Lt-Col A. Tack
06-30-2009, 09:29 PM
China 'Green Dam' Censorware Called Security Risk

By Thomas Claburn
InformationWeek

June 12, 2009 06:14 PM

Chinese authorities claim the software is necessary to protect people from pornography, but the software has been found to block politically sensitive terms.

China's plan to require Web filtering software on all PCs sold in the country after July 1 continues to draw fire from individuals and organizations inside and outside the country.

Three computer scientists with the University of Michigan on Thursday published an analysis of the "Green Dam Youth Escort" software required by the Chinese government and found that "it contains serious security vulnerabilities due to programming errors."


The researchers state that the software contains systemic flaws in its code as a result of unsafe programming techniques and that the software's problems are compounded by a design that exposes it to a large variety of potential attacks.

"If Green Dam is deployed in its current form, it will significantly weaken China's computer security," the report states. "While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide."

Chinese authorities claim the software is necessary to protect people from harmful information, specifically pornography. But the software has been found to block politically sensitive terms.

According to a report in The Wall Street Journal, two professors in China have filed formal complaints against the government's plan to the China State Council and the National Anti-Monopoly Committee stating that the Green Dam mandate is an "abuse of power."

Li Fangping, a human rights lawyer in Beijing, is also challenging the legality of the government's plan. He has asked China's Ministry of Industry and Information Technology to hold a hearing on the issue.

On Thursday, the Global Network Initiative, a coalition of information and communications companies, human rights organizations, academics, and others, said the software raised human rights concerns. It also questioned the legitimacy of the Chinese government's approach.

"An approach for protecting children online that requires the mandatory installation of a particular software package that is difficult to uninstall and filters far more than sexually explicit content is not consistent with the practices of other countries that have encouraged parental control tools and is far out of proportion to the goal of child protection," the GNI said in a statement.

The Chinese government appears not to like what it's hearing. Rebecca MacKinnon, assistant professor at the Journalism & Media Studies Center at the University of Hong Kong, notes in a blog post that Chinese Internet users have been posting copies of notices, sent from the government's Central Propaganda department to news organizations, that direct recipients "to tone down the criticism and take on a more positive tone toward Green Dam."


Link (http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=217801058)

Lt-Col A. Tack
06-30-2009, 09:30 PM
China delays implementation of mandatory censorware

By Aileen McCabe, Canwest News Service
June 30, 2009

SHANGHAI

China blinked Tuesday night, issuing an 11th-hour reprieve to its order forcing computer companies around the world to include controversial censorware in all computers sold in the country starting July 1.

The official news agency Xinhua said there would be a "delay" in implementing the policy, but it gave no new date when the Green Dam-Youth Escort software must be included with computers sold in China.

The Ministry of Industry and Information Technology said Green Dam would continue to be installed on computers in public places, schools and Internet cafes and that free downloads of it would be available on the Internet. It said the software has already been downloaded to more than seven million computers in schools and Internet cafes across China.

The ministry said it had "third-party" proof that Green Dam can successfully block 90 per cent of Internet pornography.

Beijing insists its Green Dam software is meant to block pornography only but, around the globe, governments and rights activists are warning it can also be used to scrub political content from the Chinese web.

The European Union Chamber of Commerce was the latest group to urge Beijing to reconsider its Green Dam edict. In a release this week, it said the program "raised serious concerns about security, privacy and user choice."

In a letter sent to two Chinese ministries last week, top U.S. trade officials also called on Beijing to scrap Green Dam.

"China is putting companies in an untenable position by requiring them, with virtually no public notice, to pre-install software that appears to have broad-based censorship implications and network security issues," Commerce Secretary Gary Locke and U.S. Trade Representative Ron Kirk wrote.

Their words underlined the concerns that 22 international business organizations put to Chinese Premier Wen Jiabao just a few days earlier. The Wall Street Journal said its reporter saw the letter which informed Wen: "The Green Dam mandate raises significant questions of security, system reliability, the free flow of information and user choice."

Multinational businesses, such as Google and Yahoo, have been implicated in Chinese censorship - the "Great Firewall" - in the past, but never in the numbers or on the scale Green Dam involves.

The business organizations, including the Information Technology Industry Council, told Wen they feared problems with the Green Dam software, which include serious security concerns plus credible claims of copyright violation, could endanger computer makers worldwide if they are forced to hastily pre-install it in their products.

Even before Tuesday's reprieve, it was doubtful most computer makers could actually meet China's deadline.

Some Sony Vaio computers were apparently arriving in Chinese stores with the new software included and Taiwan-based Acer said it would be in compliance by Wednesday.

But at a major computer retailer in downtown Shanghai, a technical staffer said Tuesday that they only had "some" computers loaded with Green Dam available.

"Say you come to buy a Lenovo (Wednesday), you won't get one with Green Dam in it," he said in a telephone interview.

At another store contacted, the salesperson was confused by the question, but was quick to say that staff could un-install Green Dam easily from any computer they sold.

China has the world's largest Internet community, nearly 300 million strong and growing rapidly. It is an overwhelmingly young, predominately male and fairly technically savvy group that has lived with censorship for several years and knows a thing or two about outsmarting the watchers.

But the vast censorship bureaucracy doesn't seem to worry overly about pesky ploys like word substitution - flg for the forbidden Falun Gong - or people using proxy servers and virtual networks. Indeed, in many ways, what keeps the Great Firewall relevant and effective is the psychological effect it has on Internet users who always know Big Brother is watching and often censor themselves or simply ignore troublesome topics just to save the hassle.

Link (http://www.canada.com/China+delays+implementation+mandatory+censorware/1747364/story.html)

Lt-Col A. Tack
06-30-2009, 09:33 PM
Analysis of the Green Dam Censorware System

Scott Wolchok, Randy Yao, and J. Alex Halderman

Computer Science and Engineering Division
The University of Michigan

Revision 2.41 – June 11, 2009
*Update: Addendum 1 added June 18, 2009


Summary

We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Link (http://www.cse.umich.edu/~jhalderm/pub/gd/)