Thank you to all of the audience for attending this session. This is about Chinese censorship. Actually, I come from Hong Kong and would like to share my personal experience on the kinds of censorship, to have a kind of East-West seminar, then talk and do much, much sharing. Censorship is not just for China; many countries or many nations have censorship. So that's the reason I would like to trigger the research and trigger our ideas on how to protect our privacy. For me, I will talk about a censorship overview, then Tor and bridges from Jacob, and Green Dam and Dam Burst from Jon. Okay, there's no national secret. Okay, look, are there any spies? Any China spy, Chinese spy, Taiwan spy? No worries. All things are from the internet, from search. I've got my objective right now, right? Be relaxed, okay. Encourage technical research and technologies in privacy protection and how we do the work to get out of the censorship, and share my personal experience with you guys. Okay, let's start. I work on penetration testing, like code audit and training, and do malware analysis. If some of you attended my Black Hat session about China-made malware, then I hope you liked it. And also I set up my research group, maybe to study, explore and analyze malware. Yeah, and this is what I've done. Censorship. I will go through this list in 15 minutes, in around 50 slides, then you will find it has a rhythm, okay? IP blocking. Actually, IP blocking is very, I mean, it's a very easy one. It's whitelisting, blacklisting, or blacklisting, not brown listing, right? And you will find it in 202, and when you go to Google, then you will find it goes to the maze. You will find the excessive color of the, what? Sorry. Excessive color. This is the search engine in China, okay? Google, the blue one, the same; the fonts are the same, the bar, the location is the same. Yeah, then when we go to google.com, you'll go to teamwen.com.
Yeah, these are the kinds of DNS poisoning in it. Like using poisoning in the zone file, using packet injection, and another issue is about the root server issues. Especially for me, I tried to connect to some China proxy servers in Hong Kong, or even when I traveled to China. When I go to Facebook, actually we resolve the IP 66.220.153.15, which is the correct one. However, you'll find here that the 93.46.89 is actually a false one. I mean, it doesn't exist. They do this kind of DNS poisoning. There's a root server on the internet. However, there's news just in March. It's about when you go to YouTube, Facebook and Twitter, you get redirected to servers in China. And also, after talking about DNS servers, we're talking about China products, okay? Chinese products are great, man. You'll find the SMTP server. You'll find there's a withholding policy. The policy is here, right? Okay? And there's also like how to audit emails. Then you could audit the username, and also the administrator could audit the email, right? And get to use the names, right? Very good filtering. And of the keywords, yeah, you put any keywords you like. This is my first time to find an SMTP server with this powerful censorship ability, capability. And some basic UDP and TCP weapons, like TCP traffic and UDP session hijacking, and connection timeout and reset. This I will not go through; it's basic TCP handshaking, right? Just handshaking. However, when I would like to go to this website, appleday.com.hk, it is blocked in China. Once I visit it, they feed back to me different resets. Here. Resets, resets, resets my connection. And going to the, it is typed in Chinese, it is about the 1989 democracy campaign in Chinese. Then I got more resets. Yeah, powerful resets. There's a research paper about how to identify forged reset packets. And going to Shanghai, I went to the Expo, the World Expo; there is a long queue. Anyone go to the China Expo? Wow, great.
