image to display on the site after authentication. If the site doesn’t display the image then the user should begin freaking out and realize that they have just been phished.
The images themselves are retrieved via a dynamic URI which uses some very large hashes.
 https://sitekey.bankofamerica.com/sas/ge…[96 char hash]&iv=[15 char hash]

On the surface this seems like a decent system. I think the implementation is a bit off (backwards actually). When a user has cookies enabled and the site can then recognize the system, only an ID field is presented. After entering the ID the user is taken to a real authentication page with both username and password fields. This authentication screen will display the SiteKey image. What’s wrong with this? If you are coming from a computer the system does not recognize, then both username *and* password are required and then the SiteKey image is presented. Therefore it would not be impossible for a phisher to simply make calls after you enter your authentication info in a fake site to retrieve your actual SiteKey from the BoA website.

This system will raise the stakes in the phishing game but I don’t know if it will do so enough to thwart any but the most crude of phishers. If I have enough time I will try to mock up a proof of concept.
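
The ordering problem described in this post, as an added example (not the author's proof of concept and not Bank of America's code): a constructed model of the two login flows that reports what the user has already handed over at the moment the image appears. The step names and the typed/browser distinction are assumptions made for the illustration.

```python
# Constructed model of the two login flows described in the post. Step names
# and the "typed"/"browser" split are assumptions made for this illustration.
from typing import NamedTuple

class Step(NamedTuple):
    actor: str    # "user" or "site"
    item: str     # what this step hands to the other side
    source: str   # "typed"   = entered into whatever page is on screen
                  # "browser" = cookie the browser sends only to the issuing domain
                  # "server"  = produced by the site

FLOWS = {
    "recognized_device": [
        Step("user", "device_cookie", "browser"),
        Step("user", "id", "typed"),
        Step("site", "sitekey_image", "server"),
        Step("user", "password", "typed"),
    ],
    "unrecognized_device": [
        Step("user", "id", "typed"),
        Step("user", "password", "typed"),
        Step("site", "sitekey_image", "server"),
    ],
}

def audit(flow):
    """Return findings about when, and on what basis, the image is shown."""
    sent = []
    for step in flow:
        if step.actor == "site" and step.item == "sitekey_image":
            break
        sent.append(step)
    else:
        raise ValueError("flow never shows the SiteKey image")
    findings = []
    # The image can only warn the user if it appears before the password is typed.
    if any(s.item == "password" for s in sent):
        findings.append("password disclosed before image is shown")
    # If only typed values unlock the image, any page they were typed into holds them.
    if all(s.source == "typed" for s in sent):
        findings.append("image unlocked by typed values only")
    return findings

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, audit(flow) or ["image precedes password and needs the cookie"])
```

Only the recognized-device flow comes back clean; the unrecognized-device flow fails both checks, which is the case the post calls backwards.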