April 24, 2014


China's New Mandatory Censorware Creates Big Security Flaws

Today Scott Wolchok, Randy Yao, and Alex Halderman at the University of Michigan released a report analyzing Green Dam, the censorware program that the Chinese government just ordered installed on all new computers in China. The researchers found that Green Dam creates very serious security vulnerabilities on users’ computers.

The report starts with a summary of its findings:

The Chinese government has mandated that all PCs sold in the country must soon include a censorship program called Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material. We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process. We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

The researchers have released a demonstration attack which will crash the browser of any Green Dam user. Another attack, for which they have not released a demonstration, allows any web page to seize control of any Green Dam user’s computer.

This is a serious blow to the Chinese government’s mandatory censorware plan. Green Dam’s insecurity is a show-stopper — no responsible PC maker will want to preinstall such dangerous software. The software can be fixed, but it will take a while to test the fix, and there is no guarantee that the next version won’t have other flaws, especially in light of the blatant errors in the current version.

Comments

  1. Anonymous says:

    China is surging ahead with economics and production; having Chinese citizens trained not to think for themselves will soon be the only advantage westerners have. Please, sit back and watch the train wreck, but don’t try to stop it happening.

  2. Anonymous says:

    No one likes this in China.
    Having said “Chinese citizens trained not to think for themselves” only shows how little thinking you have done.

  3. Anonymous says:

    Would it be ethical for a computer maker to fix these bugs (thereby enabling the censorship)?

  4. Uffe says:

    While the rest of the world, and the affected computer owners undoubtedly will care, I doubt the communist Party officers care that the software they are forcing onto the Chinese citizens is full of holes. As long as the software does what it is meant to do (curb dissent, prevent access to porn and so on) I think the Communist Party is unlikely to bother about any flaws. After all, it’s not like the high-ranking Party officials are going to use the stuff themselves…

  5. Anonymous says:

    I AM FROM CHINA, I HATE GREEN DAM. REALLY!

    • Anonymous says:

      “I AM FROM CHINA, I HATE GREEN DAM. REALLY!”

      I hope that you have used a proxy to post this comment, or else the thought police may catch you.
      Nevertheless, use GNU/Linux; as far as I know there’s no version of this software for GNU/Linux, and GNU/Linux protects your freedom.

      You can get a copy here:
      gnewsense.org

      So sad that a nation like China, which has a great history and an awesome culture, is a dictatorship.

  6. Anonymous says:

    I’m from China. I only wanna say Green Dam is such a stupid piece of software, and I’m ashamed we have such stupid officers…

  7. rp says:

    From the government’s point of view, this could be a desirable outcome. If you mandate installation of the software and nobody installs it, then you can use the failure to install as a prima facie cause for imposing punishment on people whom you want to punish for other reasons. And if the less-than-utterly-mainstream areas of the internet inspire fear of hacking that makes fewer people visit them, so much the better for that too. A repressive government wins either way.

  8. Anonymous says:

    Oh, yeah. Everyone who doesn’t install Green Dam will be prosecuted for any probable or improbable reason. What a great idea! Is that how you think China works? I wonder who actually has been brainwashed.

  9. Anonymous says:

    In fact, the most important reason that Chinese officers proposed this software is to block Chinese people from getting access to “sensitive” information.

  10. Anonymous says:

    PC-based filtering is even easier to defeat. Unlike the latter, the user actually controls their PC, so they can disable it on their computer, or just reinstall, or use a Live CD or something. I wonder if they’ll block access to different OSes to prevent that. Note: it’s impossible with all the different options.

    I’m perfectly happy to let them do this, because it will make Australia’s ISP filtering idea look toxic, and maybe cause better changes over in China.

  11. Anonymous says:

    How stupid the dictator is! They think that monitoring our private data can help the dictatorship, but it will NOT work eventually!!!!!!!
    Thanks to the proxy websites, we can get sensitive information. GOD OVERSEE YOU ALL, CCP!!!!!
    AND AGAIN, I HATE THE GREEN DAM CENSORWARE!

  12. Anthony Lai, Hong Kong says:

    We will organize an event next Saturday to disclose and try out various scenarios showing how bad this software is.

    They even have a target wordlist that kills your WordPad or Notepad when you type in specific sensitive phrases like the 4 June Massacre (in Chinese).

  13. Anonymous says:

    I’m Chinese. The corrupt government spent about 41,000,000 yuan to buy this rubbish without citizens’ agreement. In China, it’s a very big joke to us. We are all angry. In my opinion, the government tends to control our freedom of discussion and freedom of thinking.

  14. Anonymous says:

    I am Chinese and am studying in the US now. I certainly do not agree with the Chinese government about mandating the installation of such software. It is also a shame to have vulnerabilities in it. However, some foreign friends, please don’t forget that the Windows OS is the most dangerous software ever created, which has millions of vulnerabilities.

  15. Anonymous says:

    The Chinese government did not mandate installation of Green Dam. PC makers can preinstall it, or make the software available on accompanying CD-ROMs. The end user is under no obligation to run it or keep it installed.

    Software has patches (sometimes critical); look at how many critical patches Windows has had.

  16. LargestBotNetEver says:

    Imagine a 6-billion computer botnet in the hands of the Chinese government!!!

  17. Jill says:

    So instead of writing a virus to shut down the computer, someone should write one to send the entire list of banned websites to the person in China using the computer.

    Jill
    —————-
    Inside Houston

  18. Lee says:

    The same thing is going on in the UK. True, we don’t have software installed on our computers, but ISPs have been forced to keep track of every webpage and every email we send. Also, every phone call we make is recorded. Lee @ Wacker Plate

  19. Top Driver Scans says:

    The Chinese government did not mandate installation of Green Dam. PC makers can preinstall it, or make the software available on accompanying CD-ROMs. The end user is under no obligation to run it or keep it installed.