You need to queue up or have a wheelchair. Then you could have a fast expressway into the expo, at the museum, okay? And I tried Facebook, Google services and Twitter, YouTube; I can't go there. You can only get resets. Oh, this is the site. Actually you could check whether your site is blocked in China. However, this site is blocked in China. Okay, let's guess: GFW. No, not BMW, okay? It's the Great Firewall. Yeah. This is a GFW diagram, but not official; it's guessed by bloggers. However, these diagrams are put up by individual researchers in China. But they put it like that. However, they took it off in a few days. They've got a blacklist, content filtering system, keyword list, okay? And also a permanent blacklist, okay? And there's many, I mean, it's a very daily blacklist. There are many human resources spending the time to filter, to find the sensitive words. QQ, do you know what QQ is? Like MSN and like ICQ. However, very interesting. There's news from the internet, I got it, that once you install QQ in a previous version, then it scans your machine. Yeah, it is an anti-virus capability, maybe. It scans your executables and scans your documents to see whether there is any embedded shellcode. I don't know, but simply they put it like that. Scan all of them, yeah. QScanner. And also it's Skype, customized in China by Tom.com. Actually it's at Tom.Skype.com. Tom.com has a specialized edition of Skype. If you want censorship, please go there. Download it, install it, you'll enjoy the keyword filtering. Yeah, and there are many, 47 million registered users in China using Tom's Skype, okay? However, they changed the code. Tom.com changed the code with the authorization from Skype. The Skype CEO comes here and says, oh, I'm sorry, we don't know, they changed the code. And also there's another advanced censorship: upgrade your software.
Actually another piece of news is about a Beijing, some kind of person for human rights. However, when he logs, tries to log into QQ, he finds there's a box like, please upgrade your QQ. However, his friend tries to log in on his machine, with this one, I can't, but there's no upgrade request. It's quite one-to-one. Monitoring customer service. This is phishing for censorship, right? Asking the person to upgrade. However, the target's friend logs in again. No, no such upgrade prompt. Hopefully I will not get it. An ultimate censorship weapon is the 7-Eleven convenience store, like the staff there monitor the broadcasts, monitor the forums in 10 seconds, a few minutes. If you talk about some sensitive thing, then it gets removed. Quite efficient, right? And this is what we are talking about, sensitive words. When you type in this Chinese word, which means commemorate, this word is blocked, because maybe it's near the time of some sensitive anniversary for the government. We call these sensitive words. So this is a trendy China language. When your language, maybe your message, is blocked, it will be replaced with "sensitive words". Then some China netizens make a joke with the government, like "I love Beijing"; actually these words are "Tiananmen". Then they blocked it. Then they put "sensitive words". I love Beijing sensitive words. The sun rises at sensitive words. Our great leader sensitive words, guiding our community to progress. And another joke is like the China growth, 6.4%, but it's filtered, the 6.4%. Okay, Green Dam. Okay, sometimes this is the one I like a lot, because I did the reverse engineering in, I mean in Hong Kong, to know how it works, and it's about filtering bad content for the youth, like sex and some bad violent content. However, some exploits were found and code is suspected to be from CyberSitter, yep. However, the China government would like to install it, but it was banned. Okay, I put the baby face, I tested it. It's nude and blocked.
I put, oh, here, I'm sorry. Here, you find it. I put some wording about 64, the 4th of June, then I typed it in Notepad; it's blocked and closed, yeah. I put the chairman here and it said it is an inappropriate picture. Why? Why scan, why censor our China chairman? And also why censor our communist logo? And it said this is a bad picture; it's highlighted here. And also I did some kind of very simple reverse engineering to find it. There's a list of the executables they are monitoring. Right, QQ is there. Yep, different executables, email, Notepad. The next one is about when you go to this internet cafe, then you need to register your name, okay. And also IPv6 will identify the location and address information of those netizens. And another project is about the West Chamber project; actually it's an open project on how to bypass the GFW in China, and it applies, it refers to the research paper about insertion, evasion and denial of service. And it's very good that they could make use of the research paper to do some work. Then what is the theory behind that? It sends a FIN packet from the client to the server, and the GFW believes the client has ended the connection. Then the server will drop the FIN, and the packets sent from the client will not be monitored by the GFW. And another point is the client sends an ACK packet with an incorrect sequence number to the server, and the server replies with an RST packet to the client; the GFW is cheated and also thinks the server has terminated the connection, so it stops the monitoring and censorship. Okay, it's very good. I love this kind of research and application. The client and the research packets sent by the server are no longer affected by the GFW. And set up the GFW DNS reply fingerprint. If the fingerprint is posted by the GFW, we simply filter it out, right? The normal DNS reply will not be affected. This is the, I mean, the diagram, the flow. It's like that. These are pictures captured from our local newspaper.
