The flaws in China’s Green Dam filtering software, soon to be mandatory on every PC in China, have been known for some time — and the software still has holes.
This past week, officials in the U.S. State and Treasury Departments raised concerns about the software. The incident comes as tech firms are working to prove that they have no role in helping Iran censor the Internet in the wake of a disputed election there.
On Wednesday, the U.S. Commerce department reported in a press release that it had sent a letter to the government of China regarding Green Dam filtering software, which will be mandatory on all Chinese PCs as of July 1, 2009.
“The letter points out that the proposed new rule raises fundamental questions regarding regulatory transparency and notes concerns about compliance with World Trade Organization (WTO) rules, such as notification obligations,” the Treasury Department said.
“China is putting companies in an untenable position by requiring them, with virtually no public notice, to pre-install software that appears to have broad-based censorship implications and network security issues,” said U.S. Secretary of Commerce Gary Locke in a statement.
In a press conference, the State Department expressed support for the actions of the Treasury Department. “The State Department shares the concerns raised by international technology companies and by Chinese citizens regarding the potential impact of this software on trade and the free flow of information, and we think there are also some serious technical issues raised by the software,” said State Department spokesperson Ian Kelly.
Also on Thursday, Google in China was down
briefly as the Chinese government accused Google of being a purveyor of porn.
Flaws exposed in the Green Dam
University of Michigan graduate students Scott Wolchok and Randy Yao and professor J. Alex Halderman first reported flaws in China’s Green Dam software on June 11, 2009. In their latest report, dated June 18, 2009, they report that despite several patches to Green Dam, it still has critical vulnerabilities that could allow hackers to take control of a PC that has the software on it.
“We are encouraged that Green Dam’s developers have updated the program so quickly. This shows that they take security seriously,” they wrote. “Yet even after the recent fix, it is still possible for any web site a Green Dam user visits to exploit other security problems to take control of the computer. As we stated in our original report, the program makes use of insecure programming practices, and there are likely to be more undiscovered problems.”
It’s unlikely the problems will be fixed on time. “Consequently, making Green Dam safe will require substantial changes and careful retesting. It is unlikely that the required changes can be completed in the 12 days remaining before China’s July 1 deadline for mandatory distribution of Green Dam with new PCs,” they added.
Others agreed that patching won’t fix the problem. “The research conducted by the University of Michigan on Green Dam is an excellent example of how a patched system can never be considered secure,” Mickey Boodaei, CEO of Web browser security vendor Trusteer wrote in an e-mail to InternetNews.com.
“It took the Michigan researchers less than 12 hours to find unknown vulnerabilities in Green Dam. Similar research conducted by organized criminals, who have vastly more resources, would yield similar results. These vulnerabilities when exploited by a new piece of malware could result in millions of compromised computers in China,” added Boodaei.
That’s not the only problem. There are also reports that the filter uses open source software in violation of the license. The experts at the University of Michigan said that Intel’s OpenCV open source software is likely used in violation of its license.
“OpenCV is an open-source computer vision package developed by Intel. Green Dam uses it to try to recognize online images that contain nudity. . . Green Dam’s use of OpenCV prior to version 3.174 may be in violation of OpenCV’s license,” their report said.
China’s not the only government in trouble over filtering. The Australian government recently won an “Internet
Villain” award from the UK ISP Association for “continuing to promote network-level blocking despite significant national and international opposition.”
