Friday, July 29, 2016

Wooyun management arrested in China for disclosing vulnerabilities to the gov

I blogged earlier that Wooyun was forced to shut down, amid rumors that its management had been arrested for reporting vulnerabilities in government assets.

This has now been confirmed by Southern Weekly. It marks a huge step backwards for information security in China. Rather than rewarding white hats for submitting issues to a vulnerability disclosure platform, the government took the shocking approach of shutting the platform down. Arresting a white hat for penetrating a system, regardless of intent, might be justified in a legal sense, but shutting down a platform that itself performs no hacking is simply absurd. Without a disclosure platform, white hats, let alone black hats, are more likely to sell vulnerabilities on the grey market. Even when white hats try to contact the asset owner to get a vulnerability patched, such notifications are commonly ignored in China. The end result is that many more vulnerabilities will remain unpatched because of the government's hostile attitude.

In China we have a saying that it is much easier to deal with the people who raise an issue than with the issue itself. You can see this attitude in many political events, and I am not surprised by it at all. But this time the government went one step further: it is not even going after the people who raised the issues, but after the messenger. This is truly 掩耳盗铃 (covering one's ears while stealing a bell, i.e. self-deception).

Thursday, July 21, 2016

Wooyun, the most famous white-hat vulnerability disclosure website in China, forced to shut down

On July 20, Wooyun, the most famous white-hat vulnerability disclosure website in China, became inaccessible. Later in the day the site posted a bizarre notice saying that the Wooyun system was undergoing an upgrade and that people should listen to Wooyun rather than to rumors.

As most Chinese know, "system update" or "system maintenance" very often means that a site has been shut down, temporarily or permanently, by the government. Rumor has it that Wooyun's senior management were taken away by the police. Such rumors are being censored on sites such as Zhihu.

But the reason is not clear, and there are several guesses:

Information analysis platform at the Ministry of Public Security

On July 19, someone submitted a report of arbitrary code execution in the analysis platform of 公安部一所 (the First Research Institute of the Ministry of Public Security).

The Baidu cache of the report page was reset by the GFW, indicating possible government action.

SQL injection in the United Front Work Department

On July 18, someone submitted an SQL injection vulnerability in 中央统战部 (the Central United Front Work Department).

The disclosure page for this vulnerability is not indexed by Baidu, indicating possible censorship.

SQL injection in the Beijing Center for Disease Control and Prevention and Beijing hospitals

On May 20, someone submitted an SQL injection vulnerability in 北京疾控中心 (the Beijing Center for Disease Control and Prevention). The hacker obtained sensitive data on various hospitals, as shown below.

Vulbox, another well-known platform, has stopped accepting new vulnerability reports.

Thursday, June 30, 2016

China cracks down on mobile games

On May 24, 2016, the State Administration of Press, Publication, Radio, Film and Television published new regulations requiring all mobile games to obtain a license from the agency before publication. On June 30, Apple notified Chinese game developers that they are required to fill in the license number and date of approval when submitting games to the App Store.

Obtaining a permit for a game is a long and bureaucratic process. First, the applicant has to hold an Internet publishing license even to qualify, which takes months to obtain and virtually disqualifies all individual developers and all foreign companies. Second, the game has to be submitted to the government for approval, and resubmitted whenever a content change is significant. After release, the applicant is also required to report statistics about the game to the government.

These regulations effectively ban all individual game developers and all foreign games, and create significant obstacles for moderately large gaming companies. They lengthen the release cycle significantly and impose strong censorship on games. Games that reference politics, history or any sensitive subject have essentially zero chance of approval.

Friday, June 24, 2016

China's censorship order to Github caused a Streisand effect

Recently, the Chinese government sent a censorship order to Github demanding the removal of political content. Github complied by restricting access to the content from China. However, Github also posted the request publicly, making it one of the few publicly available censorship orders directed at a foreign company.

The content in question was posted on March 9, 2016 and received little attention and no replies. After the removal order and the geo-restriction, however, it received 166 comments, some from people who found it only because of the international exposure. The content has even been translated into English.

Even though the content cannot be accessed from China, copies have already been made in other repos (copy 1, copy 2, copy 3), and those copies are still accessible in China. Interestingly, those copies are hosted in the repo that was DDoSed by the Great Cannon last year. It remains to be seen whether China will send a take-down request to Github, DDoS Github, block Github, or do nothing, to prevent a further Streisand effect.

Wednesday, June 22, 2016

Cyberspace Administration of China sent a take-down request to Github

What happened? 

According to Github's official gov-takedowns repo, the Cyberspace Administration of China (the letter itself is signed "Cyber Security Association of China") sent a take-down request to Github on June 8, 2016. The request is reproduced below.

Cyber Security Association of China
To whom this might be concerned at GitHub:
The post at vilifies our President Xi as a murder suspect, which is a groundless and malicious slander. We hereby express our strong concern and request you to take it off your website at the earliest time possible.
Cyber Security Association of China
June 8, 2016
Address: No.190 Chaoyangmennei Street, Dongcheng District, Beijing. Zip Code: 100010

The content requested to be taken down is reproduced below (translated from Chinese).

4. Regarding Xi Zhengning's mother, the archive states: "Hao Mingzhu married Xi Zhongxun, then chairman of the Shaanxi-Gansu Border Region Soviet, in December 1935. After nine years together they divorced in October 1943 because of differences in temperament. Hao Mingzhu, then 28, was still young and beautiful, but she never remarried and alone, with great hardship, raised the three surviving children of her five." As for Xi Zhongxun's second wife: "Qi Xin (1926- ) met Xi Zhongxun in April 1943. In the winter of 1943 the two discussed marriage. They married on April 28, 1944 at the Suide Prefectural Committee and had four children together." Xi Zhongxun had already taken up with Qi Xin before he divorced Hao Mingzhu, and married Qi Xin immediately after the divorce; Qi Xin is ten years younger than Hao Mingzhu. In today's terms, Qi Xin was a mistress who displaced the wife. That Hao Mingzhu, abandoned at only 28, raised three children alone and never remarried is very unusual. One reason may be that she was rather traditional and still had feelings for Xi Zhongxun; another, very likely, is that she pinned her hopes on the three children she had with Xi Zhongxun, especially Xi Zhengning, hoping he would carry on his father's career.
7. Xi Zhengning described his younger brother Xi Jinping as "not only able to endure hardship, quick-witted and resourceful, but also very good at handling relationships with both superiors and subordinates" (see ), which shows that Xi Jinping is thoroughly skilled at scheming and flattery, and that engaging in illicit dealings would be nothing to him.

What does it mean? 

It is very, very rare for the CAC to send a take-down request to a foreign company. The reason for this request is probably the previous, unsuccessful DDoS attack on Github by the Great Cannon. Despite days of outages, Github refused to take down the content that was offensive to the Chinese government, and eventually deployed various technical countermeasures, including Akamai, to fend off the attack while keeping the content up.

The Great Cannon incident drew international attention and probably prompted the government not to repeat such attacks, hence the take-down request.

As of this moment, the content, and in fact the entire repo, cannot be viewed when accessed from China. It can be accessed normally from outside China.

The GFW cannot selectively block this content without blocking all of Github, because Github serves everything over HTTPS and enforces it with HSTS: a middlebox on the path sees only the hostname (in the DNS query and in the TLS SNI field), never the repository path or the page body, so there is nothing finer than github.com for a keyword or URL filter to match on.

The content is posted in Program Think's repo. Program Think is a very well-known blogger in China who remains anonymous while posting about computer science, politics and philosophy.

We will see the Chinese government's next move once it notices that the content has not been taken down and that its take-down request has been posted publicly by Github.

Saturday, June 18, 2016

WSJ Chinese and Reuters Chinese have zero coverage over Lam Wing-kee's story

While Lam Wing-kee's story is attracting international attention from media inside and outside China, WSJ Chinese and Reuters Chinese have had literally zero coverage of the news.

In contrast, NYTimes Chinese, FT Chinese and SCMP Chinese all have extensive coverage of the story. Notably, FT Chinese is currently not blocked in China and should have the most incentive to self-censor and suppress related reporting; SCMP Chinese is owned by Alibaba's Jack Ma, a famous mainland entrepreneur. Despite such pressure, all of the above outlets reported candidly on Lam Wing-kee.

Perhaps more notably, even Chinese state media has reported on Lam Wing-kee's story. Global Times published an article recounting it while criticizing Lam Wing-kee for providing no evidence; the article has since been deleted. Mainstream Chinese media also reported on the story, unsurprisingly all taking the government's side, but they did at least report on it.

The English-language international editions of WSJ and Reuters both reported widely on Lam Wing-kee. It is unfathomable why WSJ Chinese and Reuters Chinese would have no coverage at all, if not for self-censorship.

Friday, May 27, 2016

All of Tumblr blocked in China because of a 29-second porn clip

What happened?

Tumblr has been officially blocked in China since yesterday, joining the long block list of similar services such as WordPress, Blogspot, etc. Blogger and Google Sites have been blocked since 2009, and WordPress joined them in 2011. Almost all foreign web services that involve user-generated content have been blocked in China, including Facebook, Twitter, YouTube and Instagram. The GFW clearly noticed political content on Tumblr years ago but somehow decided not to block all of Tumblr until now. According to Alexa, Tumblr is ranked 153 in China, rather high for a foreign website.

I'm not shocked at all that Tumblr is finally blocked. In fact the opposite is true: I'm very shocked that Tumblr was not blocked until now. Many individual blogs on Tumblr have been blocked for years: the Tumblr of the famous circumvention tool fqrouter has been blocked since 2013, and Corruption China has been blocked since 2014.

Reason behind the block

Tumblr was probably blocked because of 陆家嘴不雅视频 (the "Lujiazui indecent video"), a 29-second porn clip that spread like wildfire on Chinese social networks and was later reported by major media and newspapers. The video was deleted by censors on the Chinese social networks, but the original came from stalkeryan{.}tumblr{.}com (NSFW), which supposedly hosted the full version of this video and many others like it. The Tumblr posts have been deleted, but the video is still available when accessed directly: vt{.}tumblr{.}com/tumblr_o40da56RLU1v5eoup_480{.}mp4 (NSFW)

This is the first time a major website has been blocked for non-political reasons.

Technical details

Tumblr is blocked by two mechanisms:
1) Connection reset based on a keyword blacklist. "" is blacklisted, and any URL containing that word causes the GFW to inject TCP RST packets into the connection.
2) DNS poisoning based on a blacklist entry "" (substring match) and an exact-match entry "". Any subdomain of tumblr such as "" causes the GFW to inject a forged DNS response.

These are the most severe blocking methods available. The GFW could have chosen to block only the specific subdomain of the offending tumblr, as it did before, but it probably decided that enough is enough and blocked all of it.
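The DNS side of this can be observed from outside the affected network, and here is an added example of how (code written for this post, not from any censorship-measurement project or from the GFW itself). It builds DNS responses on the wire format, parses them back, and labels a set of captured answers to one query as genuine or injected using two heuristics measurement tools rely on: an injector on the path answers before the real resolver, and it rarely reproduces the IP TTL of packets the real resolver sends. The `baseline_ttl` parameter stands for a prior measurement of the resolver's TTL on an uncensored name and is an assumption of this example; all packets, addresses (RFC 5737 documentation ranges) and timings in `SAMPLE_CAPTURES` are constructed, not captured.

```python
import struct
from dataclasses import dataclass


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Return (name, next_offset); follows RFC 1035 compression pointers."""
    labels, jumped, next_offset, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                next_offset = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_offset if jumped else offset)


def build_a_response(txid, qname, addrs, ttl=300):
    """Constructed response: one question, one A record per address,
    owner name compressed to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in a.split("."))
        for a in addrs)
    return header + question + answers


def parse_a_response(data):
    """Return (txid, question name, [A record addresses]) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                     # qtype, qclass
    for _ in range(an):
        _owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return txid, qname, addrs


@dataclass
class Capture:
    t_ms: float      # arrival time relative to the query
    src: str         # source IP of the UDP packet
    ip_ttl: int      # IP TTL of the packet as received
    data: bytes


def classify(query_txid, query_name, resolver_ip, captures, baseline_ttl=None):
    """Label each captured response as genuine, injected or ignored. With a
    baseline TTL the TTL check decides; otherwise, when answers disagree,
    the one that arrived first is taken as the injector's (it sits nearer)."""
    verdicts, candidates = {}, []
    for i, c in enumerate(captures):
        try:
            txid, qname, addrs = parse_a_response(c.data)
        except (ValueError, IndexError, struct.error):
            verdicts[i] = "ignored: unparseable"
            continue
        if txid != query_txid or qname.lower() != query_name.lower().rstrip("."):
            verdicts[i] = "ignored: txid or question mismatch"
        elif c.src != resolver_ip:
            verdicts[i] = "injected: source is not the resolver queried"
        else:
            candidates.append((i, c, tuple(sorted(addrs))))
    if baseline_ttl is not None:
        for i, c, _ in candidates:
            verdicts[i] = ("genuine" if c.ip_ttl == baseline_ttl
                           else f"injected: IP TTL {c.ip_ttl} differs from baseline {baseline_ttl}")
    elif len({a for _, _, a in candidates}) <= 1:
        for i, _, _ in candidates:
            verdicts[i] = "genuine: single consistent answer"
    else:
        ordered = sorted(candidates, key=lambda x: x[1].t_ms)
        for n, (i, _, _) in enumerate(ordered):
            verdicts[i] = ("genuine: last of the conflicting answers" if n == len(ordered) - 1
                           else "injected: conflicting answer that arrived first")
    return verdicts


# Constructed scenario: query txid 0x1234 for www.tumblr.com sent to 8.8.8.8.
SAMPLE_CAPTURES = [
    Capture(12, "8.8.8.8", 58, build_a_response(0x1234, "www.tumblr.com", ["203.0.113.7"])),
    Capture(95, "8.8.8.8", 47, build_a_response(0x1234, "www.tumblr.com", ["198.51.100.20", "198.51.100.21"])),
    Capture(20, "8.8.8.8", 58, build_a_response(0x9999, "www.tumblr.com", ["203.0.113.7"])),
    Capture(30, "192.0.2.9", 58, build_a_response(0x1234, "www.tumblr.com", ["203.0.113.8"])),
]

if __name__ == "__main__":
    for i, v in sorted(classify(0x1234, "www.tumblr.com", "8.8.8.8", SAMPLE_CAPTURES).items()):
        print(i, v)
```

In the constructed scenario the first answer arrives 12 ms after the query with a different TTL and a different address from the resolver's real reply 83 ms later, which is the pattern of an on-path injector; a mismatched transaction ID is simply dropped (as a real stub resolver would), and a reply from an address we never queried is rejected outright. On a live network the same test is usually run by sending the query to an IP address that runs no DNS server at all: any answer that comes back must have been injected.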