<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>BanThisURL</title>
	<atom:link href="http://www.banthisurl.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.banthisurl.com</link>
	<description>Examining Censorship in Australia</description>
	<pubDate>Wed, 14 Jan 2009 02:22:13 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
	<language>en</language>
			<item>
		<title>Sex and IT: together at last</title>
		<link>http://www.banthisurl.com/2009/01/sex-and-it-together-at-last/</link>
		<comments>http://www.banthisurl.com/2009/01/sex-and-it-together-at-last/#comments</comments>
		<pubDate>Wed, 14 Jan 2009 02:22:13 +0000</pubDate>
		<dc:creator>Kathryn Small</dc:creator>
		
		<category><![CDATA[Uncategorised]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=197</guid>
		<description><![CDATA[Rodney Gedda from Techworld wrote an interesting article today about the newfound relationship between IT and the sex industry.  He writes that the two have bonded over the Government&#8217;s proposed net filtering scheme, which they say will harm the industry:

“In meetings I had with Senator Conroy last year he indicated that they had no intention [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Rodney Gedda, Techworld" href="http://www.techworld.com.au/author/1626109420/rodney_gedda/articles" target="_blank">Rodney Gedda</a> from <a title="Techworld" href="http://www.techworld.com.au" target="_blank">Techworld</a> wrote an interesting article today about the <a title="Strange Bedfellows: Sex and IT unite to stop net censorship" href="http://www.techworld.com.au/article/273031/strange_bedfellows_sex_it_unite_stop_net_censorship?pp=2" target="_blank">newfound relationship between IT and the sex industry</a>.  He writes that the two have bonded over the Government&#8217;s proposed net filtering scheme, which they say will harm the industry:</p>
<blockquote>
<p class="storybody">“In meetings I had with Senator Conroy last year he indicated that they had no intention of banning non-violent erotica or X-rated material,” Patten said. “But that is not the case — the ACMA Web site lists the types of material that will &#8216;qualify&#8217; for the blacklist. This includes material that would be rated X (18+).</p>
<p class="storybody">“&#8230; They also state that the blacklist will only contain 10,000 sites. One wonders how they will choose from the millions of sexually explicit sites out there,” Patten said.</p>
<p class="storybody">As for child pornography that is already deemed illegal, the Sex Party believes the filter will not reduce the amount of child abuse material out there because it is generally only available via P2P networks.</p>
<p class="storybody">“I would like to see them spending more of their resources on catching the bastards that are creating this material,” Patten said.</p>
</blockquote>
<p class="storybody">Read more of this article <a title="Strange Bedfellows: Sex and IT unite to stop net censorship" href="http://www.techworld.com.au/article/273031/strange_bedfellows_sex_it_unite_stop_net_censorship?pp=1" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2009/01/sex-and-it-together-at-last/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Filter wrap up: post break edition</title>
		<link>http://www.banthisurl.com/2009/01/filter-wrap-up-post-break-edition/</link>
		<comments>http://www.banthisurl.com/2009/01/filter-wrap-up-post-break-edition/#comments</comments>
		<pubDate>Sat, 10 Jan 2009 01:45:21 +0000</pubDate>
		<dc:creator>Sören Pischon</dc:creator>
		
		<category><![CDATA[Censorship]]></category>

		<category><![CDATA[roundup]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=180</guid>
		<description><![CDATA[All has been quiet in the tech world in the last few weeks thanks to Christmas. However with CES well and truly under way things have been shocked back into action, as has people&#8217;s attention on Australia&#8217;s proposed internet filter and censorship around the world.

Australia
Crikey &#124; The world smirks at Conroy&#8217;s censorship plan
Adelaide Now &#124; [...]]]></description>
			<content:encoded><![CDATA[<p>All has been quiet in the tech world in the last few weeks thanks to Christmas. However with CES well and truly under way things have been shocked back into action, as has people&#8217;s attention on Australia&#8217;s proposed internet filter and censorship around the world.</p>
<p><span id="more-180"></span></p>
<p><em>Australia</em></p>
<p><strong>Crikey |</strong> <a title="Crikey" href="http://www.crikey.com.au/Politics/20090109-Brooklyn-Law-School-study-highlights-net-censorship-problems.html" target="_blank">The world smirks at Conroy&#8217;s censorship plan</a><br />
<strong>Adelaide Now | </strong><a title="Adelaide Now" href="http://www.news.com.au/adelaidenow/story/0,22606,24876765-5006301,00.html" target="_blank">Why Kevin Rudd&#8217;s internet censorship plan will not work</a><br />
<strong>Brooklyn Law School | </strong><a title="Brooklyn Law School" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1319466" target="_blank">Filtering in Oz: Australia&#8217;s foray into internet censorship</a><br />
<strong>News.com.au |</strong> <a title="News.com.au" href="http://www.news.com.au/technology/story/0,28348,24833959-5014239,00.html" target="_blank">Internet filtering plan may extend to P2P traffic</a><br />
<strong>ABC News |</strong> <a title="ABC News" href="http://www.abc.net.au/news/stories/2008/12/24/2454789.htm" target="_blank">Net filtering trial delay &#8216;another bungle&#8217;</a></p>
<p><em>The rest of the world</em></p>
<p><strong> </strong><strong>DailyTech |</strong> <a title="DailyTech" href="http://www.dailytech.com/2009+The+Year+of+the+Thought+Criminal/article13871c.htm" target="_blank">2009: The year of the thought criminal</a><br />
<strong>SMH |</strong> <a title="SMH" href="http://www.smh.com.au/news/technology/web/china-threatens-massive-internet-crackdown/2009/01/06/1231003981951.html" target="_blank">China threatens massive internet crackdown</a><br />
<strong>AAP |</strong> <a title="AAP" href="http://www.bloomberg.com/apps/news?pid=20601080&amp;sid=ai9P4mvdpLOE&amp;refer=asia" target="_blank">Thailand blocks 2,300 web sites it says insults King Bhumibol</a><br />
<strong>Huffington Post |</strong> <a title="Huffington Post" href="http://www.huffingtonpost.com/michael-a-santoro-and-wendy-goldberg/chinese-internet-censorsh_b_156212.html" target="_blank">Fair trade suffers when China censors the internet</a><br />
<strong>PC World Canada |</strong> <a title="PC World Canada" href="http://www.pcworld.ca/news/column/bb830f92c0a8000601afdbbbcc1563a2/pg0.htm" target="_blank">Beating internet censorship - the Canadian way</a><br />
<strong>Belfast Telegraph |</strong> <a title="Belfast Telegraph" href="http://www.belfasttelegraph.co.uk/lifestyle/technology-gadgets/when-internet-censorship-goes-too-far-14117746.html" target="_blank">When internet censorship goes too far</a><br />
<strong>APC |</strong> <a title="APC" href="http://apcmag.com/us_dumps_unpopular_internet_filter_plan.htm" target="_blank">US dumps unpopular internet filter plan</a><br />
<strong>Broadband Reports |</strong> <a title="Broadband Reports" href="http://www.broadbandreports.com/shownews/UK-Eyes-Website-Rating-System-Filters-99904" target="_blank">UK eyes website rating system, filters</a><br />
<strong>ZDNet AU |</strong> <a title="ZDNet AU" href="http://www.zdnet.com.au/news/communications/soa/UK-Wikipedia-censorship-easy-to-evade-/0,130061791,339293781,00.htm" target="_blank">UK Wikipedia censorship easy to evade</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2009/01/filter-wrap-up-post-break-edition/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Senator Conroy delays trials after secret net filtering report goes public</title>
		<link>http://www.banthisurl.com/2008/12/secret-report-leaked-to-media/</link>
		<comments>http://www.banthisurl.com/2008/12/secret-report-leaked-to-media/#comments</comments>
		<pubDate>Tue, 23 Dec 2008 09:03:13 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Technology]]></category>

