

Security vulnerabilities found in China's nationwide installed filter software - liuliu
http://www.cse.umich.edu/~jhalderm/pub/gd/

======
paulbaumgart
James Fallows argued pretty persuasively that these sorts of things aren't
actually relevant to the Chinese government's ability to accomplish effective
censorship in his article about the Great Firewall:
<http://www.theatlantic.com/doc/200803/chinese-firewall>

_What the government cares about is making the quest for information just
enough of a nuisance that people generally won’t bother. Most Chinese people,
like most Americans, are interested mainly in their own country. All around
them is more information about China and things Chinese than they could
possibly take in. The newsstands are bulging with papers and countless glossy
magazines. The bookstores are big, well stocked, and full of patrons, and so
are the public libraries. Video stores, with pirated versions of anything.
Lots of TV channels. And of course the Internet, where sites in Chinese and
about China constantly proliferate. When this much is available inside the
Great Firewall, why go to the expense and bother, or incur the possible risk,
of trying to look outside?_

The same points arguably hold for the Green Dam.

Edit: I guess I missed the point of the advisory (see comment below). I
assumed they were discussing methods of circumventing the system, but after a
second (more careful) reading, that's obviously not the biggest concern.

It's really a crappy situation: mandated software that's this broken. Either
join a botnet or potentially raise the government's suspicions by uninstalling
the software.

~~~
udekaf
The point is that the censorship software is mandated in every sold PC in
China. If it is so vulnerable and user's machine so eaisly to be taken control
of, considering China's population, thounds and thounds PCs may be turned into
hacking proxies.

------
jrockway
The legal consequences of this (in China) are frightening. Imagine a malicious
site that uses this vulnerability to download child porn onto the target
computer, and then reports the user to The Authorities. Many lives could
easily be ruined, as I imagine China does not provide many rights for the
accused. (This will probably get you into trouble in the US, too, which is why
I make sure all my filesystems are encrypted.)

~~~
paulbaumgart
_This will probably get you into trouble in the US, too, which is why I make
sure all my filesystems are encrypted._

That's exactly what happened to this guy and he got off:
<http://news.cnet.com/8301-10784_3-9970660-7.html>

I don't doubt that there's a sizable chance of getting convicted anyway, but I
really hope it's not "probable".

~~~
jrockway
The encryption ensures that you avoid charges in the first place.

My imagined dialogue: "We're here to seize your hard drive to see if you are
doing anything illegal." "OK." "Damn, it's encrypted, tell us your password."
"I refuse to testify against myself." "Uh, you have to." "I forgot the
password." "Fuck."

The fishing expedition then ends fairly quickly. (If you really are
distributing child porn, though, they will probably get you some other way.
This is exactly how the system should work.)

(You might want to have a "honeypot" that can be activated with a certain
password so that you don't even have to claim you forgot the password. This
could be helpful for avoiding "contempt of court". IMHO, this should not be
necessary, but I Am Not The Supreme Court.)

~~~
paulbaumgart
Slightly off topic, but I'm curious: what sort of encryption set-up/software
do you use? Does it affect access times in any noticeable way?

~~~
jrockway
I use LUKS, and it doesn't appear to affect performance much. During heavy
disk activity, the crypto threads do use some CPU, but it is not noticeably
slow, even on my eeepc.

------
khandekars
This poses some pretty interesting questions.

1\. Is it mandatory to install such filter software on Linux boxes also? 2\.
How do they handle the case where the filter software is chroot'ed in a jail,
so that the individual is complying with the letter of the law by installing
and running the software, but managing to avoid the ill-effects?

I'm not speaking about censorship etc., just plain curious.

------
cnlwsu
Will be fascinating on how China's government responds to this. With any luck
these findings will postpone this terrible idea... Or at least get some
competent(security focused) people writing this application.

