• Home
  • Posts RSS
  • Comments RSS
  • Edit
  • China: Our Internet is Free Enough

    Friday, April 15, 2011
    China, with the most Internet users of any country in the world, has issued its first government whitepaper declaring an overall Internet strategy--one that advocates Internet growth while implicitly defending censorship policies amid global concern over online repression and China-based cyber espionage.
    "I think this whitepaper is a statement that the Chinese Communist Party intends to stay in power, and also intends to expand Internet access, and be on the cutting edge of Internet innovation, and that there isn't any contradiction in any of those things," says Rebecca MacKinnon, a China Internet expert who is a visiting fellow at Princeton University's Center for Information Technology Policy.
    While the document, which comes from Beijing's information ministry, contains no surprises, it is noteworthy as the first complete declaration of its kind from China. It is also clearly--if not explicitly--a response to recent events. Last year China announced it would require computers sold inside China to contain censorship software known as Green Dam, although it later suspended the requirement. And this year Google pulled its search operation out of mainland China, declaring it could no longer comply with censorship requirements after China-based attackers attempted to steal intellectual property and spy on e-mail accounts of human rights activists. Google has also asked the United States to petition the World Trade Organization to recognize Chinese censorship as an unfair trade barrier.
    "The timing of course coincides with the public uproar about Google China and Green Dam software," says Guobin Yang, a China Internet expert and sociologist at Columbia University, and author of the book The Power of the Internet in China. "What is interesting here is that I see this as reflecting part of an effort to promote the government's point of view--a larger strategy of projecting 'soft power.' They want to put out their own position, a defense of their policies and strategies."
    The whitepaper is partly an effort to promote the idea that states can assert sovereignty over and administer the Internet, Yang adds. "It's such big business, such a big part of the Chinese economy," he says. "More and more so, the government has an interest in maintaining growth of this economy, while at the same time it still wants to control the Internet."
    China has nearly 400 million Internet users--nearly one-quarter of the world's total--plus 750 million mobile-phone users, many of whom access the Web from their phones. Despite censorship, Internet-based grassroots campaigns on Chinese social-networking sites have had some targeted successes, such as pressuring the Chinese government to jail corrupt local officials. Referring generally to this kind of activism, the Beijing whitepaper makes a bold assertion: "Chinese citizens fully enjoy freedom of speech on the Internet." Left unstated is that Chinese Internet companies are under government pressure to self-censor, and do so very effectively on a slate of banned topics, including advocacy of democracy, opposition movements, the 1989 Tiananmen Square uprising, and Tibetan independence.
    "This is not the first time the Chinese government has said 'we have free speech in this country, except for the speech that isn't allowed,' and then there's a long list of things that aren't allowed," MacKinnon adds.
    "There is a much broader scope of public discourse happening on the Chinese Internet now than there was in the public sphere before the Internet existed in China," MacKinnon says. "The thing is, it's circumscribed."
    China's statement advertises itself as "providing an overall picture to the Chinese people and the peoples of the rest of the world of the true situation of the Internet in China." It is a synthesis of long-understood positions: China "energetically advocates and actively supports the development and application of the Internet across the country" and sees it as crucial to economic expansion, but also reserves the right to "administer" the Internet.
    "Frankly, I think China is Exhibit A for how authoritarianism will survive the Internet age," MacKinnon says. "I think Americans have this assumption that nondemocratic regimes can't survive the Internet, and I think that's naïve. The Chinese Communist Party fully intends to survive in the Internet age and has a strategy for doing so. So far, it's working."

    credit : technology review

    Giving Hackers a Printed Invitation


    Credit: Technology Review


    Add one more device to the list of things you need to protect from hackers: The humble printer.
    In two separate presentations scheduled for the Shmoocon hacking conference in Washington, D.C., next week, researchers will show how hackers can use printers to compromise a company's computer network. One presentation will reveal how poorly secured printers can even be grouped together to act as online storage for cybercriminals.
    Over the past decade, many ordinary office devices have gained surprising new functionality—nowadays, some printers can send and receive e-mails, and even browse the Web. But Deral Heiland, an independent security consultant who will give one of the presentations, says manufacturers haven't given security nearly the attention it deserves in light of all the new features. "These devices have gone from being standard, simple printers that got on the network to the point where they are totally integrated in the business environment," Heiland says. "And that heavy integration is what makes them a premium target."
    Heiland, who works as a "penetration tester," or someone who attempts to hack in to a company's network under controlled circumstances, was inspired to look for printer flaws and configuration issues.
    At Shmoocon, Heiland will demonstrate a program called "Praeda" (Latin for plunder) that uses a collection of common security flaws and configurations issues—such as default passwords—to gain access to printers from outside a company's network. Vulnerable printers can then be used to compromise the network. Once the tool gets inside the network, it can steal passwords and files, giving it even more access to servers and other devices.
    Heiland says simple configuration issues often make printers vulnerable in this way. For example, many manufacturers do not force users to set a new password to access their device. That means many printers have default passwords that can easily be found in manuals posted online. In addition, printers that can be accessed via a Web browser often run insecure Web server software, allowing a knowledgeable attacker to find usernames and passwords.
    "We have found out that with a lot of printers, that data is not obfuscated very well," Heiland says. "Where it stores the username and password, we can go into the source and find a field with the information in plaintext."
    Mining printers for valuable information is likely to be used real attackers, says Steve Stasiukonis, managing partner with consultancy Secure Network Technologies (SNT), which also conduct penetration tests against firms. "We never leave any printer unturned," he says. "There is enormous amount of wealth resident on those devices. There is data that sits inside the machine that is useful to us."
    Security issues with one brand of printer allowed Ben Smith, another independent researcher, to use the storage space on the devices to create a distributed cloud for storing files. Smith, who asked that the company who makes the printers concerned not be named, will present a program dubbed Print File System, or PrintFS, that automatically finds vulnerable printers via the Internet or in an internal network and turns them into a distributed storage network. The storage space could be used by hackers as a store for malicious programs or other material. Smith found that scanning the Internet for the communication ports used by printers turned up more than enough devices to create a large storage network.
    "PrintFS scans all the devices and determines whether a given printer is capable of supporting storing data," he says. "Depending on the devices, most of the time, you can find 20 to 30 unsecured devices [on a local network] and you can get a gig of storage to 30 gigs of storage."
    Heiland says that "even the printers you have at your house, these multifunction printers, have an ability to do a lot over the Web. They don't integrate as much, but they can do remote printing and remote scanning."
    Both manufacturers and users should take a hard look at any network device, says SNT's Stasiukonis. "If it carries an IP address on your network and it carries an interface on your network, then it should be looked at from a security standpoint," he says.