Yeah, you'll find it's a battleship. And thank you to this Japanese adult star, because there's news about, in April 2010, actually she went to Twitter. You could add her right now. And there were over 40,000 netizens who would like to go to Twitter and try to bypass the firewall on that night. So you have there the adult star, maybe more helpful to education than us standing on the stage to talk about bypassing censorship or working on censorship. I would like to summarize: when you do censorship, sometimes you are more likely to increase the workload. Okay, you increase the resources a lot. It may not solve the problem. And my summary is to encourage research to inspire, I mean, the creativity. And other countries may have the, I mean, the censorship strategy, but we need to have a balance between privacy and censorship, and build business opportunities like VPNs. Most of the Chinese businesses there work on VPN services, I mean the VPN connection for the company. Okay, that's it. Thank you.

So, before you get started here, Jake, why don't we throw out one of these guys? Oh yeah, sure. Anthony, you want to describe what the hell this is? This is a horse. But this horse is a very, very great zoom-in piece, this one. Because this horse is called Cao Ni Ma. It's a grass mud horse. Which is it? In China, there's some kind of foul language, like it's a motherfucker. Okay? However, the censorship blocked it out. So they use grass mud horse in the alphabet and use it in their communication in the forums. However, the China, I mean, their censorship also blocked it out. So I'm now trying to throw this Cao Ni Ma to you guys. Okay. So I want it. Want it? Yeah, hopefully you like it. But don't do this, don't speak like that to the Chinese, okay? Okay.

Okay, so part of the thing that people generally want to do when they're in China is they want to get around the Great Firewall.
The thing is that I want to make it, I mean, we're giving a talk about China, but I want to be kind of clear: this applies basically to everywhere in the world, including the United States. Depending on where you are, there's some guy sniffing the network, or some girl sniffing the network, and they're going to do some nasty stuff. So we have a couple of things we need in order to be resistant to these types of censorship attacks. And one of the things that Anthony talked about was the idea of detection, right? So like you have a keyword, it goes through, and when you have this keyword on the network, the network is able to sort of detect and react to you. So one of the things you want to have is confidentiality. If you don't have confidentiality, it makes it really, like, extremely easy for someone to, like, especially if they're on the local network, they can intercept anything and they can send resets. Like, they could be much better. They could imitate your TCP stack better. They could imitate your DNS responses better. Depending on the type of attacker, it's kind of varying. So if you're on a backbone, you have a different kind of capacity, and you have a different sort of memory, so to speak. But if you're on a local network and you have a very small segment, then there's almost no limit to what you can do. So it's important to not trigger that, so you want confidentiality. You also want to make sure that when you send a request, the receiver of the request knows that it's exactly what you sent. And so you need integrity as well. And of course, since TCP/IP is, I mean, about as open as you can get, you need to make sure that you don't directly connect to the thing that you want to connect to, because if you do that, there's a pretty good chance that the thing you're connecting to, if it's high profile, like for example Facebook or Twitter or something like this, its actual IP addresses for whatever services they use for hosting their website.