		<category><![CDATA[live trials]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=168</guid>
		<description><![CDATA[Senator Conroy&#8217;s office has responded to Asher Moses&#8217; accusation of &#8220;fatal flaws&#8221; in Conroy&#8217;s internet filtering plan, printed in Fairfax Media publications The Sydney Morning Herald and The Age.
At the centre of the debate is a secret report commissioned by the Howard Government and produced by the Internet Industry Association, which cited many reasons why [...]]]></description>
			<content:encoded><![CDATA[<p>Senator Conroy&#8217;s office has responded to <a href="http://www.smh.com.au/news/technology/web/fatal-flaws-in-website-censorship-plan/2008/12/22/1229794328860.html" target="_blank">Asher Moses&#8217;</a> accusation of &#8220;fatal flaws&#8221; in Conroy&#8217;s internet filtering plan, printed in Fairfax Media publications <em><a href="http://www.smh.com.au">The Sydney Morning Herald</a></em> and <em><a href="http://www.theage.com.au" target="_blank">The Age</a></em>.</p>
<p>At the centre of the debate is a <a href="http://www.dbcde.gov.au/communications_for_consumers/funding_programs__and__support/cyber-safety_plan/internet_service_provider_isp_filtering" target="_blank">secret report commissioned by the Howard Government</a> and produced by the Internet Industry Association, which cited many reasons why internet filtering was &#8220;definitely not going to be workable&#8221; and &#8220;fundamentally just not viable&#8221;.<span id="more-168"></span></p>
<p>In the wake of the story, the secret report has been released on the Department of Broadband, Communications and the Digital Economy&#8217;s website.</p>
<p>In his press release, Senator Conroy goes to pains to point out that the report was not an analysis of ALP policy. Rather, he emphasises that it was commissioned by the previous Howard Government &#8220;at the instigation of the Internet Industry Association&#8221; and that &#8220;it involved no empirical testing of filtering technology&#8221;.</p>
<p>He reiterates his oft-quoted statement that the government is committed to a test to &#8220;provide evidence on the real world impacts of ISP content filtering&#8221; and still implies that internet censorship of some sort will take place.</p>
<p>The release also notes that the live trials, which were scheduled to start tomorrow (Wednesday 24 December), &#8220;will not begin until mid-January and an announcement regarding participants will be made at that time&#8221;.</p>
<p><a href="http://www.dbcde.gov.au/communications_for_business/industry_development/digital_economy/future_directions_blog" target="_blank">Senator Conroy&#8217;s blog</a>, which closes for comments at 3pm tomorrow (24th of December), made no mention of the Internet Industry Association&#8217;s report.</p>
<p>BanThisURL is currently reading the report and will have an analysis online shortly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/secret-report-leaked-to-media/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Thailand&#8217;s blacklist leaked on the internet</title>
		<link>http://www.banthisurl.com/2008/12/thailands-blacklist-leaked-on-the-internet/</link>
		<comments>http://www.banthisurl.com/2008/12/thailands-blacklist-leaked-on-the-internet/#comments</comments>
		<pubDate>Mon, 22 Dec 2008 03:30:03 +0000</pubDate>
		<dc:creator>Kathryn Small</dc:creator>
		
		<category><![CDATA[Censorship]]></category>

		<category><![CDATA[Technology]]></category>

		<category><![CDATA[blacklist]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=163</guid>
		<description><![CDATA[Thailand&#8217;s blacklist of newly-banned websites &#8212; all accused of lese majeste, or criticising the King &#8212; has been leaked to whistleblower site Wikileaks.
The list contains over 1200 websites with entries as eclectic as Hillary Clinton&#8217;s campaign videos on YouTube, 24 Charlie Chaplin videos and The Economist newsmagazine.
&#8220;It is obvious that many sites were blocked for [...]]]></description>
			<content:encoded><![CDATA[<p>Thailand&#8217;s blacklist of newly-banned websites &#8212; all accused of <em>lese majeste</em>, or criticising the King &#8212; has been leaked to whistleblower site Wikileaks.</p>
<p><a title="Thailand official MICT censorship list, 20 Dec 2008" href="http://wikileaks.org/wiki/Thailand_official_MICT_censorship_list%2C_20_Dec_2008" target="_blank">The list contains over 1200 websites</a> with entries as eclectic as Hillary Clinton&#8217;s campaign videos on YouTube, 24 Charlie Chaplin videos and <em>The Economist</em> newsmagazine.</p>
<p>&#8220;It is obvious that many sites were blocked for quite different reasons. It would appear, in fact, that the judiciary did not examine most sites before issuing orders but instead rubber-stamped government requests,&#8221; said a Wikileaks spokesperson in a statement.</p>
<ul>
<li><a title="- 1,203 new websites censored by Thailand" href="http://wikileaks.org/wiki/SJ" target="_blank">Read the press statement</a></li>
<li><a title="Thailand official MICT censorship list, 20 Dec 2008" href="http://wikileaks.org/wiki/Thailand_official_MICT_censorship_list%2C_20_Dec_2008" target="_blank">Read the full list of blocked sites</a></li>
</ul>
<p>The ban covers weblogs referencing Paul Handley&#8217;s unauthorised biography of Thailand&#8217;s King Bhumibhol, <em>The King Never Smiles</em>, and its translation into Thai, along with Thai Wikipedia entries.</p>
<p>The webpages of Thai Buddhist social critic Sulak Sivaraska, and Thai journalist Matthew Hunt, are also blocked.</p>
<p>Wikileaks called on Thailand&#8217;s new Minister of Information and Communication Technology, Ranongruk Suwanchawee, to be accountable for censorship.</p>
<p>&#8220;Typically, web censorship in Thailand is conducted in secret. We think there is a right to know inherent in a free society. We call for transparency and accountability in government and freedom of expression, freedom of communication and freedom of association as fundamental human rights.&#8221;</p>
<p><em>With thanks to <a title="Twitter / stephenedgar" href="http://twitter.com/stephenedgar" target="_blank">Stephen Edgar</a> for the link.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/thailands-blacklist-leaked-on-the-internet/feed/</wfw:commentRss>
		</item>
		<item>
		<title>SAGE-AU tells Conroy: we can&#8217;t support net filters</title>
		<link>http://www.banthisurl.com/2008/12/sage-au-tells-conroy-we-cant-support-net-filters/</link>
		<comments>http://www.banthisurl.com/2008/12/sage-au-tells-conroy-we-cant-support-net-filters/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 05:45:50 +0000</pubDate>
		<dc:creator>Kathryn Small</dc:creator>
		
