Following the block of Twitter / Flickr / Live / Bing / Hotmail and  “the Chinese Website Maintenance Day”, Chinese government has ordered that every PC sold in Mainland China should be shipped with built-in censoring technology.

Called Green Dam Youth Escort Software | 绿坝-花季护航软件, it’s designed to block access to certain Web sites including pornography, illicit, and any “harmful” content. The official notice about the requirement by Ministry of Industry and Information Technology says it is aimed at “constructing a green, healthy, and harmonious Internet environment, and preventing harmful information on the Internet from influencing and poisoning young people.”

China’s existing, and extensive, Internet censor system (a.k.a Great Firewall), blocks access to a range of content at the network level, “and many users circumvent it,” the WSJ notes, stating the new method could give the government a way to tighten its control.

This morning, Adam J. Schokora from Fifty 5 shared me a bilingual summary on WikiLeaks called “A technical analysis of the Chinese ‘Green Dam – Youth Escort’ censorship software”. As Adam said, the Green Dam will have a significant impact on how the Internet is “seen” in China, and how Internet / computer companies do business in the PRC.

A Technical Analysis of the ‘Green Dam-Youth Escort’ Software

• Section 1: About

Green Dam is the informal name given to the expert system from Jinhui Technologies which blocks pornographic images and other “harmful” information.

Project Director: Zhao Huiqin
Technical Director: Zhou Hui
Chief Designer: Tang Huaili
Project Manager: He Hongjie
Project Engineers: Li Bicheng, Cao Wen, Peng Tianqiang, Zhong Sheng, Li Xiaohe, Li Yang, Zhang Wenzhong
Beta Testers: Mary Ma, Sharon Zhang, Dong Juan
Documentation: Zhang Chenmin, Liu Yu, Biddle Zhang
Systems Support: Wu Chaoyang, Xuan Juan, Liu Yishan, Ding Min
Http://www.zzjinhui.com ©2009 Jinhui Technologies. All Rights Reserved

1. National Ministry of Public Safety Information Security Product Sales License No. XKC30492
2. National Development and Reform Commission Approval (NDRC Circular[2004]#2040) as “Major Software Industrialization Project”, the only approved filtering software project of its kind nationwide
3. Ministry of Science and Technology (MOST Circular[2004]#449) Approval for “technological innovation project funding”
4. Ministry of Industry and Information Technology (MIIT Circular[2005]#9) Approval for “electronic information industry development project funding”
5. Only the China Internet Illegal Information Reporting Center (ciirc.china.cn) has officially recommended Green Dam.
6. Awarded first prize at the Ninth Chinese International Software Expo
7. First prize at the 2005 Zhengzhou Advanced Adaptive Technology Trade Fair
8. First prize in technological advancement from Zhengzhou City
9. Jinhui Marketing Service Center: 0371-63697160  Fax: 0371-63697171

• Section 2: Objectives and Functions

With the Ministry of Industry and Information Technology, Ministry of Education, Ministry of Finance and State Council Information Department as its partners, Greed Dam currently offers Family, Commercial, Organization, Internet Bar and Campus Editions.

Stated features: To protect minors from age 10-16 through the filtering of pornographic and violent images and content.

Latent features: To filter political content? To filter circumvention software (such as Wujie)?

• Section 3: Applicability

Current versions only support Windows; effective only when used in conjunction with Internet Explorer or Google Chrome, it has no effect when used with Firefox. The harmful information screened by the software includes politically-related harmful information, and the software relies on non-conventional methods to install, also ineffective within Firefox, closing the browser and adding the website address onto a banned list without confirmation. In Internet Explorer, the software’s ability to classify clearly political content as “harmful information” is unreliable; for pornographic content, Green Dam is able to make relatively accurate assessments. When used with Firefox, however, the software shows no response.

Compatibility list of currently supported projects:

I. Operation Systems

1. Windows 98, compatible, text screening not supported

2. Windows 2000, compatible

3. Windows XP, compatible

4. Windows Vista, compatible, updates and uninstall can only be performed through User Account Control.

II. Browsers

1. Internet Explorer 6.0/70, compatible

2. Opera 9.5, compatible

3. Firefox 2.0, compatible

4. Netscape 9.0, compatible

5. Tencent Traveler 3.0, compatible

6. Maxthon 2.0, compatible

III. Office Software

1. Microsoft Office 2003, compatible

2. Kingsoft WPS 2007, compatible

3. Evermore Office 2007, compatible

IV. Anti-virus Software

1. Kaspersky 6/7, compatible

2. Rising 19, compatible

3. Jiangmin 2008, compatible

4. Norton 2008, compatible

5. McAfee 2008, compatible

.

• Section 4: Technical Framework Analysis

All files within “Green Dam-Youth Escort” are installed to the system directory (windows/system32), and while no means to uninstall are provided in the Applications menu, the option to uninstall can be found in a menu within the main program. When launching Green Dam’s image filtering function, the software automatically clears the browser cache.

Within xstring.s2g, located in the Windows directory, there can be found all the installation paths for all the program’s files.

During operation, Green Dam installs the following modules:
Drivers: C:Windows\system32\Drivers\mgtaki.sys
Service: C:Windows\MPSvcC.exe
Launch: C:Windows\system32\xnet2.exe

After Green Dam converts the password using the MD5 algorithm, it saves it in text format within the kwpwf.dll file located in the C:\WINDOWS\system32 directory. When opened using Notepad, if the content is then replaced with “D0970714757783E6CF17B26FB8E2298F” and saved, the password can then be restored to the original “112233″.