Those IPs will actually be in the block list. And so you want to have an intermediary in between. So the idea with Tor is that we sort of provide all of this and then some, accidentally, as part of being an anonymity system. So I guess some of you have probably used Tor. Any of you? Yeah? Okay. Who here has never used Tor? I guess is the question. Just like one guy in the front, two guys. Very cool. Sorry, it's slow. I mean, you know, how fast do you want to die? So Tor, basically, if we were to go through it, it would take quite some time. There are like hours-long lectures where we can talk about circuits and we can talk about cells and we can talk about the crypto and stuff like that. But in short, it allows you to do most of the things you want to do on the internet anonymously, where you get all of these things that I was previously mentioning, right? You want these different properties. You want a lot more than those properties, but those are the most important ones. So you can make DNS queries through Tor, but you don't get the ability to make arbitrary UDP packets. So there's a big difference, right? We have a DNS port, which is like a DNS server, and you can make DNS queries and those queries will allow you to connect to sites. So if you have to deal with DNS blocking, you can just use Tor for your DNS if that's the only filter, and if you don't care about anything else, it will transport your DNS request just fine. And there's a guy who's here, his name is Collin Mulliner. We've been working on this project called TTDNSD, and it allows you to make arbitrary DNS requests through Tor by making TCP connections to recursive DNS servers that are upstream, and it uses the Tor network first. And that means that if you're only worried about DNS blocking, you don't have to worry about Tor being slow, because you can do all your DNS resolves and then just connect directly.
And unless the IP address is actually blocked, or the content of the messages you're sending is blocked, you can sort of do a hybrid thing to get around some kinds of filtering. Anyway, in short, the way that Tor works is that you have this large network. It's essentially a peer-to-peer network with a series of directory authorities. All of our directory authorities are of course blocked in China. So at the moment, a client in China actually has some amount of trouble connecting to the Tor network, so we'll get to that. So the 60th anniversary of some guy making this country, the PRC, happened recently, and when that happened, they blocked the Tor network. So what they did is they downloaded a list of relays, which is the directory authorities give out a list of relays. That's how clients make routing decisions. It's a source-based routing protocol. So the source says, I want to route through three hops. These are my three hops, and build a circuit. There are cryptographic handshakes that happen in each step of the way, so you know who you're talking to is who you think you're talking to. And the problem is that if you can't get that list, you can't build that circuit and you can't make your connection. So what the Chinese government did on the 60th anniversary, or five days before, is they downloaded that list and tossed it into the Great Firewall. So now we have this problem, which is that if you want to connect directly, you need a new intermediary. You can't just use the normal Tor network as your intermediary to connect to, for example, Facebook or Java or whatever you want. So it's a problem, like all that crypto, all that integrity and confidentiality you've got. It's totally like it doesn't matter because you're blocked. So we can't solve this problem very easily, in that you have 2000 IP addresses which you have to give to everyone so that they can use this system to be secure.
And if you don't give those IP addresses to everyone, you have a partitioning problem, which means that you can give one section of the network to one person and one section to another, and you can't do that in an anonymity system, because if you do, you start to be able to partition users' behavior and you start to be able to potentially de-anonymize them. So instead of partitioning, what we did is we came up with this idea which is called bridges. And I'll get to that in just a second. But first I wanna talk about single hop versus multi hop. So part of the reason that you want to have multiple hops when you're using the Tor network is that you don't want to have a privacy-by-policy system. So if any of you use a VPN, you know that what you're basically saying to the VPN provider is, okay, you know who I am, you know where I'm connecting from and you know everything I do online, but you promise you won't write it down. Okay, you wrote it down. You promise you won't tell anyone. Okay, you share it with your critical business partners, but you won't share it with, like, I don't know, law enforcement or someone that breaks into your systems. Okay, you share it with them for, like, specific things, and like you see this path where it goes, and we want to build something stronger than that, because even if the proxy operator is 100% honest and everything is totally solid, they can still be monitored, right? Every machine on the internet is near another one that can be compromised. So you wanna make sure that you are not using just a single hop, and you also wanna make sure that your traffic is mixed with other people's so that it's extremely difficult to sort of, like, decide which traffic is the most interesting, and hopefully that can be helpful to you. And the way that Tor tries to avoid this type of surveillance is that we know that there's a correlation attack, which is that incoming traffic and outgoing traffic can be correlated and then you can de-anonymize someone.