		<category><![CDATA[Open letters]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=152</guid>
		<description><![CDATA[In a detailed open letter to Senator Conroy, the System Administrators Guild of Australia (SAGE-AU) said today that it couldn&#8217;t support the proposed net filtering scheme on technical grounds.
As the representative body for over 1,000 Australian system administrators, SAGE-AU represents &#8220;the poor bunnies who have to implement&#8221; the net filtering scheme, president Donna Ashelford told [...]]]></description>
			<content:encoded><![CDATA[<p>In a detailed open letter to Senator Conroy, the <a title="System Administrators Guild of Australia" href="http://www.sage-au.org.au" target="_blank">System Administrators Guild of Australia</a> (SAGE-AU) said today that it couldn&#8217;t support the proposed net filtering scheme on technical grounds.</p>
<p>As the representative body for over 1,000 Australian system administrators, SAGE-AU represents &#8220;the poor bunnies who have to implement&#8221; the net filtering scheme, <a title="Heated debate at Internet Filtering Forum" href="http://www.banthisurl.com/2008/12/heated-debate-at-internet-filtering-forum/" target="_blank">president Donna Ashelford told a conference</a> last month.</p>
<p>With just days to go until closed testing begins, SAGE-AU&#8217;s letter to Senator Conroy comprehensively examines the technical issues that still haven&#8217;t been addressed by Senator Conroy&#8217;s office. Read on for the full text of their letter.</p>
<p><em>December 18, 2008</em></p>
<p><em>The Hon. Senator Stephen Conroy</em></p>
<p><em>Minister for Broadband, Communications and the Digital Economy</em></p>
<p><em>Parliament House, Canberra</em></p>
<p>Dear Minister:</p>
<p><strong>Re. SAGE-AU opposition to the proposed Internet filtering initiative </strong></p>
<p>As the representative organisation for Australian system administrators, SAGE-AU is writing to state that it is unable to support the Federal Government&#8217;s proposed Internet filtering initiative and to outline the significant concerns that inform SAGE-AU&#8217;s position on this issue.</p>
<p>The System Administrators Guild of Australia (SAGE-AU) represents professional system administrators across Australia. System administrators are the technical people behind commercial networks and computing systems, large and small. Accordingly, we believe SAGE-AU is in an excellent position to contribute to the discussion of the technical issues with your Department&#8217;s proposed network filter. Our Code of Ethics [1] requires that we communicate with users regarding computing issues likely to affect them; and thus we feel it essential that we explain these issues to you. We trust that you will find this letter helpful.</p>
<p><strong>The proposed Internet filter cannot achieve its stated goal</strong></p>
<p>In summary, the current proposals &#8212; to be trialled by commercial ISPs including Optus [2] for potential mandatory implementation &#8212; cannot and will not achieve the stated goal of providing safer Internet access for all Australians. Moreover, the trial, and any subsequent implementation, cannot and will not have any impact on any illegal activities being undertaken on the Internet.</p>
<p>There are several inherent flaws with the filters as proposed. The evidence of this is in the Australian Communications and Media Authority&#8217;s own report on the matter [3]. The ACMA noted that filters were incapable of dealing with traffic utilising communication protocols other than HTTP (traditional &#8220;web&#8221; traffic). However, several major Internet Service Providers report that HTTP traffic now consists of less than 50 per cent of a typical day&#8217;s Internet use. There are also concerns with the performance of the filters, both in terms of reliability, and in terms of speed.</p>
<p><strong>Fast-functioning filters block one in 12 legitimate websites</strong></p>
<p>The worst performing in terms of filtering capability were the fastest in terms of network traffic throughput; the fastest resulted in a two per cent slowdown under test conditions, but blocked eight per cent - or one in twelve - of the legitimate websites tested. This level of unreliability would result in every Australian Internet user being denied access to legitimate websites on a daily basis. This filter also failed to detect twelve per cent of the illegal content against which it was tested; an unacceptably large failure rate if the intention is to stop access to illegal or unwanted content.</p>
<p><strong>Slow filters decrease Internet speeds by as much as 87 per cent</strong></p>
<p>The converse is also true. The most effective filter decreases performance against the baseline by 87 per cent. This is an unacceptable performance reduction for modern Internet users. However, even this filter was still unable to detect three per cent of the illegal content presented to it, and blocked one per cent of the legitimate websites presented to it.</p>
<p>An application of Bayes&#8217; Theorem shows that even for the most generous interpretation of the filters&#8217; accuracy, the chance of a randomly selected page actually containing unwanted material when it is blocked is only 55%; the remaining blocked pages will be collateral damage and contain no such illegal material. [4]</p>
<p><strong>DBCDE testing mechanisms do not reflect actual patterns of internet use</strong></p>
<p>The testing mechanisms proposed [5] by the Department of Broadband, Communications, and the Digital Economy are also of concern. These methods do not reflect the use patterns of the regular Internet-using population, so the results are unlikely to be unrepresentative.</p>
<p>The testing framework also explicitly ignores connection speeds above 12Mbps. This is troubling, as your Government&#8217;s own Next-Generation Broadband Network plans call for 12Mbps or faster connection speeds to 98 per cent of Australians; failing to test the filter under these conditions is short-sighted at best.</p>
<p>The testing framework further fails to adequately address the following questions:</p>
<ol>
<li>Exactly how much performance degradation, both in terms of added latency and reduced bandwidth would be considered &#8220;acceptable&#8221; for the purposes of the trial?</li>
<li>Exactly which protocols are to be inspected and potentially blocked by the filter, and under what circumstances?</li>
<li>During the trial, will there be any method of community oversight of the blocking lists to ensure that unreasonable overblocking is not occurring? If a plan for oversight exists, exactly who will be involved in this oversight?</li>
<li>What recourse will exist for businesses and other website holders who host legitimate and &#8220;wanted&#8221; content when it is found that their sites are being blocked?</li>
<li>For both the purposes of this trial and for any future filtering, will website owners be notified of their inclusion in the &#8220;unwanted&#8221; or &#8220;not safe for children&#8221; lists?</li>
<li>If a business or other website owner suspects that their website is mistakenly being blocked, is there (or will there be) a way to confirm it? Will there be a method to resolve matters such that such pages (if legitimate) are no longer blocked?</li>
<li>For any user trials, will there be a way to distinguish between a site being unavailable due to other issues and a site being unavailable due to it being blocked? Will there be a way for any user to request that a page that is being blocked be reconsidered for such cases where the page may be misclassified?</li>
<li>Can you define &#8220;unwanted content&#8221; and promise that any filter will not be subject to scope-creep where &#8220;unwanted content&#8221; expands to cover more and more things without public input?</li>
<li>What criteria will be utilised to determine the success or otherwise of this trial?</li>
</ol>
<p><strong>Problems with filter list maintenance</strong></p>
<p>SAGE-AU also has concerns about how the filtering list will be maintained. On one hand, illegal website owners are suspected of changing their internet information regularly to avoid being found by law enforcement, so the list will need to be updated daily - in some cases, hourly - in order to be effective. On the other hand, due to the list&#8217;s exemption from Freedom of Information requests and other public review, no mechanism exists to ensure that legal and child-safe sites are not accidentally blocked. In fact, website owners will be unable to confirm whether website issues are due to the filter or other technical reasons.</p>
<p>The test framework refers to the blacklist as containing a &#8220;majority of [...] material that would likely be classified RC by the Classification Board&#8221;, but does not state whether the Classification Board will have input into the filtered content&#8217;s actual classification level.</p>
<p><strong>SAGE-AU suggests alternative use of funds allocated for proposed Internet filtering system</strong></p>
<p>None of these issues have, to date, been addressed by the Department of Broadband, Communications, and the Digital Economy, by the Australian Communications and Media Authority or by Enex TestLab as appropriate. As such, SAGE-AU cannot support the proposed trial or any future implementation of this style of mandatory filtering scheme.</p>
<p>We instead suggest that a better use of public monies earmarked to fund any trial or future implementation would instead be to make them available to the Australian Federal Police, specifically the Online Child Sex Exploitation Team and/or the Australian High-Tech Crime Centre.</p>
<p>Rather than unsuccessfully attempting to filter undesirable material in transit, it would be a more effective use of public funds to support law enforcement in preventing the creation and consumption of this material at its end points, just as is the case for all traditional carriage services.</p>
<p>We, and our members, look forward to your reply.</p>
<p>Yours faithfully</p>
<p>Donna Ashelford</p>
<p>on behalf of SAGE-AU and the SAGE-AU Committee of Management</p>
<p>[1] SAGE-AU Code of Ethics. Accessed Sunday, 7 December, 2008 from SAGE-AU web site:</p>
<p><a href="http://www.sage-au.org.au/display/SAGEAU/Code+of+Ethics" target="_blank">http://www.sage-au.org.au/display/SAGEAU/Code+of+Ethics</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/sage-au-tells-conroy-we-cant-support-net-filters/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Interview with a white hat hacker, Part 3: What machines can&#8217;t judge and why</title>
		<link>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-3-what-machines-cant-judge-and-why/</link>
		<comments>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-3-what-machines-cant-judge-and-why/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 01:11:04 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Interviews]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=149</guid>
		<description><![CDATA[This is the third and final part of a lengthy interview with Matthew Strahan, a computer security professional with Securus Global.
To read the interview from the beginning, click here.

