Chinese Govt Spyware Puts Computers At Risk
Ihmhi writes "China's mandatory 'Green Dam Youth Escort' web filter software apparently has a series of severe flaws. In addition to not working on Linux or MacOS, traffic between the software and its servers is unencrypted."
I'm sure it only gets better after that.
FFS, just run it in Wine!
Do not write any code that could intentionally be used to DDOS your ass.
But seriously, this is great. It's going to be one hell of a show when it gets cracked.
So does that mean that selling computers with Linux or OSX installed is illegal? Or will they get away with "installing" the software on those computers even though it can not function?
After all the slating given to China over censorship, it would be interesting to be able to browse from behind such a filter and see how much it would affect the surfing of a typical westerner.
Hey, it's Chinese stuff for god's sake, did you expect some quality out of it?
I hardly consider the lack of Mac or Linux versions a "flaw". In fact, I consider that one of the few positive aspects of the software.
What we need more of is science!
The "mandatory" software these computers will be shipped with is no different than a VChip inside of all modern American TVs; it's a feature people may use, but are allowed to uninstall at their sole discretion. Besides, this stuff runs on Windows, it's just one more straw on the pile of ways to hijack an unprotected computer. We also choose a tool that doesn't run on Linux because we're sick of typing 'sudo apt-get install wine' every time we install a new Linux distro. This assures minimal typing for all Chinese Linux users.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
"We found a series of software flaws," explained Isaac Mao, a blogger and social entrepreneur in China
... when contacted later for further comment, it was discovered that Mao had been assigned to 18 years of reeducation through labour in the coal-mining provinces.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
No, not a good thing. You see in the authoritarian/communist society which is China, the government owns or has major influence in everything. So even with OSS projects that have a commercial vendor (like Red Hat) the government could convince the company to poison the source repos and the binary repos with modified versions. So in the end you have an authoritarian Linux system that even pirated Windows would be looked at by dissenters as "more free" because it doesn't run into the poisoning of OSS.
Taxation is legalized theft, no more, no less.
"We have buttiduously canvbutted the industry, buttessed what is available and buttembled the finest selection of contractors chosen in a completely open manner for this buttignment. Butterting free speech is one thing, but a triparbreaste committee considers that that does not justify mere pbuttive breastillation at the expense of others. The filters will buttociatively clbuttify all communications and filter then, I can butture you, rebuttemble them with surpbutting exacbreastude in any quanbreasty. Consbreastuents can be rebuttured that a mulbreastude of industry compebreastors will butture quality and keep our clbuttrooms safe. Green Dam will not embarbutt us!"
http://rocknerd.co.uk
From the article: "One blogger posted a screenshot of the software purportedly blocking an attempt to visit a porn site using Microsoft's Internet Explorer. But, he said, there was no problem accessing the site using the Firefox web browser."
Ok, so it's a pretty ham-handed first attempt. My question is: with all the US computer companies outsourcing to China, will my US PC or Apple eventually be affected? Perhaps we should stop buying US PCs made in China.
"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Pravin Lal, Alpha Centauri
I don't know what you just said except "Olympics", and we all know what we do at the Olympics, right? Support your country to be number one, no matter WHAT the event!
U-S-A! U-S-A!~
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
First, it's incompatible with all of those Windows-only worms, now it won't run invasive government-mandated spyware. At this rate, it will never be the year of the Linux desktop.
I am TheRaven on Soylent News
First of all, I don't think that China could convince Red Hat, or any other commercial vendor to poison their own products to add things like this in. If anything, they would modify the files themselves, and then have their firewall/cache systems return their modified versions instead of the real version. Even if they were able to do that, there are dozens, if not hundreds of Linux distros out there. They cannot convince all, or even most of them to make these changes, so there will still be plenty of ways that Chinese people can get a hold of "un-tainted" Linux distributions.
WTB [sig], PST!!!
After spending a number of years living/working in China, I've come to the conclusion that the government just doesn't care if this new "feature" works or not. The goal isn't to really censor here, but to let people know that "the man" is watching. In China, that is enough to keep the vast majority of people in line. There are still tens (perhaps hundreds) of millions of people that have vivid memories of the Cultural Revolution. They know all too well what happens to the squeaky wheel and tailor their activities accordingly. Sad, but that's the way it is.
First of all, I don't think that China could convince Red Hat, or any other commercial vendor to poison their own products to add things like this in
Well, not Red Hat but what about Red Flag which is widely used in China and is mandated in some places for internet cafes. If they can convince the OEMs, convincing Chinese OS makers would be the next logical step, Linux is open and Red Flag already has a large userbase in China.
Even if they were able to do that, there are dozens, if not hundreds of Linux distros out there. They cannot convince all, or even most of them to make these changes, so there will still be plenty of ways that Chinese people can get a hold of "un-tainted" Linux distributions.
Censorship can never convince 100% of the population, but if you can get 95% and the 5% either are ordinary people who are scared to protest, high-ranking people who if they tell they lose their money, or unaccepted "radicals" who even though they have no fear of the government, the government or media makes it seem like their ideas are unworkable or destructive.
Taxation is legalized theft, no more, no less.
Spyware Puts Computers At Risk
I nominate this for the most awesome headline ever.
...it's the lack of encryption that really bothers me. After all, that could let some unknown party watch what I'm doing online!
Being "secure" would not make the whole thing any better, it would still be a huge blow against freedom of speech (despite the lack thereof in China anyway) and the freedom of the net. But it raises another concern that our governments might take into account before pulling a similar crapstunt (I'm fairly sure they have something like this planned already. Freedom of speech ain't just a threat to governments in China...).
Whenever you mandate some software to be installed, especially if this software is to offer connections to the outside world or is to communicate with a server, you open a security hole in a system. Worse, one that the user is not informed about and cannot plug because he is required to keep it open.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Step 1: Install Virtual PC, or other VM Software
Step 2: Install the Mandatory Software INSIDE the VM
Step 3: Leave the VM running in the background and never touch it