So if it's just a very small network like a VPN provider, that's trivial. If it's a global network that spans every country in the world, that becomes very difficult to block and very difficult to surveil. And even if every country was cooperating legally, it's still technically very difficult, but they're not cooperating legally, so it's also socially very difficult. So bridges are how we solve the Chinese blocking problem. This is also how we solve it in Iran and in a number of other countries. And I'm pretty happy to say, and kind of proud, most of the bridges that I've seen are actually run by Americans and Germans. There are some people from Sweden, a lot of people from Sweden actually, that run relays as well. But most of the bridges that I've seen are actually in the United States and in Germany, which is pretty awesome. I mean, people here really care about free speech. It's very inspiring to see that. So what a bridge is, essentially, is a relay just like the relays that are in the directory authority. So you can do cryptographic operations with them and you can send them data and build circuits and attach streams. But the difference is they're not in the directory at all. So they don't exist, basically, as far as anyone else is concerned. So you need to connect to the Tor network, but you don't wanna have a privacy-by-policy system. So what you do is you connect to a bridge that maybe I run for Anthony. Like if I ran one in California, I don't tell anybody about it, but I tell him, maybe by communicating with him in some other way, over chat or something. He can connect to me, but he doesn't wanna trust me with all of his sensitive information. So he connects to me, and then from that Tor automatically uses that bridge to bridge into the Tor network, and now he's in the Tor network and he doesn't have to trust me, and the Tor network doesn't know he's coming from China anymore. So it's extremely difficult to target him.
So the interesting thing here is that when these blocking events happen with China, they harvest this information. So we have two types of bridges. We have public bridges and private bridges. Public bridges are essentially just like relays, except instead of going to a directory they go to what's called the bridge authority or the bridge DB, and we have a website, bridges.torproject.org, which will give you bridges. And the way that works is that we have this hash ring, essentially, and if you are coming from a certain set of IP addresses you're in one section of the hash ring, and if you are sending an email to bridges.torproject.org you again enter the hash ring in a different position, and every time you make a request you enter in the same position, so you always get the same bucket of IP addresses. So no one party can easily harvest the entire hash ring of data. I mean, it is of course possible, for example, if you have like 10,000 Gmail accounts to send 10,000 requests and get them. But what we're doing is offloading that work so that they have to break Google's CAPTCHA instead of some CAPTCHA that we spend months engineering or something. So it's possible, but it just changes it a little bit, makes it a little bit easier for us. So like the Tor network is one geographic location and China is another geographic location, and of course the interesting thing is the public bridges have actually all been harvested. So on a regular basis people go to bridges.torproject.org and email bridges@torproject.org, and they get all the bridges and put them into the Great Firewall. So they're actively harvesting things; they take a great deal of effort to try to block access to the Tor network. And actually at the moment, unless you have a private bridge, there's a really good chance that you can't use Tor in China right now, which is really extremely disappointing, but it's not because of protocol filtering. It's just because of IP port and IP address blocking in the firewall.
So unfortunately, because they are able to adapt and to grab this information, it's sort of, it's kind of a cat and mouse game, but we did take it from something we can never win, which is a public list that we give to everyone, and we reduced it to a private list that sometimes is given to some people, but in some cases, like private bridges, they're not given away at all. The private bridges always continue to work; the public ones don't. So some people will have access to this network and some people won't, because they're spending lots of someone's taxpayer dollars to do that. An interesting side effect of this is that when they harvest, so I run one of the Tor directory authorities, they connect to me potentially, or to someone else, and they pull down that list of IP addresses and then they put that into the firewall. Does anybody see a problem with that? Like, this is kind of a funny, like, an unintended consequence here would be that if all of the Tor network decided to do this, all the directory authorities could, for example, put in the IP addresses of every place where you request a visa to leave the country, and then all of a sudden none of the sites work anymore because they're all blocked. Right, so there's a kind of funny thing here: when you know that you are the source of information for censorship, you could affect the outcome of that censorship. We have not done that, and I think it's probably not a wise thing to fuck with the bull unless you're willing to get the horns. But I guess those of you that know me know that I probably don't have a problem with that. In the future, I can imagine that you might see something like that. Although I don't think the Tor project wants to do that, so it probably won't happen. But how much does what cost to pay me off? Die in a fire. Sorry to all of those that have actually died in a fire. So here's the deal: if you run a bridge you can actually help someone, right? You can help someone directly right now.