BanThisURL: How hard is it for a machine to pick whether an image is or isn&#8217;t pornography?
Matthew Strahan: Usually you&#8217;d just look at the context of the site. Most porn [...]]]></description>
			<content:encoded><![CDATA[<p>This is the third and final part of a lengthy interview with Matthew Strahan, a computer security professional with <a href="http://securusglobal.com/"><span style="color: #cc0000;">Securus Global</span></a>.</p>
<p>To read the interview from the beginning, <a href="http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/"><span style="color: #cc0000;">click here</span></a>.</p>
<p><em><span id="more-149"></span></em></p>
<p><em>BanThisURL</em>: How hard is it for a machine to pick whether an image is or isn&#8217;t pornography?<br />
<em>Matthew Strahan</em>: Usually you&#8217;d just look at the context of the site. Most porn images have words like &#8220;hot&#8221; or &#8220;porn&#8221; around them. If someone simply removes that context though and doesn&#8217;t use any of those words, which would probably be the case for the illegal images, image detection becomes an extremely hard thing to do. One of the best ways of doing image detection is through a neural network, which is basically having a computer that learns &#8212; you show it existing images and say “that’s good or bad” and the computer will slowly learn from your example. What it comes down to though is that there is absolutely no automated way of determining if a picture is a child pornography picture without having someone previously seeing a copy of that picture and classifying it. Computers can’t reliably tell how old a girl is.</p>
<p>Even then, here the analysis has to be extremely quick.</p>
<p><em>BTURL</em>: How long does analysis normally take?<br />
<em>MS</em>: It depends how fast the computer you&#8217;re scanning it with is. But most quick pornography detection systems use skin tones. They try to see how much bare flesh there is in the picture and then flag it as a possible pornography picture if it’s over a certain amount. That obviously can’t work on the internet because, for instance, a girl in a bikini would be showing a lot of skin. It’s definitely a process that requires human verification. It’s not feasible to do automated image processing here.</p>
<p><em>BTURL</em>: Has there been any progress in video detection?<br />
<em>MS</em>: I’m sure there are good detection algorithms out there, but there’s no way that they’ll be able to do it in the ten milliseconds required.</p>
<p>Say you’ve got a streaming video: the video has to stream. The video detection has to be done within the time it takes to buffer the video, which is maybe half a second. Less. I’d say after half a second users would definitely start complaining. It’s a huge issue that’s not going to be solved. So the chances of them doing image processing or video processing &#8212; they’re not going to do it.</p>
<p><em>BTURL</em>: How do you think they would do it, because this is what’s being proposed for the second tier filter?<br />
<em>MS</em>: I would say that the only way that they could do it at the moment at the speed required is to do a hash of the images, which is easy. They’d probably use an MD5 hash.</p>
<p><em>BTURL</em>: So what does this mean?<br />
<em>MS</em>: It basically means that they have a repository of images that they find bad and have a representation of each bad image in a database.</p>
<p><em>BTURL</em>: They’d have to examine every single photo manually and log them as inappropriate and compare requests to a database?<br />
<em>MS</em>: Yes. That&#8217;s really the only way of doing it. If they’re doing any other automated image processing in the content filtering, the number of false positives will be enormous, and so [will] the number of false negatives. Image processing is not really feasible.</p>
<p><em>BTURL</em>: I remember seeing some image detection software flagging a photo of a Halloween pumpkin as porn.<br />
<em>MS</em>: And that’ll be because of the orange in the picture. It’d be mistaking the orange for skintone.</p>
<p>So basically, for instance, China does its filtering by a blacklist of URLs. And the content filtering is just through text, not images &#8212; it might have changed recently, but it was like that the last time I checked it out.</p>
<p><em>BTURL</em>: Do you think that there’s any feasible way that this system can be implemented?<br />
<em>MS</em>: And work?</p>
<p><em>BTURL</em>: Yes, and work.<br />
<em>MS</em>: Well, the best case of filtering is China. The filter we’re implementing is pretty much the same sort of system as China’s great firewall. China’s one works to an extent. If you are in China and really want to get something from the outside the filter won&#8217;t be able to stop you. Any of the stuff I’ve talked about, like proxies or SSH tunnels, will get past the Chinese filter.</p>
<p>The Chinese filter only works as well as it does because the people think that the filter is a good thing. Say for instance you’ve got a group of Chinese children. They won’t know anything about Tiananmen Square. They won’t even want to know anything about Tiananmen Square, because they think that that’s unpatriotic to know. It’s self-censorship in that regard. The Chinese firewall works because the citizens don’t attempt to bypass it &#8212; even though there’s so many ways to.</p>
<p>Now I don’t think you’ll have this situation in Australia. In fact I think it’ll be the opposite &#8212; you’ll have normal people learning all the ways to bypass it just because they can. Especially children. I mean you had the NetAlert software that took, what, 45 minutes to disable from a kid just wanting to know how to turn it off. And that was just disabled through taking down the process. It’s a pretty simple thing.</p>
<p>This is also a pretty simple thing to bypass. You’re going to have kids wanting to bypass it just because they can.</p>
<p><em>BTURL</em>: What kind of performance impact have you seen on the net filters that you’ve tested?<br />
<em>MS</em>: There’s no set performance impact. If you get the specs to the filters, then they’ll have the latency, so a more expensive filter will have a lower latency. It’d just be higher bandwidth on either pipe coming out and a faster computer. But usually they’re trying to aim for under something like ten milliseconds.</p>
<p><em>BTURL</em>: Is there anything else you&#8217;d like to say before we end the interview?<br />
<em>MS</em>: If they’re doing blacklisting of the domains and URL filtering then that can be easily bypassed by changing the URL or changing the domain. If they’re doing content filtering, that can be easily bypassed by even subtly manipulating the content.</p>
<p>For instance, for antivirus scanning there was a competition called &#8220;Race to Zero&#8221; that was at Defcon this year. It wasn’t really all that difficult for them to manipulate the viruses so they would pass the anti-virus scan. Again it wouldn’t be very difficult to manipulate the content so that it passes the content filters.</p>
<p><em>BTURL</em>: So if you had an image that didn’t pass a content filter, all you’d have to do is change a pixel for the hash to differ and for it to pass the content filter?<br />
<em>MS</em>: Yeah, pretty much. Or if it has image processing, then all you need to do is to keep subtly changing the image until it passes. Or simply crop it. Any of these things will be able to pass the filter.</p>
<p>The filtering will not ever be able to be comprehensive. Anyone can change the address or the content of their internet site so they will get past the filters.</p>
<p>Just having the blacklist at every single ISP is an idea I don&#8217;t like.</p>
<p><em>BTURL</em>: Does it put too much risk on the ISPs?<br />
<em>MS</em>: It puts too much risk on the Government. If the blacklist is released, and let’s face it, there would be so many people who would want to publish the blacklist &#8212; there would be news organisations who would want to publish the blacklist &#8212; then there would be a big backlash. And then you can think of it as a list of everything that is deviant about the internet. A lot of people want that list. So the list is something that would be at a huge risk of leaking.</p>
<p>Content filters aren’t easy to implement for a connection as large as Australia’s outgoing connections to the rest of the world. You’re talking about terabytes per second. When I was saying latency, I was talking about Gigabytes per second. I think that an ISP might have a 100TB/s pipe. Putting a content filter on that is not something you do in your spare time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-3-what-machines-cant-judge-and-why/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Interview with a white hat hacker, Part 2: The filters&#8217; vulnerabilities</title>
		<link>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-2-the-filters-vulnerabilities/</link>
		<comments>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-2-the-filters-vulnerabilities/#comments</comments>
		<pubDate>Thu, 18 Dec 2008 06:47:13 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Interviews]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=137</guid>
		<description><![CDATA[This is the second part of a long interview with Matthew Strahan, a computer security professional with Securus Global.
To read the interview from the beginning, click here. The final part will be posted tomorrow.

