Wednesday, June 10, 2009

China's personal computers at hacking risk

Every PC in China could be at risk of being taken over by malicious hackers because of flaws in compulsory government software.

The potential faults were brought to light by Chinese computer experts who said the flaw could lead to a "large-scale disaster".

The Chinese government has mandated that all computers in the country must have the screening software installed.

It is intended to filter out offensive material from the net.

The Chinese government said that the Green Dam Youth Escort software, as it's known, was intended to push forward the "healthy development of the internet" and "effectively manage harmful material for the public and prevent it from being spread."

"We found a series of software flaws," explained Isaac Mao, a blogger and social entrepreneur in China, as well as a research fellow at Harvard University's Berkman Center for Internet & Society.

For example, he said, tests had shown that communications between the software and the servers at the company that developed the program were unencrypted.

Mr Mao told BBC News that this could allow hackers to "steal people's private information" or "place malicious script" on computers in the network to "affect large scale disaster."

For example, a hacker could use malicious code to take control of PCs using the software.

"Then you have every computer in China potentially as part of a botnet," Colin Maclay, also of Harvard, told BBC News.

A botnet is the name given to a network of hijacked computers that can then be used to pump out spam or launch concerted attacks on commercial or government websites.

No one from Jinhui Computer System Engineering, the company that developed Green Dam, was available for comment.

'Naked pig'

The software has also caused a backlash amongst privacy experts, academics and some Chinese citizens. It has also drawn scorn from bloggers inside the country, who feel the system is no match for tech-savvy teenagers.

One blogger posted a screenshot of the software purportedly blocking an attempt to visit a porn site using Microsoft's IE.

But, he said, there was no problem accessing the site using the Firefox web browser.

Others have reported that the system only runs on Microsoft Windows, allowing Mac and Linux users to bypass the software.

It is thought that at least 3m computer users have already downloaded the software, opening them up to potential security problems.

Another formal study by the Open Network Initiative into the risks posed by the software is expected soon. However, many people in China who have been forced to use the software are already reporting other problems.

For example, the system reportedly blocks legitimate as well as banned content. It is designed to identify the proportion of skin colour in a picture to determine whether it is pornography.
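As an added illustration (not Green Dam's own code, which the article does not show), here is a naive skin-proportion classifier of the kind described, run on constructed single-colour images; the RGB skin rule and the 50% threshold are assumptions, chosen to show how a pale pink animal can trip the filter while a dark skin tone does not.

```python
# Added illustration, not Green Dam's code: a naive "proportion of skin
# colour" image classifier, with constructed sample images. The skin rule
# and threshold below are assumptions, not the product's real parameters.
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), 0-255


def is_skin(rgb: Pixel) -> bool:
    """A commonly used RGB skin-colour heuristic (assumption).

    It is tuned to light skin: the R > 95 floor alone rejects many
    darker tones, which is the kind of blind spot the article's
    forum comments describe.
    """
    r, g, b = rgb
    return (
        r > 95 and g > 40 and b > 20
        and max(rgb) - min(rgb) > 15
        and abs(r - g) > 15
        and r > g and r > b
    )


def skin_ratio(pixels: Iterable[Pixel]) -> float:
    """Fraction of pixels the heuristic calls skin (0.0 for an empty image)."""
    px = list(pixels)
    if not px:
        return 0.0
    return sum(1 for p in px if is_skin(p)) / len(px)


def flagged(pixels: Iterable[Pixel], threshold: float = 0.5) -> bool:
    """Block the image when the skin proportion reaches the threshold."""
    return skin_ratio(pixels) >= threshold


# Constructed 100-pixel "images" (flat colour fields, no real photos).
PIG_PINK: List[Pixel] = [(230, 170, 160)] * 100              # pale pink piglet
DARK_SKIN: List[Pixel] = [(80, 45, 30)] * 100                # dark skin tone
BEACH: List[Pixel] = [(220, 180, 140)] * 60 + [(30, 100, 200)] * 40  # sand + sea

if __name__ == "__main__":
    for name, img in (("pig", PIG_PINK), ("dark skin", DARK_SKIN), ("beach", BEACH)):
        print(f"{name:10s} skin ratio={skin_ratio(img):.2f} blocked={flagged(img)}")
```

The pink piglet and an empty beach are blocked while the dark skin tone passes, reproducing both the false positive and the false negative the forum comments complain about.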

But comments on a bulletin board run by the software company that designed the system suggest the system does not work perfectly.

"I went on the internet to check out some animal photos. A lovely little naked pig was sent onto the black list. Pitiful little pig!" read one comment.

"I was curious, so I looked up some photos of naked African women. Oh, they were not censored!"

Another message read: "We were ordered to install the software. So I have to come to this website and curse. After we installed the software, many normal websites are banned."

The forum was taken down after it was seemingly flooded with complaints. A message on the site says it is being "upgraded".

Mr Mao told BBC News that he believed there was a new guideline from the country's central propaganda department "to comb all media and online forums to block critics and discussion over the issue."

Firewall flaw

The government may be keen to shut down discussion to quell rumours that the system could be used to monitor its citizens.

"Once you have got government-mandated software installed on each machine, the software has the keys to the kingdom - anything can be logged or affected," said Professor Jonathan Zittrain, also of Harvard's Berkman Center.

"While the justification may be pitched as protecting children and mostly concerning pornography, once the architecture is set up it can be used for broader purposes, such as the filtering of political ideas."

In particular, the system could be used to report citizens' web habits.

"It creates a log file of all of the pages that the user tries to access," Mr Maclay told BBC News.

"At the moment it is unclear whether that is reported back, but it could be."

A Twitter user in China claims that the software transmits reports to Jinhui - the maker of the software - when the user tries to access blacklisted websites.

However, Zhang Chenmin, general manager of the developer of Green Dam, told the China Daily newspaper last year: "Our software is simply not capable of spying on internet users, it's only a filter."

Although many countries around the world routinely block and filter net content, China's regime is regarded as particularly severe.

"There is no transparency about what they are blocking," said Mr Maclay.

Free speech campaigners are concerned that the list could be tweaked to suit the government's aims.

Recently, there has been a web blackout across China in advance of the 20th anniversary of the Tiananmen Square massacre.

Websites such as Twitter and the photo-sharing site Flickr were blocked in an attempt by the government to prevent online discussion on the subject.

However, some users were able to bypass the filters to distribute pictures and commentary including links to photos of plain-clothes policemen blocking the lenses of foreign journalists with their umbrellas.

The country is able to take action like this because it already has a sophisticated censorship regime, including the so-called Great Firewall of China. However, it is known to have some flaws.

A 2007 study by US researchers showed that the system was much more porous than previously thought.

It found that the technology often failed to block content banned by the Chinese government, allowing web users to browse unencumbered at least some of the time.

Filtering and blocking were "particularly erratic", they said, when large numbers of people were online in China.

Despite the failures, the researchers said, the idea of the firewall was more effective than the technology at discouraging talk about banned subjects.

This kind of social pressure was also key to another tactic used by the Chinese government to make sure its citizens only use sanitised portions of the web.

In 2007, the government introduced virtual policemen that pop up onscreen when web surfers visit many of China's popular websites to remind them to stay away from illicit content.

In addition, the government expects internet service providers in China to actively monitor and censor published content, such as blogs.

Experiments have suggested that this approach is hit-and-miss, with some organisations more proactive than others.

However, these systems, combined with the new software, will allow the Chinese government to sanitise the web for most of the 300m of China's 1.3bn population who have access to the net.

"I think this is intended as a sort of belt-and-braces approach," said Professor Zittrain.

source: http://news.bbc.co.uk/2/hi/asia-pacific/8094026.stm
