Feeds

Security holes poked in Chinese compulsory PC filter plan

Green Dam it all

Website security in corporate America

Plans to mandate the use of a particular brand of censorware software in China pose a grave security risk, security watchers and net privacy activists warn.

All PCs shipped to China from July 1 2009 onwards will be required to bundle a locally brewed application called Green Dam Youth Escort in order to prevent access to "harmful content". The parental control/censorship software, developed by Jinhui Computer System Engineering, will be used to block access to porn as well as politically sensitive content, in conjunction with server-side and ISP-level filters (the so-called Great Firewall of China) already in place.

By creating a software monoculture the Chinese authorities are creating a risk that a vulnerability in the software, providing it was serious enough to allow remote code injection, could be used to create a huge botnet. More subtle flaws might also be used to create targeted attacks on government computers - a factor that is unlikely to pass unnoticed down at the NSA.

And the whole exercise might be of limited use anyway, because early versions of the software work only IE or Google Chrome on Windows. According to collaborative tests, carried out in China and summarised by Global Voices here, the software fails to work with Firefox. The software - already widely deployed in China - is incompatible with Mac or Linux machines.

Other reported problems include suggestions that the Green Dam Youth Escort is a resource hog, might be high maintenance when it comes to applying upgrades, and has been found to inadvertently block course-related material in schools.

Questions are also being asked about the costs of the software, estimated as costing 41m Yuan in the first year.

Isaac Mao, a research fellow at Harvard University's Berkman Center for Internet and Society, has uncovered other problems with the software. Communications between the systems at Jinhui and client PC running its Green Dam Youth Escort are unencrypted, leaving the door open for man in the middle attacks and clickstream snooping. It could be the system is designed this way to allow the Chinese government to monitor its citizens.

However, Green Dam maintains that its software is "only a filter", the BBC (citing reports in the official Chinese media last year) reports. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.