BTURL: Let’s get back to the filter boxes. There are two tiers at the moment, one of which is going to filter against a blacklist, and [...]]]></description>
			<content:encoded><![CDATA[<p>This is the second part of a long interview with Matthew Strahan, a computer security professional with <a href="http://securusglobal.com/">Securus Global</a>.</p>
<p>To read the interview from the beginning, <a href="http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/">click here</a>. The final part will be posted tomorrow.</p>
<p><span id="more-137"></span></p>
<p>BTURL: Let’s get back to the filter boxes. There are two tiers at the moment, one of which is going to filter against a blacklist, and the other will filter by content and examine web pages dynamically. What hardware would these boxes run on, and would they just be a <a href="http://www.redhat.com/">Red Hat</a> distribution with proprietary software on them?</p>
<p>MS: Pretty much yes. At Securus Global, we’ve done a lot of testing of these sorts of appliances. They tend to be quite old <a href="http://en.wikipedia.org/wiki/Linux">Linux</a> boxes. And because they’re <a href="http://en.wikipedia.org/wiki/Computer_appliance">appliances</a> &#8212; and by appliances I mean a branded box given to the people by the manufacturer &#8212; they’re usually not patched by the people who are running them since they don&#8217;t understand the appliances are just Linux boxes. So they tend to have really, really stupid security vulnerabilities.</p>
<p> </p>
<p>BTURL: So we’re essentially looking at a single purpose computer that’s running behind on its Windows updates?</p>
<p>MS: Some don’t even have a way to update them.</p>
<p> </p>
<p>BTURL: But they’re still addressable as computers?</p>
<p>MS: They are computers. Usually it’ll be just an Intel box.</p>
<p> </p>
<p>BTURL: And the intelligence of them is the software that runs on them that’s been written by the manufacturer?</p>
<p>MS: Yes. They might have special hardware in them like four network ports in them or redundant power or something like that, but all in all it’s just a computer. You can, if you want, just make your own Intel box with the same hardware that’s inside the appliance and run the software through that.</p>
<p> </p>
<p>BTURL: Given that these boxes are essentially computers running old unpatched operating systems, are you worried that the blacklist will leak?</p>
<p>MS: It probably will. If you’ve got a blacklist, by its nature it has to be at every ISP &#8212; even the small regional ones. If they don‘t have it at every ISP then they have nothing to filter. They could have some sort of fancy updating mechanism, but I’ve seen a lot of the updating mechanisms and they’re usually not very good. Probably the whole technical staff at each ISP would be able to access the blacklist, and if you’ve got what could be a few thousand people being able to access the blacklist, that’s a huge risk that you’re taking.</p>
<p> </p>
<p>I’ve played with a lot of these boxes and the chances of having no security vulnerabilities at all is extremely low. In our testing we haven’t actually found a box that we’ve been happy with the security of, except for little dedicated and extremely cut down boxes, but nothing of this type.</p>
<p> </p>
<p>The boxes that would have to be used would presumably have to filter the blacklist and do content live filtering as requests came through them. This means that the complexity of the boxes would have to be pretty major.</p>
<p> </p>
<p>BTURL: Does this mean that more complex filters have more security vulnerabilities?</p>
<p>MS: It would definitely mean that. See, the content filters have to be extremely fast. A good example of a content filter is a virus scan. We have in the past recommended that virus scanners not be used on a mail server, because historically virus scanners have had some extremely bad security vulnerabilities in them. A mail server isn’t a very complex thing. But when you’re adding virus scanning software to it, you’re increasing the complexity by an enormous amount, which, in turn, increases the opportunities for flaws to be exploited.</p>
<p> </p>
<p>It’s the same sort of thing with content filters. Filtering through a blacklist isn’t very difficult, and it&#8217;s possible to do it without opening yourself up to attack, but filtering through content is an incredibly complex thing.</p>
<p> </p>
<p>If you’re writing it in <a href="http://en.wikipedia.org/wiki/C_programming_language">C</a> or another lower level language, then most likely you’re going to have some sort of <a href="http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html">buffer overflow</a> because it’s such a complex task and requires such a large and complex amount of memory management.</p>
<p> </p>
<p>If you’re writing it in some higher level language, chances are you’ll be able to do a denial of service attack on the box. Higher level languages have some functions that require a huge amount of processing. If it&#8217;s using <a href="http://www.regular-expressions.info/">regular expressions</a>, for instance, there are ways to trick the box into processing a huge amount of data. So like I was saying before if you make it filter through some specially crafted content you might be able to bring it to its knees.</p>
<p> </p>
<p>So most likely they’ll be written in C or <a href="http://en.wikipedia.org/wiki/C%2B%2B">C++</a>, chances are someone will make a mistake and there’ll be a buffer overflow somewhere in the content filtering. In which case all you’d need to do is make a site which exploits that buffer overflow and make a connection to that site. The content filter will analyse the site and be taken over.</p>
<p> </p>
<p>BTURL: And at that point the box has been cracked wide open?</p>
<p>MS: At that point the attacker can do whatever they want. They’ve got the entire ISP’s HTTP traffic being routed through these boxes.</p>
<p> </p>
<p>BTURL: If this happened is there any way an attacker would be able to access the rest of the ISP’s network?</p>
<p>MS: Well of course if you’ve got one box at the ISP, then you can use that box to attack the rest of the network. Hopefully they’ll have some firewalls between the filters and the rest of the network, but you can’t guarantee that.</p>
<p> </p>
<p>BTURL: Is there a chance that users’ private data would be accessible because of the filters being insecure?</p>
<p>MS: Definitely. You’re routing all the HTTP traffic through these boxes. They’ve got content filtering on them, which means that if you own the box you can exploit that content filtering to do your own manipulation of the data. For instance, if somebody makes an HTTP connection to any account, you’d be able to intercept that and grab the user credentials.</p>
<p> </p>
<p>Not only that, but for instance Gmail can go over HTTPS but it doesn’t by default. Usually it just goes over HTTP, which means that any Gmail account can be compromised. Which means that anyone who’s sent their passwords to a Gmail account can be compromised. And that happens with a lot of websites.</p>
<p> </p>
<p>BTURL: Like Yahoo mail and others?</p>
<p>MS: I would say yes, but you’d have to check each service. It’d be an enormous thing, which is why you have to be very careful.</p>
<p> </p>
<p>Having content filtering be secure is a big ask. <a href="http://itradio.com.au/security/?p=100">Fionnbharr Davies</a>, one of the guys I work with, had a good quote in his Ruxcon presentation: that “These companies aren’t security companies, they’re software companies.” The company that’s making the filter most likely wouldn’t be aware of the security risks that they’re undertaking.</p>
<p> </p>
<p>Click <span style="color: #cc0000;"><a href="http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-3-what-machines-cant-judge-and-why/">here</a></span> to read the final part of the interview.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-2-the-filters-vulnerabilities/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Exclusive: White hat hacker tears apart flaws in Aussie net filtering scheme</title>
		<link>http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/</link>
		<comments>http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/#comments</comments>
		<pubDate>Wed, 17 Dec 2008 01:42:06 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Interviews]]></category>

