Friday, July 29, 2016

Wooyun management arrested in China for disclosing vulnerabilities to the gov

I blogged earlier that Wooyun was forced to shut down, amid rumors that its management had been arrested for reporting vulnerabilities in government assets.

This has now been confirmed by Southern Weekly. It marks a huge step backwards for information security in China. Rather than rewarding white hats who submit issues to a vulnerability disclosure platform, the government took the shocking approach of shutting the platform down. Arresting a white hat for penetrating a system, regardless of intent, might be justified in a legal sense, but shutting down a platform that itself performs no hacking is just ridiculous. Without a vulnerability disclosure platform, white hats, let alone black hats, are more likely to sell vulnerabilities on the grey market. Even when white hats try to contact the asset owner to get a vulnerability patched, such notifications are commonly ignored in China. The end result is that many more vulnerabilities will go unpatched because of the government's hostile attitude.

In China, we have a saying that it's much easier to deal with the people who raise an issue than with the issue itself. You can see this attitude in many political events, and I am not surprised by it at all. But this time the gov goes one step further: it is not even dealing with the people who raise the issue, but with the messenger. This is truly 掩耳盗铃 (plugging one's own ears while stealing a bell).


Thursday, July 21, 2016

Wooyun, the most famous white-hat vulnerability disclosure website in China, forced to shut down

On July 20, Wooyun, the most famous white-hat vulnerability disclosure website in China, became inaccessible. Later in the day, the site posted a bizarre notice saying that the Wooyun system was undergoing an update and that people should listen to Wooyun rather than to rumors.


As most Chinese know, "system update" or "system maintenance" very often means that the site has been shut down, temporarily or permanently, by the government. Rumor has it that the senior management of Wooyun were taken away by the police. Such rumors are censored on sites such as Zhihu.

But the reason is not clear, and there are several guesses.

Information analysis platform of a public security research institute

On July 19, someone submitted a vulnerability regarding arbitrary code execution in the analysis platform of 公安部一所 (a Ministry of Public Security research institute).

The Baidu cache of this page has been reset by the GFW, indicating possible government action.

SQL Injection on the United Front Work Department

On July 18, someone submitted a vulnerability regarding SQL injection in 中央统战部 (the United Front Work Department).

This vulnerability disclosure page is not indexed by Baidu, indicating possible censorship.

SQL injection in the Beijing Center for Disease Control and Prevention and Beijing hospitals

On May 20, someone submitted a vulnerability regarding SQL injection in 北京疾控中心 (the Beijing Center for Disease Control and Prevention) and hospitals in Beijing. The hacker obtained sensitive data on various hospitals, as shown below.






Vulbox, another famous platform, has stopped accepting new vulnerability reports.







Thursday, June 30, 2016

China cracks down on mobile games

On May 24, 2016, the State Administration of Press, Publication, Radio, Film and Television published new regulations requiring all mobile games to obtain a license from the agency before publication. On June 30, Apple notified Chinese game developers that they are required to fill in the license number and date of approval when submitting games to the App Store.


Obtaining a permit for a game is a long and bureaucratic process. First, the applicant has to hold an Internet publication license even to qualify for the process; this takes months to obtain and virtually disqualifies all individual developers and all foreign companies. Second, the game has to be submitted to the government for approval, and it has to be submitted again after any significant content change. After the game is released, the applicant is also required to provide statistics about the game to the government.

These regulations basically ban all individual game developers and foreign games and create significant obstacles for moderate to large gaming companies. They lengthen the release cycle significantly and impose strong censorship on games. Games that reference politics, history or any other sensitive subject basically have zero chance of being approved.

Friday, June 24, 2016

China's censorship order to Github caused a Streisand effect

Recently, the Chinese gov sent a censorship order to Github demanding the removal of political content. Github complied and restricted access from China. However, Github also posted the censorship request publicly, making it one of the few publicly available censorship orders directed at a foreign company.

The content in question was posted on March 9, 2016 and received little attention and no replies. However, after the removal order and the restriction of the content from China, it received 166 comments, some from people who visited it because of the international exposure. The content has even been translated into English.

Even though the content cannot be accessed in China, copies of it have already been made in other repos (copy 1, copy 2, copy 3). Those copies are still accessible in China. Interestingly, those copies are hosted in repos that were DDoSed by the Great Cannon last year. It remains to be seen whether China will send another take down request to Github, DDoS Github, block Github, or do nothing, to prevent a further Streisand effect.

Wednesday, June 22, 2016

Cyberspace Administration of China sent a take down request to Github

What happened? 

According to Github's official gov-takedowns repo, the Cyberspace Administration of China sent a take down request to Github on June 8, 2016. The request is reproduced below.

Cyber Security Association of China
To whom this might be concerned at GitHub:
The post at https://github.com/programthink/zhao/issues/38 vilifies our President Xi as a murder suspect, which is a groundless and malicious slander. We hereby express our strong concern and request you to take it off your website at the earliest time possible.
Cyber Security Association of China
June 8, 2016
Address: No.190 Chaoyangmennei Street, Dongcheng District, Beijing. Zip Code: 100010

The content that was requested to be taken down is reproduced below (translated from the original Chinese).

Xi Jinping is a major murder suspect

While going through Xi Jinping's records we found that Xi Jinping has a half-brother by a different mother, Xi Zhengning (習正寧, originally named Xi Fuping 習富平), about whom the records are vague. What can be found is this: he graduated from the University of Science and Technology of China in automatic control, worked for 13 years at a defense research institute in a mountain valley in Hu County, Shaanxi, later entered the Organization Department of the Shaanxi Provincial Party Committee as deputy head, was then transferred to Hainan Province as secretary for politics and law and concurrently head of the Department of Justice (some say his post at the time of his death was president of the Hainan Lawyers Association), and died of a sudden heart attack on November 27, 1998, aged 57.
We suspect that Xi Zhengning's death from heart disease was faked, and that the truth is that Xi Jinping murdered his half-brother. The suspicious points are as follows:
1. Heart disease usually has a congenital, hereditary component, but Xi Zhengning's father Xi Zhongxun lived to 89 and his mother Hao Mingzhu, a rural woman, lived to 90; the family has no history of heart disease. The records' use of the word "sudden" also indicates that Xi Zhengning had no prior history of heart disease.
2. Xi Zhengning graduated from USTC in automatic control, lived simply, was upright, and had no habits of feasting, drinking, whoring or gambling; how could he develop heart disease in his fifties? If he had died of overwork from diligent service to the Party, why do the Party media not commemorate his deeds?
3. Judging by physique, Xi Jinping looks less healthy than Xi Zhengning; if anyone were to develop heart disease, Xi Jinping would be the more likely one.
4. Regarding Xi Zhengning's mother, the records say: "Hao Mingzhu married Xi Zhongxun, then chairman of the Shaanxi-Gansu Border Region Soviet, in December 1935. After nine years together they divorced in October 1943 because of differences in temperament. At 28 Hao Mingzhu was still young and beautiful, but she never remarried, and alone raised the 3 surviving children of her 5." As for Xi Zhongxun's second wife: "Qi Xin (1926- ) met Xi Zhongxun in April 1943. In the winter of 1943 the two discussed marriage. They married on April 28, 1944 at the Suide Prefectural Committee and had four children." Xi Zhongxun took up with Qi Xin before divorcing Hao Mingzhu, and married Qi Xin immediately after the divorce; Qi Xin is 10 years younger than Hao Mingzhu. In today's terms, Qi Xin was a mistress who displaced the wife. That Hao Mingzhu, abandoned at only 28, raised three children alone and never remarried is very unusual. One reason may be that she was rather traditional and still had feelings for Xi Zhongxun; another very likely reason is that she pinned her hopes on the three children she had with Xi Zhongxun, especially Xi Zhengning, hoping he would carry on his father's career.
Within the Chinese Communist Party, an irregular claim to legitimacy is the greatest taboo. Xi Jinping and his siblings are all children of the mistress, which does not sound good at all; Xi Jinping sees himself as Xi Zhongxun's successor and would not permit a collateral branch of his family.
5. Xi Zhongxun opposed his children relying on connections and back doors, and once personally cancelled Xi Zhengning's transfer order to Beijing. Xi Zhengning's work was always steadier and more solid than Xi Jinping's and he was honest; had Xi Zhengning not died, he would very likely have been transferred to Beijing after Xi Zhongxun's death, in which case Xi Jinping's dream of supreme power would have been over. Therefore, getting rid of his brother Xi Zhengning was the only choice, and it had to be done before his father died. After Xi Zhengning's death, Xi Jinping would certainly receive attention. Xi Zhongxun died in 2002; in 1998 his health must already have been failing, which was exactly the right moment for Xi Jinping to act.
6. The brothers Xi Zhengning and Xi Jinping both went south at about the same time in the 1980s. In 1998 Xi Zhengning was head of the Department of Justice in Hainan, while Xi Jinping had already worked in Fujian for more than a decade, serving as deputy secretary of the provincial Party committee and first political commissar of the Fujian anti-aircraft artillery reserve division, and before that as political commissar of the Fuzhou military sub-district, so he had a military background. Fujian is very close to Hainan, and with military connections he had the capability and the means to get rid of his brother.
7. Xi Zhengning described his younger brother Xi Jinping as "not only able to endure hardship and quick-witted, but good at handling things, and on very good terms with both superiors and subordinates" (see http://www.boxun.com/news/gb/china/2010/11/201011030518.shtml), which shows that Xi Jinping is a master of scheming and flattery, for whom illegal dealings are no trouble at all.
8. During the Cultural Revolution Xi Jinping was persecuted alongside his father. When sent down to the countryside, to ward off bedbugs he spread "666" insecticide powder under his sleeping mat; his younger brother Xi Yuanping visited him, slept there one night and broke out in blisters all over, and after returning home his skin ulcerated all over his body. Xi Jinping suffered at the hands of the communist bandits back then, and inhuman torment in youth can twist a person's mind.
9. Xi Jinping is surely the hidden hand behind the cross-border abduction of the five Hong Kong booksellers back to China. This fully shows that Xi Jinping does not act by normal rules and is lawless; as long as he holds power, he will stop at nothing.
10. A comparable case is the fallen former CCP leader Bo Xilai: Bo let his wife poison the British businessman and afterwards disguised it as death from excessive drinking, and Wang Lijun also said Bo would have killed him had he not fled, which shows how ruthless these leaders are. Xi Jinping is in some ways very like Bo Xilai. In 1998 forensic techniques were not yet mature, so it is quite possible that Xi Jinping had Xi Zhengning murdered and disguised it as heart disease.
11. Xi Zhengning died in the middle-to-late period of reform and opening, nine years after the 1989 student movement, when the princelings relied on family power to do business and profiteer in the south, acting with impunity. The Xi family holds large corporate assets along the southern coast, and two of his sisters hold foreign citizenship, showing that the Xi family is deeply corrupt and may be engaged in illegal dealings.
12. Since taking power, Xi Jinping has seemed very anxious and eager to consolidate power, behaving quite unlike other leaders. What is he afraid of? Is it that he lives in constant dread because of a murder he committed?
13. The Xi family kept Xi Zhengning's death from Xi Zhongxun until the old man passed away in 2002. They said it was "for fear Xi Zhongxun could not bear the blow", but in fact this reveals the relationships within the family: Xi Zhongxun must have valued his eldest son greatly, who was after all his own flesh and blood, while Xi Jinping and the siblings born to Qi Xin were on bad terms with their half-brother.
14. No record has been found of Xi Zhengning marrying or starting a family; if he was single, no family member would have been present at his death, and the dead cannot testify.
15. The Hong Kong booksellers were collectively abducted across borders by the CCP ultimately because they published books exposing the Xi family. Had they been allowed to keep digging, Xi Jinping's old crime might well have been exposed, so Xi Jinping ordered them taken down at any cost.
16. Further searching on Xi Zhengning shows that in his youth he was placed in Xi Zhongxun's home province of Shaanxi and groomed as a key cadre. As family, the Xi family has never published a single word about Xi Zhengning; online there are only a few memoirs by Xi Zhengning's former colleagues and friends, e.g. http://www.huxianbbs.com/thread-56560-1-1.html
In sum, Xi Jinping is strongly suspected of killing his half-brother. We surmise that Xi Jinping hired military personnel to go to Hainan, with a military doctor among the killers. Xi Zhengning was honest and rule-abiding, would have had no guard up, held a modest post and had no bodyguards. After entering the house and subduing Xi Zhengning, the killers injected some drug into him that stopped his heart, staging the scene as a sudden heart attack.
Ling Jihua is a very shrewd man; as director of the General Office, had he noticed the suspicious points above, he may have investigated Xi Jinping and obtained evidence of Xi Jinping's old murder.
If Wang Qishan is sincere about fighting corruption, he should first thoroughly investigate the Xi family's corruption and get to the bottom of the suspected case of Xi Jinping killing his brother in a power struggle!


What does it mean? 

It is very, very rare for the CAC to send a take down request to a foreign company. The reason the CAC issued this take down request is probably the earlier, unsuccessful DDoS attack on Github by the Great Cannon. Despite days of outages, Github, the company under attack, refused to take down content that was offensive to the Chinese government. It eventually employed various technical countermeasures, including Akamai, to fend off the attack while keeping the offending content up.

The Great Cannon incident drew international attention and probably prompted the gov not to repeat such attacks, hence the take down request.

As of this moment, the content, and in fact the entire repo, cannot be viewed when accessing from China. It can be accessed normally from outside China.


The GFW cannot selectively block this content without blocking all of Github, because Github uses HSTS: every connection is forced over HTTPS, so the GFW can see only the hostname, not which repo or issue is being fetched.

The content is posted in Program Think's repo. Program Think is a very famous blogger in China who remains anonymous while posting about computer science, politics and philosophy.

We will see the Chinese gov's next move when they notice that the content has not been taken down and that their take down request has been posted publicly by Github.





Saturday, June 18, 2016

WSJ Chinese and Reuters Chinese have zero coverage of Lam Wing-kee's story

While Lam Wing-kee's story is attracting international attention from media inside and outside China, WSJ Chinese and Reuters Chinese have literally zero coverage of the news.




In contrast, NYTimes Chinese, FT Chinese and SCMP Chinese all have extensive coverage of the story. Notably, FT Chinese is currently not blocked in China and should have the most incentive to self-censor and suppress related reporting; SCMP Chinese is currently owned by Alibaba's Jack Ma, a famous entrepreneur in the mainland. Despite such pressure, all of the above media carried out candid reporting on Lam Wing-kee's story.


Perhaps more notably, even Chinese state media have reported on Lam Wing-kee's story. Global Times published an article recounting Lam Wing-kee's story while criticizing him for not providing any evidence. The article was later deleted. Mainstream Chinese media also reported on the story, unsurprisingly all taking the government's side. But they do still have reporting on it.


The international English editions of WSJ and Reuters both reported widely on Lam Wing-kee. It is unfathomable why WSJ Chinese and Reuters Chinese would have no coverage at all, if not for self-censorship.

Friday, May 27, 2016

All of Tumblr blocked in China because of a 29s porn video

What happened?

Tumblr has been officially blocked in China since yesterday, joining the long block list of similar services such as WordPress, Blogspot, etc. Blogger and Google Sites have been blocked since 2009, and WordPress joined them in 2011. Almost all foreign web services that involve user-generated content have been blocked in China, including Facebook, Twitter, YouTube and Instagram. The GFW clearly noticed political content on Tumblr years ago but somehow decided not to block all of Tumblr until now. According to Alexa, Tumblr is ranked 153 in China, rather high for a foreign website.

I'm not shocked at all that Tumblr is finally blocked. In fact, the opposite is true: I'm very surprised that Tumblr was not blocked until now. Many individual blogs on Tumblr have long been blocked. fqrouter.tumblr.com, the Tumblr of the famous circumvention tool fqrouter, has been blocked since 2013; fubaichina.tumblr.com, or Corruption China, has been blocked since 2014.

Reason behind the block

Tumblr is probably blocked because of 陆家嘴不雅视频 (the "Lujiazui indecent video"). It refers to a 29-second porn video that spread like crazy on Chinese social networks and was later reported by major media and newspapers. The video was deleted by censors on the Chinese social networks. But the original video came from stalkeryan{.}tumblr{.}com (NSFW), and that Tumblr supposedly hosted the full version of this video and many others like it. The blog posts on Tumblr have been deleted, but the video is still available if accessed directly: vt{.}tumblr{.}com/tumblr_o40da56RLU1v5eoup_480{.}mp4 (NSFW)

This is the first time a major website has been blocked for non-political reasons.

Technical details

Tumblr is blocked by:
1) Connection reset based on a blacklist. ".tumblr.com" is blacklisted, and any URL containing that string triggers blocking by the GFW.
2) DNS poisoning based on the blacklist entry ".tumblr.com" plus an exact match on "tumblr.com". Any subdomain of Tumblr, such as "randomstuff234123.tumblr.com", triggers the GFW to inject a fake DNS response.

These are the most severe blocking methods. The GFW could have chosen to block only the specific subdomain of the offending Tumblr, as it did before, but the GFW probably thinks enough is enough and decided to block all of it.
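As an added illustration (not code from the original post), the following model encodes the two blocking rules just described and the HTTPS/HSTS point made in the Github post above: the keyword rule only sees what an on-path filter can read, which is the full URL for plain HTTP but only the hostname for HTTPS. All hostnames and URLs in the block are constructed samples, not real measurements.

```python
# Added example: a model of the two GFW rules described for tumblr.com,
# plus why HTTPS/HSTS defeats path-level keyword blocking. Sample URLs are constructed.
from urllib.parse import urlsplit

# Rule 1 (connection reset): substring match on the plaintext request.
RST_KEYWORDS = (".tumblr.com",)
# Rule 2 (DNS poisoning): any subdomain of tumblr.com, or the apex name itself.
DNS_SUFFIXES = (".tumblr.com",)
DNS_EXACT = {"tumblr.com"}


def dns_poisoned(hostname: str) -> bool:
    """True if a DNS query for this name would get a forged answer injected."""
    h = hostname.lower().rstrip(".")
    return h in DNS_EXACT or any(h.endswith(s) for s in DNS_SUFFIXES)


def dpi_visible_text(url: str) -> str:
    """What an on-path filter can actually read for this request.

    Plain HTTP exposes the whole request, so the full URL is matchable.
    HTTPS (which HSTS forces) exposes only the hostname via TLS SNI; the path
    and query are encrypted, which is why one Github issue cannot be blocked
    without blocking github.com entirely.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return parts.hostname or ""
    return url


def rst_injected(url: str) -> bool:
    """True if the keyword blacklist would trigger a TCP reset for this request."""
    text = dpi_visible_text(url).lower()
    return any(k in text for k in RST_KEYWORDS)


def classify(url: str) -> dict:
    """Report which of the two mechanisms a fetch of this URL would trip."""
    host = urlsplit(url).hostname or ""
    return {"dns_poisoned": dns_poisoned(host), "rst_injected": rst_injected(url)}


if __name__ == "__main__":
    for u in ("http://randomstuff234123.tumblr.com/post/1",     # subdomain: both rules
              "http://tumblr.com/",                              # apex: DNS rule only
              "http://example.com/?ref=.tumblr.com",             # keyword in URL: RST only
              "https://example.com/?ref=.tumblr.com",            # same URL, encrypted: neither
              "https://github.com/programthink/zhao/issues/38",  # neither
              "http://nottumblr.com/"):                          # lookalike: neither
        print(u, classify(u))
```

Note that the apex "tumblr.com" does not contain the keyword ".tumblr.com", which is exactly why the DNS rule needs its separate exact-match entry.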