I mean, I hate to sound like, you know, the "save the children" woman or something, but you know. Unfortunately censorship is a really big problem, and it's not trivial to make it go away because it's socially very successful. A lot of people really believe that they should not have access to information and they should not be able to make decisions on their own, and that someone else is better at making decisions for them, and that they don't need autonomy or agency in order to make changes in the world. I say fuck that, straight up, right? If you're not clapping, I'm a little disappointed. And if you are clapping, you can run a bridge and you can also do this, right? It doesn't take anything special. It's a peer-to-peer network. It's as easy as clicking an install and checking a box, and you'll literally help people. And while in some cases China is harvesting it, interestingly enough the Chinese government isn't sharing their block list with other countries. So everybody else has to reproduce this effort, which means that since they're not doing that, your bridge is still useful in a lot of other places like Iran or Canada or here or wherever you happen to be that does some sort of network censorship. Hey, anyway, that's it. Check that single box and you can do it automatically. And you have no liability. If you do this, they can only connect to the rest of the Tor network. So there's no harm that can possibly come to you unless Tor were to become illegal, which it's not going to. Thanks.

Well done, Jacob. In this last part we'll be talking in a little further detail on the technical operation of the Green Dam software that Anthony hinted about. And I think it makes a good transition from Jake's slides, the fact that the success of these Tor bridges, and the Tor network in general, has really sort of changed the game in terms of censorship.
A lot of these entities, whether they're governments or other organizations trying to impose the censorship software, sort of have this fine balance that they need to strike. Obviously if China really wanted to crack down on their network they could go with a whitelisting approach where they're only going to allow certain websites, but that would make for a lot of angry citizens and also a lot of outrage. So when they kind of play this whack-a-mole game where they're going after Tor bridges, or trying to harvest these addresses of the bridges to block them, it turns out to be this sort of leaky sieve where these bridge IPs can be passed around privately and distributed in sort of a peer-to-peer social fashion. So I think that when these entities or these governments are looking at this problem, they think, hey, why don't we push the same functionality that we have down to the end host, where we'll have more control, we'll actually be able to inspect the processes that the guest is running, have more flexibility and have more protection against a user potentially trying to evade or remove the censorship functionality, excuse me. So, whoa, sorry about the formatting there. I think some OpenOffice nuances. Green Dam is the host-based censorship software that was introduced by the Chinese government. This was, I think, early last year when they first announced it, and originally they were saying, hey, all PCs that are sold in China are going to come with this Green Dam software, and there was a bit of a hoopla around that announcement, and they kind of slowly backed down as more and more information came out about this Green Dam software and how poorly it was built and some of the components that were stolen to build it.
The Chinese government kind of backed down, and I think now it's still deployed in internet cafes where users might not have full control of their computer, and I think they might be rolling it out to schools and stuff too, or other government organizations. Actually, they are out of funding, but they have a target to move this product to sell in Taiwan. Yeah, there was an announcement recently that they lost their government funding in the company that was developing the Green Dam software, which is not surprising because they did a pretty poor job. So again, no titles, I apologize for the formatting here, but these are the features of the Green Dam software that Anthony briefly went over. They have a content filter which looks at the actual content you're creating in these applications, like if you're writing a Word document or writing a text file; as Anthony showed the screenshot for, it will actually pop up that nice little warning, which, I don't know, what does that translate to, Anthony? The Chinese message? Yeah. This message is inappropriate. It will be filtered. Okay. Yeah. And there's also these network filtering capabilities that are deployed on the end host, but filter network connections coming out of it, and they actually did steal some software or some blacklists from the CyberSitter company, just straight up pulled down their blacklist and included them in the software, which was pretty blatant, and I think there were some lawsuits over that.