		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=128</guid>
		<description><![CDATA[BanThisURL recently interviewed Matthew Strahan, a computer security professional with Securus Global. He makes a living telling companies how to secure their computer systems by breaking into them.
Over the course of the discussion, we addressed various ways to sidestep the filter, how a hacker could use the filters to intercept personal data from any Australian and how [...]]]></description>
			<content:encoded><![CDATA[<p>BanThisURL recently interviewed Matthew Strahan, a computer security professional with <a href="http://securusglobal.com/">Securus Global</a>. He makes a living telling companies how to secure their computer systems by breaking into them.</p>
<p>Over the course of the discussion, we addressed various ways to sidestep the filter, how a hacker could use the filters to intercept personal data from any Australian and how a few simple commands could bring the internet to a screeching halt.</p>
<p>As this interview is quite long and detailed, we will be releasing the second part tomorrow, and the final part on Friday. Do feel free to add our RSS feed (above) to your reader to be kept up to date.<span id="more-128"></span></p>
<p> </p>
<p><em>BanThisURL</em>: What worries you most about the filters from a security standpoint?<br />
<em> Matthew Strahan</em>: From a security standpoint it&#8217;s that somebody would take over the box. Especially if they standardize the filter. Depending on how they set it up, an attacker could become the man in the middle of every single Australian home connection. Which is a huge thing.</p>
<p><em>BTURL</em>: Can you explain man in the middle attacks quickly?<br />
<em> MS</em>: <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man in the middle attacks</a> are when someone can intercept your connection to some server. So you&#8217;ve sent a HTTP connection to Gmail. If someone&#8217;s in the middle of that connection, then they can read your email. They can also prevent you from going on Gmail. They can modify what gets sent back from Gmail and pretend that you&#8217;ve got email that you haven&#8217;t really received.</p>
<p>Man in the middle attacks are pretty dangerous.</p>
<p><em>BTURL</em>: Have you been able to set up a man in the middle attack on any of the filtering boxes you&#8217;ve had in your lab?<br />
<em> MS</em>: Oh well, yeah. Definitely. One of the talks at <a href="http://www.ruxcon.org.au/">Ruxcon</a> was trojaning an appliance. They could do whatever they wanted to with that box, including launching man in the middle attacks.</p>
<p>Given enough time and enough access to those appliances you can get your own code running on any of them.</p>
<p><em>BTURL</em>: What are your other concerns about the filters?<br />
<em> MS</em>: I&#8217;d say an issue would be someone doing a denial of service (<a href="http://en.wikipedia.org/wiki/Denial-of-service_attack">DoS</a>) attack on the filter, because someone could possibly bring down an ISP. The ISP has to reroute all of the HTTP packets through that filter. If the filter goes down, then all HTTP packets stop. The ISP is pretty much helpless against that.</p>
<p>For most DoS attacks in general, you send a packet which will require a lot of processing by the target. If you&#8217;re attacking a content filter, you&#8217;ll send it to a page that has a lot of parsing to do, so it&#8217;ll be a rather big page. If you send 200,000 of those requests within a minute, the filter will most likely be overloaded, which means the filter is going to go down and won&#8217;t be able to process any legitimate requests.</p>
<p>If you had a <a href="http://arstechnica.com/news.ars/post/20081110-study-storm-botnet-brought-in-daily-profits-of-up-to-9500.html">decent sized</a> <a href="http://en.wikipedia.org/wiki/Botnet">botnet</a>, I would say it would be definitely possible to take down a filter, but if you find something that causes a lot of processing in the filter then even an ADSL connection might be able to bring it down.</p>
<p>There are other issues too. The pages that are returned when a site is blocked could be vulnerable to <a href="http://www.cgisecurity.com/articles/xss-faq.shtml">cross site scripting</a> vulnerabilities.</p>
<p>Cross site scripting vulnerabilities are when someone can insert HTML or Javascript contents into the page. If the filter pages have those vulnerabilities in there, then there&#8217;s lots of attacks you can do with that.</p>
<p>For example, if you manage to get one of the pages on Facebook blocked, and there is a cross site scripting vulnerability in the page saying it&#8217;s blocked, then you could make that page grab the Facebook info of anyone that goes to it. <a href="http://en.wikipedia.org/wiki/Dan_Kaminsky">Dan Kaminsky</a> found an issue like that in a box that ISPs used to show ad pages instead of server not found messages.</p>
<p><em>BTURL</em>: What exactly are the filters going to be? Are they extra pieces of hardware?<br />
<em> MS</em>: Usually in this kind of situation you&#8217;d have a filter with its own box. It doesn&#8217;t have to be a piece of hardware, I mean Net Nanny is a filter and it does HTTP filtering. But in this situation it&#8217;d be a dedicated box. A lot of companies release filters, like <a href="http://www.f5.com/products/">F5</a> and <a href="http://www.bluecoat.com/products/overview/">Bluecoat</a> do.</p>
<p><em>BTURL</em>: Are these the same companies that supply filter boxes to companies so that employees can&#8217;t look at porn on the job?<br />
<em> MS</em>: Pretty much. The Department of Education definitely uses filters so the Government has experience in this.</p>
<p><em>BTURL</em>: How would you scale these boxes up to ISP levels of traffic?<br />
<em> MS</em>: You can do it in parallel. The main problem with having everything go through a single box is that, for instance, it can go down. If that happens you&#8217;re stuffed. The latency on a single box could be quite high &#8212; so usually what you&#8217;d do is get a couple of load balancers and then maybe five or ten filter appliances for this kind of situation.</p>
<p><em>BTURL</em>: Are there ways you could bypass these ISP filters?<br />
<em> MS</em>: There are a huge number of ways. The first way is using a <a href="http://proxy.org/">proxy</a>. Proxying is like proxying for votes: you&#8217;re just getting someone to do your work for you.</p>
<p>Say you&#8217;re trying to access www.whatever.com, or any other site that&#8217;s on <a href="http://www.banthisurl.com/2008/12/heres-the-history-before-its-rewritten/">the blacklist</a>. Usually you&#8217;d send the traffic to www.whatever.com, but if you&#8217;re using a proxy somewhere else in the world (say America), you&#8217;d ask the proxy for www.whatever.com. The proxy would then grab that site and then send it to you. So to the content filter, you&#8217;re not going to www.whatever.com, you&#8217;re going to your proxy, which isn&#8217;t blocked. And you could have an encrypted connection to your proxy.</p>
