Software theft hits Solid Oak
Brian Milburn, founder of Santa Barbara-based Solid Oak Software, thought it was going to be a slow Friday, that he might take off early. Instead, he ended up in the middle of an international debate over Internet censorship in the world’s most populous country.
On June 12, Milburn learned that fragments of his company’s software, CyberSitter, had been found in Green Dam, an Internet filtering program that the Chinese government will require to ship with all new personal computers sold there starting July 1.
“I knew about the Green Dam thing and thought to myself, ‘Gee, that would have been a good contract to get,’ ” Milburn told the Business Times. “I came to find out we got the contract. We just didn’t get paid.”
Solid Oak has 15 employees. A team of researchers at the University of Michigan uncovered the chunks of stolen code in a study showing serious security concerns with Green Dam, which will hit a country with 250 million Internet users. The Chinese software included proprietary lists of banned sites from Solid Oak and even references to the Santa Barbara firm’s update servers.
J. Alex Halderman, an assistant professor of electrical engineering and computer science at the university, said it doesn’t appear Solid Oak’s code is the source of Green Dam’s security vulnerabilities. But the pilfering was clear, Halderman said. Often even the file names were identical.
“There’s even a file that must have looked like a blacklist but was actually a newsletter,” Halderman told the Business Times. “This is almost a little press release from CyberSitter, but it appears in a file that must have looked like a blacklist. It appears verbatim in the Green Dam program.”
There are other signs the code was stolen, Milburn said.
“One of the filters in Green Dam is an old one that we no longer distribute. It was for [Japanese cartoon character] Pokémon,” Milburn said. “Some of the Pokémon sites weren’t really Pokémon sites — they were anime porn. We had Japanese parents who didn’t want their kids searching for Pokémon, and the filter was only provided because they requested we do that for the Japanese market.”
Milburn said he spent the better part of Friday and Saturday with one of his engineers, trying to make sure the Green Dam similarities weren’t an honest mistake.
“Within three hours of seeing what was done, I couldn’t believe how blatant it was,” Milburn said. “We wanted to make darn sure this wasn’t an error on their part, but it wasn’t. It was just blatant piracy.”
Milburn said he hasn’t contacted Jinhui Computer System Engineering Co., the Chinese maker of the Green Dam software, because after seeing the company’s public comments, he doubts it would have much effect. When the Wall Street Journal confronted the firm with Milburn’s allegations, its founder replied: “That’s impossible.”
The computers slated to ship with Green Dam will probably be manufactured in China and only sold in China. That places any claim from Solid Oak in the Chinese legal system, said Steven Sereboff, an intellectual property attorney with Westlake Village’s SoCal IP Law Group.
“It’s definitely challenging to pursue pirates in China,” Sereboff said. “Certainly for smaller companies, with less resources, it’s all the more challenging.”
For his part, Milburn is mulling his legal options.
“We’re just a small company,” Milburn said. “We’re not equipped to sue China, nor do we want to waste our time. We’ve got to make a living.”
But Milburn said he’s received offers for free legal representation from Chinese lawyers connected to that country’s democracy movement.
“One of the things that works in our favor is that [Green Dam] is a tremendously unpopular idea in China,” Milburn said. “It’s ironic that the Chinese government is trying to make the computing experience healthy for its people but they’re stealing to do it. A lot of the proponents of free speech in China see this as a big opportunity to embarrass the Chinese government and get them to back down from this. Someone told us in an e-mail that we would be heroes in the Chinese democracy movement.”
Political implications aside, Green Dam poses a serious security threat, said Halderman, the University of Michigan researcher. The program’s holes would let any Web site take control of the user’s computer, potentially enlisting it in a botnet, an army of computers infected with clandestine code that directs them to attack. Given the size of China’s markets, that could be enough machines to wreak global havoc on the Internet, and the program requires deeper fixes than the two weeks until its launch can allow.
“The thinking about this is that if the [Chinese] government wanted a back door into people’s computers, they’d want one only they could access, not one that common criminals could access,” Halderman said. “Green Dam weakens computer security in China. That’s why we’re concerned.”