Also the image pornography filtering using the OpenCV package, which looks for these skin tones in the picture, so that baby picture that Anthony showed has a lot of skin tone colors, so that's why it was considered inappropriate. But the bonus features are the interesting ones, where there were some very, very poor programming practices once you start digging into the Green Dam software, trivial stuff; like some of my colleagues at the University of Michigan, like the first thing they tried, they had a long URL that you click on, that URL is actually inspected by Green Dam, and it's just a straight smack, a stack smash, just with a long URL; this is like 1990s programming mistakes. So those features are not necessarily what we're gonna focus on today, but we're gonna look at how Green Dam actually operates and how it actually hooks into your host, and sort of the techniques we use to actually unhook those hooks. So there's a wide range of interposition mechanisms that Green Dam employs. The one that you guys might be most familiar with, if you're familiar with any sort of rootkits or sort of ring-3 rootkits: they can hook these, there's an API called SetWindowsHook which allows you to be notified of certain activity like window messages or keyboard activity, so some poor keyloggers will use SetWindowsHook in order to get your keystrokes. It also uses the Winsock LSP, which is mostly a headache for normal users, the layered service provider functionality of Winsock; when people install LSPs and then try to remove them, it usually ends up wrecking the entire Winsock stack. These guys hooked a number of your traditional Winsock socket calls to inspect the traffic that's going in and out of your system, and that's in one of the DLLs that's injected into all the processes on your machine.
And lastly, there were a number of API hooks they use; we'll talk a little bit about the techniques that are used to inject the DLLs and also hook the API calls. And there's a list of these processes, I think Anthony showed a screenshot of particular processes by name that are targeted, so a lot of this stuff, if you change your process name you won't be targeted, but you might not be able to do that without administrator privileges. So traditionally, if you're familiar with rootkits or API hooking, there's sort of two ways to go about it: you can go about it the good way and actually write a kernel driver, which will actually protect the integrity of your hooks in the user-space applications, or you can go the lazy route, which is what these guys did, with the ring 3 rootkits or ring 3 hooking, which is when you actually implement this API hooking functionality in user space, in the memory of the process, so you're sort of on this even ground. So traditionally how this happens is you can either patch the import address table when you're actually injecting yourself into different processes on the system, or you can actually do sort of the trampolines, where you will overwrite the first few bytes of each function to jump to your hooking code and then rewrite the instruction that used to be there and jump back, and this is what's used in fairly poorly written rootkits and spyware. So what you would do is you inject into all the running processes on the system using this CreateRemoteThread functionality in the Windows platform, which is awesome functionality for rootkit and malware authors, but it can also be used, I guess, for good purposes; we're gonna use it. But essentially it allows you to, like it says, create a remote thread in a process: allocate memory in that process, put your executable code into that process, and then execute it within the context of that remote process. So by doing this you can inject into all the running processes, hook the create process call inside each of those processes, such that when they launch further processes you're able to sort of spread virally into those new processes as well.

So how Green Dam works is it injects itself into this list of processes, whether it's Firefox or Notepad, and then we can actually go in and just un-inject all of the Green Dam code that's been put in there. So that's what I did: I wrote a tool called Damburst, which I think is interesting from the standpoint that us security researchers don't usually get to use our skills for good purposes, so to speak. The same techniques that Damburst uses are good for writing rootkits, but when we can actually use this functionality and our skills to help users who are facing this censorship, it's kind of a win-win: it's good to do something that's technically interesting, but it also has a good side effect on society. So while there were these interesting vulnerabilities in the Green Dam software which would allow us to own all of China, it's always good to try to help the users as opposed to infecting them. So a few properties about Damburst, which we tried to make more friendly for users who might be in restricted environments: it doesn't require administrative privileges. Obviously, if you have administrative privileges you can remove or uninstall the Green Dam software, but in many of these cases, where you're in an internet cafe or on other public computers, you might not have, you don't own the box, so you might not have admin rights and you might not be able to remove the software. And we also made this very transient functionality, such that it doesn't leave behind a lot of evidence that you were running it, so if you were in an internet cafe and you bursted a few of the processes on that box in order to evade the censorship, and someone else came to that box later to look at it, they wouldn't know that you had done this, and you can kind of get away scot-free. And on the last, of course, actually by un-injecting the Damburst routines that are vulnerable, it actually increases the security of your computer, because you're sort of cutting off these vulnerable code paths from being executed.