<p>You&#8217;d <a href="http://www.engadget.com/2006/03/21/how-to-ssh-tunnels-for-secure-network-access/">do that with an SSH tunnel</a>, which can be used like an encrypted proxy. That&#8217;s an oversimplification, but it works that way. You have an encrypted SSH connection to an SSH server that you can send all your traffic through, and SSH will handle all your connections for you. You would have an SSH connection to maybe a server in America, and through that server in America, you can grab whatever websites you want and it will be unfiltered because it&#8217;s going through the Australian content filter encrypted. The content filter will only see an SSH connection to a server in America, which it won&#8217;t see as a big deal because SSH is such a commonly used protocol.</p>
<p><em>BTURL</em>: Are there any filters that you&#8217;d be confident enough deploying in an ISP level filtering system?<br />
<em> MS</em>: I wouldn&#8217;t be confident enough in any of them.</p>
<p><em>BTURL</em>: So they&#8217;re basically doomed to have security vulnerabilities?<br />
<em> MS</em>: Well, yeah. There are ways that you can try and limit the risk, but even then you just have to make a single mistake. To send out the blacklists you might have some fancy update mechanism. Which means that you&#8217;d have to standardise what boxes are put in the ISPs. If you standardise what boxes are put in the ISPs, all of them will be vulnerable to the same security vulnerabilities. Which means if somebody makes a single mistake &#8212; say the software manufacturer has a <a href="http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html">buffer overflow</a> &#8212; then someone would be able to use that to take over all the filters in Australia.</p>
<p>Meanwhile, the boxes will most likely not be specific to the Australian filtering scheme and it&#8217;d be public what type of boxes they are. Which means that people would be able to analyze them themselves. So if someone finds a single security vulnerability it allows them to take over the box. They can then either terminate all of Australia&#8217;s outgoing internet traffic, or they can man in the middle all of Australia&#8217;s web traffic.</p>
<p>That&#8217;s a doomsday kind of scenario, but apart from that you&#8217;ve got other extremely bad security risks. You&#8217;ve got someone adding something to the blacklist. That can be something as simple as a social engineering attack.</p>
<p><em>BTURL</em>: By adding, say, the government&#8217;s site to the blacklist?<br />
<em> MS</em>: I&#8217;d be more concerned about adding their competitor&#8217;s sites to the blacklist. Industrial espionage is something that everyone knows is happening but people rarely talk about, because it&#8217;s something that pretty much everyone is doing. Be it simply clicking on somebody else&#8217;s advertisements to waste money or doing an actual attack on a competitor&#8217;s network.</p>
<p>Social engineering is where you manipulate or con someone into giving you their password or into doing something that helps you. I would say yes, it&#8217;s a pretty big risk. Someone will work out a way to add things to the blacklist and then sell the opportunity to put companies&#8217; competitors on to the blacklist. And if that happens, there&#8217;d be chaos because anyone could add their own things to the blacklist and people would notice.</p>
<p>So if it&#8217;s being manipulated for commercial purposes it&#8217;s an extremely big thing.</p>
<p> </p>
<p>Click <a href="http://www.banthisurl.com/2008/12/interview-with-a-white-hat-hacker-part-2-the-filters-vulnerabilities/">here</a> to read the second part of the interview.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Reminder: Anti-censorship protests on tomorrow (Saturday 13th)</title>
		<link>http://www.banthisurl.com/2008/12/reminder-anti-censorship-protests-on-tomorrow-saturday-13th/</link>
		<comments>http://www.banthisurl.com/2008/12/reminder-anti-censorship-protests-on-tomorrow-saturday-13th/#comments</comments>
		<pubDate>Fri, 12 Dec 2008 04:54:17 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Protests]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=118</guid>
		<description><![CDATA[Anti internet censorship protests will occur around Australia tomorrow (Saturday the 13th of December).
Ban This URL has reported on this before, however since then there have been more rallies organised in other cities.
Protests have been planned at Sydney’s Town Hall Square from 12pm; Brisbane Square, Brisbane at 11am; State Library, Melbourne at 12pm; Parliament House, [...]]]></description>
			<content:encoded><![CDATA[<p>Anti internet censorship protests will occur around Australia tomorrow (Saturday the 13th of December).</p>
<p><em>Ban This URL</em> has reported on this before; however, since then there have been more rallies organised in other cities.<span id="more-118"></span></p>
<p>Protests have been planned at <a title="Sydney anti-censorship protest" href="http://www.facebook.com/event.php?eid=49916537640" target="_blank">Sydney’s Town Hall Square</a> from 12pm; <a title="Brisbane anti-censorship protest" href="http://www.facebook.com/event.php?eid=42526399601" target="_blank">Brisbane Square, Brisbane at 11am</a>; <a title="Melbourne anti-censorship protest" href="http://www.facebook.com/event.php?eid=46838735931" target="_blank">State Library, Melbourne at 12pm</a>; <a title="Adelaide anti-censorship protests" href="http://www.facebook.com/event.php?eid=39343300875" target="_blank">Parliament House, Adelaide at 12pm</a>; <a title="Perth anti-censorship protest" href="http://www.facebook.com/event.php?eid=45738419714" target="_blank">Stirling Gardens, Perth at 12pm</a>; and <a title="Hobart anti-censorship protests" href="http://www.facebook.com/event.php?eid=39329861995" target="_blank">Parliament Lawns, Hobart at 11am</a>.</p>
<p>Additionally, a protest has been organised in <a href="http://www.facebook.com/event.php?eid=38717743533">Canberra, at City Walk at 12pm</a>.</p>
<p>The protests have been organised by the <a href="http://wiki.efp.org.au/index.php?title=Main_Page">Electronic Freedom Project</a>.</p>
<p>The most accurate censorship filters have been shown to incorrectly censor 1 in 100 sites.</p>
<p><em>Ban This URL</em> will be there.</p>
<p>More information on the censorship scheme, including the <a href="http://www.banthisurl.com/2008/12/heres-the-history-before-its-rewritten/">background</a>, <a href="http://www.banthisurl.com/2008/12/analysis-of-the-governments-technical-testing-framework-for-the-upcoming-censorship-pilot/">technical feasibility</a>, <a href="http://www.banthisurl.com/2008/12/young-labor-calls-for-an-opt-in-system/">politics</a> and more is available <a href="http://www.banthisurl.com/">on this site</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/reminder-anti-censorship-protests-on-tomorrow-saturday-13th/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Child pornography bust would not have been helped by filters</title>
		<link>http://www.banthisurl.com/2008/12/child-pornography-bust-would-not-have-been-helped-by-filters/</link>
		<comments>http://www.banthisurl.com/2008/12/child-pornography-bust-would-not-have-been-helped-by-filters/#comments</comments>
		<pubDate>Thu, 11 Dec 2008 05:37:02 +0000</pubDate>
		<dc:creator>David Field</dc:creator>
		
