Schneier on Security
A blog covering security and security technology.
January 31, 2006
Bug in Google's Censorship
Seems that the censorship service that Google has set up at China's request suffers from a trivial bug: if you type your searches using capital letters, you bypass the censor.
This'll be fixed real soon, I'm sure.
Posted on January 31, 2006 at 3:00 PM
• 19 Comments
If you want to believe in the non-evilness of Google - you could spin that as a feature too.
Has anyone else wondered if Google agreed to abide by the Chinese government restrictions but is putting in the minimum effort possible to meet the restrictions, allowing several easy ways around the restrictions?
I think that the powers that be at Google intentionally allowed this to slip through - where the usefulness of the "bug" to the moral cause dwarfs its limitations / potential embarrassment. In spite of the positive impact to the revenue stream, I am sure the best engineers at Google are ashamed at having to bend backwards for the Chinese nonsense. This is a fitting reply.
I'm curious to see how quickly the Chinese will respond, and how long it will be before the relationship sours. I do believe Google is a different sort of company, and unless the Chinese show a pliable side, it is only a matter of time before there is a rift.
Those Google guys have a sense of humor too. Do a Google search on:
french military victories
Click the "I'm Feeling Lucky" button.
You realise that Google has nothing to do with that? The albinoblacksheep people put up the page and then enough people linked to it that they got top pagerank for that phrase...
(it's looking a bit dated, too — Google has evidently updated their look since they did the parody)
Remember that Google logs IP addresses for each search query they process. So this little "bug" does not mean it is safe for a Chinese citizen to exploit it to bypass the filters.
In fact, it can even make them more vulnerable if the government knows the bug and asks for IP addresses for which the "bad" search terms were queried.
I can't get to the article you linked to, but a few simple searches on google.cn pretty quickly debunk the concept that caps fixes things.
For instance, "tiananmen" and "Falun Gong" show no difference based on capitalization.
How do the filters fare with misspellings? Spammers use this tactic all the time to bypass junk email filters. Google can't possibly cover every permutation. The only thing is that "Frreedomm" won't produce as many hits as the real thing.
@Dave - follow Bruce's link. Use the two image search URLs provided on that page. There is indeed a difference (at 07:00 GMT).
@Z and Dave:
I can see no difference there, too. But I get my reply from google.COM. Guess I am redirected to a non-censored version on the basis of my (European) IP or browser setting.
I get a completely different result when I use an anonymizer such as
Then it is Families with a t and Tanks with a T...
Bruce, you have often discussed the ethics of publishing security vulnerabilities. What you are doing here is revealing a hole in the security mechanism Google has built for the Chinese government. (We can leave aside the question as to whether this hole is a deliberate act, or merely carelessness.) Do you think that publishing this vulnerability will result in the Chinese government putting pressure on Google to close this security hole, and would you regard this as a good outcome?
In this instance, Bruce is not the one who is disclosing the vulnerability (as the original publisher) -- rather, he is reporting that which has already been disclosed. So, *I* would not consider this an "irresponsible" disclosure.
Oh, and I think the bug disclosed is in fact a bug, and not a "security vulnerability".
BTW, I think that the debate around "publishing" vulnerability information in fact refers to disclosure -- once it is in the public arena, it is silly and futile to ignore it and hope nobody will notice.
And now the perpetual disclosure controversy ensues again; if only you could inform the citizens and not the watchers...
I've had pretty good luck on goole.cn by mispelling words. I don't get as many hits as I do using google.anything_not_cn, but I do get some pretty good stuff. Due know evel.
"I think that the powers that be at Google intentionally allowed this to slip through"
Of course they did. And if it'd been micro$oft you'd be ranting about their lack of ability to code something correctly.
Don't forget Google IS an American multinational company. They are driven by shareholders to screw the rest of the world over in the chase for $$$$
I'm sure this was a mistake, but it does put Google in an interesting position.
Essentially, every time something like this happens, the threat will come from the Chinese to fix it - to increase the effectiveness of the censorship - or be cut off. Every time, Google will give in, of course. It puts Google in the position of developing ever-more-effective and easy-to-use tools for government censorship. Censorship isn't a one-off, it's a process, and Google just got heavily involved in it - I'm not saying, ultimately, for good or ill - just that they are in that business now.
"But is Google censoring content in the US also?"
Apparently not. They're allowing Google Video users to choose which countries their videos can be viewed in.
Is Google censoring in the US also? Google de-indexed SpaceWar.com for a number of days for an as yet unknown reason (to me).
SpaceWar reports on the latest publicly available info about military/aerospace technology worldwide and pays some particular attention to Chinese advancements in this area. As of Feb. 25, 2006 it has been re-indexed by Google maybe in part due to public uproar over the matter. Infowars.com tipped me off to this little news item and I am pleased to have confirmed its validity.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.