Last week, computer scientists at the University of Michigan, The Open Net Initiative, and an independent group of Chinese programmers all found serious security flaws in the government-mandated Green Dam-Youth Escort software.
Earlier this week a Chinese official told the China Daily "that all security problems reported by the professors from University of Michigan had been fixed."
Well, not really. The Michigan team has found that while some problems are fixed, more serious security problems remain. Here is the summary of their latest update:
Following our initial analysis, the makers of Green Dam have released at least one security update and two filter updates. These updates address the original web filtering security vulnerability we described above, disable certain blacklists that were copied from the CyberSitter program, and bring the software into compliance with the OpenCV license.
Unfortunately, we have discovered an additional remotely-exploitable security vulnerability in the patched version. Even with the updated version installed, any web site a user visits can exploit this problem to take control of the computer. We continue to recommend that users protect themselves by uninstalling Green Dam immediately.
While Green Dam's developers have patched the software quickly, the program's continuing vulnerability suggests that its security problems run deep. We fear that the deeper problems cannot be resolved in time for the July 1 deadline for PC makers to distribute Green Dam on all new PCs sold in China.
Read the details here.
Also of possible interest is my Op-Ed in yesterday's Asian Wall Street Journal, The Green Dam Phenomenon: Governments everywhere are treading on Web freedoms.
Whether or not Green Dam ends up being mandated, this is not the end - not for China nor for the rest of the world. It's just the beginning. Get ready. I conclude:
It is very encouraging that a coalition of industry groups has pushed back publicly against the Green Dam mandate, calling on the Chinese government to reconsider. But the Green Dam incident is yet another example of why it behooves companies to think ahead about how they are going to uphold their larger responsibility to society. Industry has a choice: be reactive -- and be forced into growing complicity with government censorship and surveillance around the globe. Or be pro-active, develop robust human-rights policies, and consider how to responsibly handle the inevitable pressures by all kinds of governments to serve as national auto-parent, if not auto-cop.
Microsoft has been trying to fix security problems in Windows for over 10 years.
BTW, I’m happy to say that after days of searching, I finally found one article that got it right.
Bundle - what a difference a little word makes (the word escaped me too):
http://blogs.zdnet.com/BTL/?p=19688
“[6/12] the Wall Street Journal reported that China wanted to require PC makers to bundle Green Dam with each unit sold.”
There, this is the only reporting I’m able to find that’s consistent with the 5/19 MIIB announcement. Once again, there’s no government censorship if end users are not required to install or run Green Dam, the filters are configurable, and it does not call the mothership.
Posted by: Charles Liu | June 19, 2009 at 09:20 PM