China Scrambles to Repair Crumbling Green Dam
Jun 15, 2009 1:26 PM PT
For years, China's government has kept the country's Internet surfers on a very short leash. Censors attempt to block any content considered immoral, which could be anything from pornography to politically charged blog posts.
Its latest plan is to order the installation of filtering software directly into all personal computers. While that software may shut Internet users out of certain corners of the Web, it could also leave doors wide open for malicious hackers, according to J. Alex Halderman's students at the University of Michigan.
A report the team released last week shows just how big a problem bad Chinese software can be for everybody.
The filtering software the government has ordered installed on all computers shipped into its country after July 1 -- known as "Green Dam" -- leaks like a sieve and can become a virtual Chinese buffet for hackers, according to Halderman.
On Monday, China said it was ordering patches for the filtering software, but "I would doubt with the time available before the July 1st mandate that they would be able to make the software adequately secure," Halderman, an assistant professor of electrical engineering and computer science, told TechNewsWorld.
Never mind the fact that human rights and privacy critics argue the Green Dam software would be used to filter political content and dissent and not just the pornography the government cites as its reason for the mandate. Also, never mind that a U.S. software company, Solid Oak Software, claims Green Dam uses code stolen from its Cybersitter filtering software. Those are side issues compared to the major cracks Halderman and his students found in Green Dam.
"Once Green Dam is installed, any Web site the user visits can exploit these problems to take control of the computer," the University of Michigan report states. "This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process."
An Example of Software Piracy?
"We did this extremely quickly," Halderman said. "I was very proud of my students and some of the technical work we were able to accomplish. It was about 12 hours of doing the initial security analysis and some time after that writing that up, but we were able to find the problems [in Green Dam] pretty quickly. Part of it is that I have quite talented students, but the software also showed itself to be extremely vulnerable."
Halderman and his team discovered evidence that Solid Oak Software code may have been lifted and placed in Green Dam. It wasn't just that "blacklisted" URL addresses appeared to be copied directly from Cybersitter; "a news item, almost like a press release that Cybersitter sent to customers was included in the shipping version of Green Dam software," Halderman said. "It appeared to be copied into Green Dam by mistake."
If Green Dam's makers can't plug the holes by the July 1 deadline, computers used in China could become new zombie machines in spam and phishing networks, spewing out malicious code and causing damage to computers in other countries.
In addition to the holes Halderman's students found in Green Dam, they found suspicious similarities between the blacklists the software uses to filter pages and those used by Cybersitter, a popular Web parental control product from Solid Oak Software.
China's problem with software piracy has always been a major talking point in trade negotiations with the U.S. and other Western nations, but Halderman says the Green Dam issue shines a new spotlight on the problem.
"Piracy is very common in China, but the real issue is that a program that appears to have been built based on the work of others without their permission is now being mandated by the government," Halderman said. "The question is, why didn't the government of China look into this more carefully before they mandated it?"
Reaction to the Report
There were similarities in the blacklisted Web addresses, the Chinese designers of Green Dam admitted to China Daily. However, they denied stealing software code. The designers also acknowledged there were flaws in the filtering software and that the Chinese government had ordered them to patch the problems, indicating that China is sticking with Green Dam for now.
Halderman has sent Green Dam's makers a copy of his report, he said, and he offered more information to help fix the software, "but we haven't heard back from them yet. I don't know what to chalk that up to -- certainly, there is a language barrier at play here."
The big lesson for any U.S. or Western technology firms wanting access to China's billion-plus market and its emerging economic strength: "I think software piracy is a problem globally, but companies need to be diligent about making sure that the people they're doing business with are being honest," Halderman said.