WIRED:China's 'Green Dam' program for the country's PCs is nothing more than censorware, writes DANNY O'BRIEN
THE COMPUTER security experts have a saying: if an attacker gains physical access to your computer, all bets are off. You can run the most clever, most private, encrypted, super-secure application in the world, and use the longest password you can cram onto a Post-It note – but if someone gets hold of your PC without you knowing, your data is toast.
Your assailant might drop a keylogger (a program that records every key you type) to save and monitor your password.
They could replace that ultra-secure program with one of their own devising. Your assailant could monitor every byte you send over the networks.
Give a cracker an hour with your machine, and you’ll never be safe again – at least until you’ve reformatted the thing from CD, and started from scratch.
No business user would or should accept such vulnerability. Which is why, I hope, businesses that are based or work in China should be hitting the roof around about now. Last weekend, the Wall Street Journal reported that China’s ministry of industry and IT has declared that from the beginning of July, all PCs should have a government-mandated program installed before they are sold in the country.
Such an order is tantamount to letting the Chinese authorities physical access to your business computers. It will give them the same powers as any cracker: potentially to record your key presses, monitor your communications, even scan your hard drive.
The program the government wishes to be installed is called “Green Dam”, and in its current form is censorware: it blocks websites that its parent company, Jinhi, has deemed to be unsuitable for viewing. Its current primary use is in Chinese schools, and the main content that it targets for blocking is pornographic websites.
But by making its installation obligatory on all domestic PCs, the Chinese government has instantly created a backdoor for almost any kind of intrusive censorship and surveillance system they choose to create. Even if Green Dam’s software is relatively innocuous now, a simple remote software update could widen its brief – from blocking political sites, to collecting information on any Chinese citizen or foreign business.
It’s not as if China’s authorities have been above pulling similar tricks in the past. The local Chinese version of Skype was found to have had new code placed in it that handed over private IM conversations to an unknown third party. Tibetan dissidents have found themselves tracked and monitored by trojan keylogging software that seems specifically targeted at them as a group.
Western countries have planned or defended similar software, aimed by law enforcement at suspects during police investigations. The FBI uses keylogging software as part of its wiretapping arsenal; the Bavarian government has been caught looking for client code that can crack Skype’s encryption.
The United States and German plans are bad enough: by using such software they risk collecting far more data than their warrants or court procedures permit. But China’s plan to install such software on every PC on the mainland goes far beyond this. And, indeed, it may be a step too far, even for China’s generally compliant domestic PC industry.
In the late 1990s, China announced it would restrict the use of cryptography in PC software. The plan, presumably, was to curtail any parties who used cryptography to hide their communications from the government. Microsoft and others pointed out that this would require weakening business software so greatly that criminals (and foreign governments) would be able to spy on Chinese companies and state communications. Rather than making China safer, it would permanently ruin the mainland’s domestic security.
The same is true of this new plan. A government-mandated backdoor provides an opening not just for abuse by the Chinese state, but a weakness that others can exploit.
It provides, in the words of those security experts again, a large “surface” for independent crackers to probe for vulnerabilities and attack.
That’s especially true if China insists that its software cannot be removed, or puts pressure on anti-virus companies to add it to a whitelist of “permitted” spyware. When Sony Music put secret malware on its CDs to prevent customers from copying its music onto their iPods, others used that code as a shield to insert their own malicious software onto users’ PCs.
I’m sure there are many criminals just waiting to claim in phoney e-mails that their attachment is the “Green Dam” that the government requires you to install.
However, companies within and outside China have begun to fight back against the proposal. Dell, one of the largest distributors of PCs in China, says it will only install the software if it can be turned off, and only blocks pornography. Others have expressed outrage at the lack of consultation and the tight deadline.
In the end, China listened to Microsoft and other experts and agreed to allow cryptography to be used without restriction in domestic software.
I hope they have the sense to back down from this intrusive proposal: the confidence of their business sector and their country’s security depend on it.