Within Green Dam installation file xnet2_lang.ini, one line reads: “AOption0_1117=Upon discovery of harmful information, report automatically to Jinhui Corporation.” Located in system32 in the file filtport.dat, the default content is “FreeGate/8567/tcp Urf/9666/tcp”, suggesting that this is Green Dam’s filtering file.

Green Dam updates automatically online, and the update address is: http://www.zzjinhui.com/softpatch/; found therein is a pretty woman picture http://www.zzjinhui.com/softpatch/Image0.jpg although its purpose is unknown. Following analysis by Internet users, it was discovered that the file http://www.zzjinhui.com/softpatch/kwupdate.dat is related to the filtering of keywords and URLs. Connected to that are two IP addresses: 211.161.1.134 and 203.171.236.231; the second of the IP addresses belongs to Zhengzhou Giant Computer Network Technology Co. Ltd. in Henan province. (zzidc.com.cn)

• Section 5: Performance Test and Algorithm Analysis

5.1 Image filtering
The process of image detection begins when visual data is obtaining as the image is in queue to be screened, first normalizing the image’s size, then separating areas of skin tone from those without skin tone; analysis of the relationship between areas of skin tone is followed by removal of noises, then extraction of the area’s characteristics, which are then input into a trained SVM classifier. Once the image has been deemed pornographic it is sent to a human face detector; if a human face is not the primary component, the image is then classified as pornography. The main problem with this algorithm is that recognition of pornographic images relies heavily on skin color and shape, and the final use of a human face detector in a weighted judgment is only a manual patch aimed at preventing the problematic occurrence of large faces being identified as pornography, but also the reliability of empirical weighting lacks verification.

From XFImage.xml it can be observed that Green Dam uses OpenCV’s Haar classifier in undergoing human face detection. Included with Green Dam, cximage.dll, CImage.dll, xcore.dll and Xcv.dll, also library files from OpenCV. This all suggests that Green Dam primarily uses OpenCV to process images. However, as is done with much of domestic Chinese software, Green Dam has disregarded OpenCV’s BSD license.

Jinhui Corporation has committed to an accurate image detection rate of higher than 90%, and a false detection rate of less than 7%, with the detection rate=accurate detection rate*proportion of pornographic images＋(1-false detection rate)*(1-proportion of pornographic images); with 1% of images being pornographic, the detection rate would be 93%.

5.2 Text filtering
An analysis of political content, including the filtering of Falun Gong-related content, shows that used is Beijing Dazheng Language Technology Co. Ltd.’s text filtering engine, HncEng.exe, HncEngPS.dll and SentenceObj.dll, and within data file HNCLIB/FalunWord.lib, in UTF-32LE code, aside from Falun Gong there can also be found a large glossary related to political and pornographic content.

pornographic keyword list：https://docs.google.com/View?id=ah27xz4pbz6s_22cgwh6xf7
other (mainly political) keyword list：https://docs.google.com/View?id=ah27xz4pbz6s_24c6dw27g6
government featured keyword list：https://docs.google.com/View?id=ah27xz4pbz6s_25fpx2qkhp

5.3 Application control and filtering
Green Dam controls the time minors spend online, using QQ or MSN, and playing games; by preventing overindulgence of the Internet, Green Dam effectively eliminates Internet addiction.

Testing has shown that if any word resembling “Falun Gong” is entered into either Notepad or WordPad, the application will shut down; however, typing the same characters into Paint or MSN Messenger bears no response, illustrating the incompleteness of the the program.

Possibly monitored programs (found in injlib.exe, offset 89e8H). It seems that nearly all text editors on the market (EditPlus, UltraEdit, EmEditor), office software suites (WPS, MS Office), e-mail clients, instant messaging clients and browsers, are being monitored:

editplus.exe
uedit32.exe
emeditor.exe
wordpad.exe
notepad.exe
wps.exe
wpp.exe
et.exe
powerpnt.exe
frontpg.exe
excel.exe
msaccess.exe
outlook.exe
winword.exe
mailmagic.exe
popo.exe
qqmail.exe
aixmail.exe
imapp.exe
incmail.exe
msimn.exe
dm2005.exe
foxmail.exe
googletalk.exe
miranda32.exe
imu.exe
ypager.exe
tmshell.exe
start.exe
uc.exe
icqchatrobot.exe
qq.exe
msnmsgr.exe
gsfbwsr.exe
greenbrowser.exe
touchnet.exe
theworld.exe
maxthon.exe
ttraveler.exe
netscp.exe
ge.exe
firefox.exe
opera.exe
netcaptor.exe
myie.exe
iexplore.exe
mmc.exe
regedit.exe
taskmgr.exe

5.4 Internet filtering
“Green Dam” utilizes the Winsock2 SPI port to obtain data from both sender and recipient, and through analyzing these data, obtains http data. Having obtained http data protocol and run through a URL detector, a harmful URL detector and a keyword detector, Green Dam decides based on those results whether or not image detection is needed, and through image detection, addresses of websites containing harmful information are delivered to system management.

For more information, please go to WikiLeaks to read the full document.