Fight against China's Web filtering software grows

A U.S. company that says its code was copied by a Chinese Internet filtering program has ordered more PC makers not to distribute the Chinese software.

Solid Oak Software has sent cease-and-desist orders to Lenovo, Acer, Gateway, Sony and Toshiba, following similar orders sent to Hewlett-Packard and Dell earlier this week, Solid Oak spokeswoman Jenna DiPasquale said in an e-mail Thursday.

The move added pressure over intellectual property theft to concerns that the Web filtering software, called Green Dam Youth Escort, could be used to bolster China's censorship of the Internet.

China last month ordered PC makers to distribute Green Dam with all computers sold in the country after July 1. The program blocks both pornography and some political content, including Web sites that mention Falun Gong, the spiritual movement banned as a cult in China. China has said the program is meant to protect children and can be disabled or uninstalled.

Solid Oak last week found that the Chinese software used code written in the proprietary format used by CyberSitter, the company's online content filter targeted at parents, DiPasquale said. The Chinese program contained blacklists and files apparently obtained from CyberSitter, according to a report by researchers at the University of Michigan.

An update distributed through the Chinese program has since disabled the copied blacklists, but the version available for download online does not yet reflect the changes, the researchers said in an addition to their report yesterday.

No one at the main company that developed Green Dam, Jinhui Computer System Engineering, was immediately available for comment.

Solid Oak has not yet heard back from the PC makers it contacted, DiPasquale said. Its next steps could include seeking a U.S. court injunction to stop the companies from distributing Green Dam in China, she said.

An HP spokeswoman said the company is seeking more information regarding Green Dam in cooperation with the Information Technology Industry Council (ITI), a U.S. trade group. She confirmed HP had received Solid Oak's cease-and-desist order, but declined to comment further on its response.

Lenovo said it is closely monitoring developments involving Green Dam and will continue to obey the law in the countries where it does business.

Industry groups including the ITI have called on China to reconsider requiring distribution of the software, and Chinese state media yesterday said foreign companies might not be able to comply with the mandate on time.

"All domestic PC makers are ready to include the software by July 1, but some foreign PC makers, such as Dell, might not be able to meet the deadline," the China Daily quoted an unnamed official as saying.

Chinese Internet users have also filled Twitter streams and online forums with opposition to Green Dam.

Programming errors that left Green Dam vulnerable to some attacks have been patched since the University of Michigan researchers revealed them last week, their updated report says.

But a properly designed IP (Internet Protocol) address could still take control of a user's computer through holes that remain in the patched program, the report says.

The researchers again advised uninstalling the program, calling it unlikely that all of its security problems could be fixed before the deadline for its distribution with PCs.

One patch also updated Green Dam's help file with a license statement for OpenCV, an open source computer vision package developed by Intel, the report said. Green Dam's image recognition tool for pornographic images draws on the package, according to the report.

Earlier versions appeared to violate OpenCV's license by leaving out its text, the report said.

A Chinese foreign ministry spokesman defended China's support for the program and declined to answer a question on its use of copied code at a press briefing Thursday.

"China has the responsibility and the obligation to protect its youth from violation by harmful online information," the spokesman said.

DHS names key cybersecurity staff

U.S. Homeland Security Secretary Janet Napolitano tapped Philip Reitinger as director of the National Cybersecurity Center (NCSC), replacing Rod Beckstrom, who quit the post earlier this year citing turf battles with other agencies.

Reitinger will be responsible for collecting, analyzing, integrating and sharing cybersecurity information among federal agencies, the DHS said in a statement Monday.

Reitinger, a former Microsoft Corp. cybersecurity executive, will also continue in his current role as deputy undersecretary of the National Protection and Programs Directorate at the DHS.

His appointment was one of three key personnel announcements made by the DHS on the cybersecurity front. Napolitano also picked Greg Schaffer to be assistant secretary for cybersecurity and communications (CS&C), and Bruce McConnell as counselor to the deputy undersecretary at the NPPD.

McConnell will be a senior adviser to Reitinger on "strategic and policy matters" related to the NPPD, the DHS said. The NPPD includes the CS&C, the office of infrastructure protection and the US-VISIT program, which provides visa-issuing posts with biometric identification technology. McConnell was also part of the Obama-Biden transition team and was involved in information policy and technology-related matters.

Schaffer, meanwhile, will be in charge of coordinating cybersecurity efforts across the NPPD and ensuring that public and private sector organizations and international partners work together to mitigate threats to U.S. interests in cyberspace. He replaces Gregory Garcia, who was the first to be appointed as assistant secretary of the CS&C by former DHS Secretary Michael Chertoff in 2006. Schaffer was previously a cybersecurity executive with Alltel Communications and PricewaterhouseCoopers.

The DHS appointments come at a time when there are growing questions about what the agency's appropriate role should be on cybersecurity. The DHS continues to be the lead agency on cybersecurity matters, but it has been criticized for its inability to live up to that role.

When Beckstrom resigned as director of the NCSC in February, he lifted the lid on an ongoing turf war between the DHS and the National Security Agency over cybersecurity. As reasons for his decision to leave, he cited the NSA's growing interference in domestic cybersecurity matters and the DHS's unwillingness to lend the needed financial support and other resources to the NCSC.

Many agree that the DHS needs to be empowered to take an operational role in cybersecurity. But they have also argued that the task of developing and enforcing a comprehensive national cybersecurity strategy belongs in the White House. Over the past few months, several groups have lobbied for the creation of a high-level cybersecurity post within the executive offices of the president.

It was against this backdrop that President Obama last week announced the creation of a White House-level cybersecurity coordinator to oversee governmentwide information security efforts. Obama has yet to make the appointment, and it remains unknown how the official will work with the DHS and other government agencies in pulling together a national cybersecurity strategy.