		<category><![CDATA[Police]]></category>

		<category><![CDATA[arrests]]></category>

		<guid isPermaLink="false">http://www.banthisurl.com/?p=113</guid>
		<description><![CDATA[Today, news outlets broke a story about a child pornography ring being busted after a year-long investigation by international police organisations.
Initially sparked by a tip-off from Brazilian police, Interpol has identified more than 200 potential offenders in 70 countries.
Australian Federal Police have apprehended 19 men, including a retired Victorian QC and a New South Wales [...]]]></description>
			<content:encoded><![CDATA[<p>Today, news outlets broke a story about a child pornography ring being busted after a year-long investigation by international police organisations.</p>
<p>Initially sparked by a tip-off from Brazilian police, Interpol has identified more than 200 potential offenders in 70 countries.<span id="more-113"></span></p>
<p>Australian Federal Police have apprehended 19 men, including a retired Victorian QC and a New South Wales police officer.</p>
<p>The Sydney Morning Herald <a href="http://www.smh.com.au/news/national/qc-arrested-in-child-porn-swoop/2008/12/11/1228584991207.html">reports</a> that:</p>
<p><em>“Australian Federal Police officers say they uncovered 500,000 images and 15,000 videos of child abuse that were allegedly shared between members of a peer-to-peer online network.”</em></p>
<p>It is not known whether the material in question was traded exclusively over the internet; however, the trading that did take place online could not have been prevented by the Government&#8217;s proposed internet censorship scheme.</p>
<p>This is because the trading vector used by the criminals was a peer-to-peer network, not web pages that could have been added to any sort of blacklist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.banthisurl.com/2008/12/child-pornography-bust-would-not-have-been-helped-by-filters/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
