Cherish freedom and life: please stay away from "Green Dam"

hshsyysc posted on 2009-9-21 16:50:31
After testing "Green Dam", Scott Wolchok, Randy Yao, and J. Alex Halderman of the Computer Science and Engineering Division at the University of Michigan found that the "Green Dam" software contains serious security vulnerabilities caused by programming errors. Any web site can exploit these vulnerabilities to take control of a computer that has "Green Dam" installed, and use it to steal private data, send spam, or serve as a machine in a botnet. In addition, hackers can also exploit these vulnerabilities to install malicious programs when "Green Dam" updates automatically. These vulnerabilities were found after less than 12 hours of testing of the software. The researchers believe this is only the tip of the iceberg. Because the "Green Dam" software frequently uses unsafe and outdated programming techniques, many other vulnerabilities can easily be introduced. Correcting these problems requires a major rewrite of the software and careful retesting. The researchers recommend that users uninstall "Green Dam" immediately to protect themselves.

If the "Green Dam" software is installed in its current version, it will seriously weaken China's computer security. Although the specific vulnerabilities they found can easily be patched, these known vulnerabilities reflect systemic errors; correcting all the problems requires a large-scale rewrite of the program and comprehensive testing, which is difficult to complete before preinstallation begins on July 1. The full text of the research report:

Summary

We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

……

Conclusion

Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China’s computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China’s July 1 deadline for deploying Green Dam nationwide.
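
Added example, not part of the original post or the researchers' report: the conclusion names sprintf and fscanf as unsafe, so this C code shows their bounded forms (a field width on fscanf, snprintf with a truncation check) applied to a constructed list of host names. HOST_MAX, URL_MAX, the function names and the input format are assumptions of this example and are not taken from Green Dam.

```c
#include <ctype.h>
#include <stdio.h>

#define HOST_MAX 64  /* assumed limits for this example */
#define URL_MAX  32

/* Read one token: 1 = ok, 0 = end of input, -1 = too long (skipped). */
int read_host(FILE *fp, char out[HOST_MAX])
{
    /* "%63s" stores at most HOST_MAX-1 bytes plus NUL; bare "%s" has no limit. */
    if (fscanf(fp, "%63s", out) != 1)
        return 0;
    int c = fgetc(fp);
    if (c == EOF || isspace(c))
        return 1;
    while ((c = fgetc(fp)) != EOF && !isspace(c)) {}  /* drop the remainder */
    return -1;
}

/* snprintf returns the length it needed; >= URL_MAX means truncation. */
int build_url(char out[URL_MAX], const char *host)
{
    int n = snprintf(out, URL_MAX, "http://%s/", host);
    return (n < 0 || n >= URL_MAX) ? -1 : 0;
}

/* Returns the count of usable entries; *rejected counts refused ones. */
int load_list(FILE *fp, int *rejected)
{
    char host[HOST_MAX], url[URL_MAX];
    int ok = 0, r;
    for (*rejected = 0; (r = read_host(fp, host)) != 0; ) {
        if (r < 0 || build_url(url, host) < 0) (*rejected)++;
        else ok++;
    }
    return ok;
}

/* Constructed input: two short names, a 30-byte and a 100-byte token. */
int main(void)
{
    FILE *fp = tmpfile();
    if (!fp) return 1;
    fprintf(fp, "a.example.test\n%030d\n%0100d\nb.example.test\n", 0, 0);
    rewind(fp);
    int rejected, ok = load_list(fp, &rejected);
    printf("accepted=%d rejected=%d\n", ok, rejected);
    fclose(fp);
    return 0;
}
```

The 100-byte token is refused at the read step and the 30-byte token at the formatting step, so neither is silently truncated into a different entry.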