So the injection process works like so: as I mentioned, these are all standard parts of Win32 which allow you to allocate memory in the remote processes and actually write your code into that process and then start a thread based out of that DLL that you just loaded. And similarly, for the patching of the Winsock LSPs, once we're actually running code inside the same process that's been infected with Green Dam, we can simply overwrite the LSPs, since removing them is a pain in the ass; we can simply overwrite them with no-ops and just make sure that its functionality is effectively neutered. So we pop into each process, we patch out the functionality of Green Dam, and then we unload it, lastly, to make sure that the vulnerable routines are no longer in there. And I wanted to show you guys a demo, but I don't have the VM on this laptop, but this is what it would look like: you're searching for porn or whatever you really want to find down there; immediately when you hit enter, nothing happens, the connection's interrupted, and Green Dam has filtered that because it recognizes it as an offensive word. And you can see that in the little screenshot near the bottom there: you see the handler, inject lib, db filter, surfguard; those are all DLLs that Green Dam has injected. And in the Green Dam snapshot you can see the applications that are specifically targeted by Green Dam in red, so you see Firefox and Notepad there have all of the DLLs injected into the process address space, and some of the other ones are just partially injected; they don't have all the same filtering routines injected into those processes. But you can select any process that you want to burst it, or you can just click "burst all"; our code will go in there and burst all those processes such that this is disabled, and you can search for your porn successfully, or your politically motivated material, whatever you're looking for that Green Dam does not approve of.

So getting back to sort of the theme of this: Green Dam was an initial attempt at this host-based censorware, and as I mentioned, the news report that was recently released, they took all the government funding from this company that was developing Green Dam, and from this first attempt we can see that they did a pretty poor job. They didn't hire the right company, they didn't cross their T's and dot their I's before releasing this, and I don't think they were really aware of the backlash they would get and the quality of the code that they were releasing. So it is kind of scary to think that in the future they're definitely gonna do a much better job; I mean, they're not gonna make the same mistakes, and I think that the success of the tools that Tor is providing and that Jacob is providing will only drive more entities and government organizations to approach this censorship problem from the host-based level. So I think we'll undoubtedly see more of this host-based censorship software, and I did see just a few weeks ago an article about a new Green Dam, or host-based censorship software, in Vietnam, and I haven't looked into that at all, but it's not surprising. I think we'll see a lot more of this in the future. And with that, Anthony, you wanna conclude? Yep.
Thank you, John, actually, for presenting, and I would like to just end on, so Jake also presented like a short brief of a conclusion. Actually, I suppose the internet censorship happens everywhere, okay? So however, we need to have a balance between them, the monitoring and privacy and free flow of information, and we are now target, I'm not target to take our 18-hour flights to here to bring my country, however the problem is we have the issues, we have some areas to improve the technologies, okay? So how to get more, I mean, more of a step forward from the research. And so my friends, to Jacob, John, and also to give this censorship, I mean, this talk with us, then, and also I'm thankful to my teammates, Sam, Jackie and Charles, and my professor and Rocky, and he gives me a lot of insights in the censorship and the network monitoring, and my Chinese bloggers like Iset and Digital Boy; then the Chou Li Ma is purchased from Digital Boy, $100 for 10 Chou Li Ma, and also my wife and my dog's family: this is my head of army, and this is my elder sister, and Gigi is the head of Hester's wife. Then thank you.