Slashdot Mirror
Security Flaws In Aussie Net Filter Exposed
Faldo writes "There's a three-part interview with a computer security expert on BanThisURL that goes into the flaws in the Aussie net filtering scheme. In addition to SSH tunnels and proxies, more worrying problems like trojaning the boxes to set up man in the middle attacks (which the interviewee has done in his lab), cross site scripting and the Australian blacklist leaking are all discussed. Worrying and relevant, especially since Thailand's blacklist has just been leaked."
The concept itself is flawed. Centralized filters will never work, and any filtering system is imperfect. The best we can do is have individuals ascribe a reputation to a particular resource and based on trusting others' ratings we can tailor the firehose to our liking.
Anything else is just a way for some fearmongers to stay in office and/or make a quick buck.
Disagree, they could just use a Windows box for this, as long as they keep it up-to-date with patches they'll be fine, right?
Once I was a four stone apology. Now I am two separate gorillas.
...it will only serve to piss off those that can't circumvent the firewall (or unskippable anti-piracy adverts in the case of legit DVDs)
To do something right, you often have to roll up your sleeves and get busy.
that things are unhackable.
"If you code it, it will be hacked!"
The Titanic was an example of what should be called Cockyisms. (The beliefe that one is better or their product is better than it truly is.) in this case, Unsinkable...and we all know how THAT turned out!
DVD encryption, DRM and now Net Censorship...the tighter the grip, the faster they will lose control.
So Jesus, Mohammed and Abraham walk into a Bar....
An amazing story would be "NO SECURITY FLAWS IN AUSSIE NET FILTER WHATSOEVER". I'm just sayin'. There are flaws in everything.
We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
The Australian government seems to have gone pretty crazy over this thing, and is taking one of the classic paths when meeting resistance; that is to make the plan even bolder and more sweeping. There seems no recognition of the fact that this won't do a damned thing to prevent the production and distribution of child pornography, but will cause no end of problems for legitimate users. But this government clearly feels it's back is against the wall, and rather than simply taking the more sensible path and admitting that filtering is flawed, and in its own way dangerous, and that any attempt to screw with various P2P and secure protocols is going to real harm to legitimate users, is basically saying "We know better than the ISPs and technical experts."
Politics tends to attract the insanely vain, but these guys are way out to lunch. I have no idea who their technical advisers are, but either these guys are morons or simply being paid to tell the government what it wants to here.
But as anyone who has dealt with any kind of Internet security can tell you, it's always a game of catch-up. Whether it's viruses, root kits, DRM, firewalls, and so on, there's always someone willing, for good or ill, to crack systems, and believe me, if they actually go through with this nonsense, the desire to crack the filters, and more dangerous and delerious attempts to bust encryption and P2P is simply going to be met with better innovations to overcome them.
But it does go to show you that the intellectual tyrannies are not simply the product of political tyrannies, but any government so sure in its own righteousness can play the part of the tyrant, simply by repeating the mantra "it's for their own good".
The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion. Western Civilization has lost its balls. We've fought world wars, sacrificed our young on countless battlefields, beat back the Communists by even the most questionable means, for what? So some religious nut can make decrees as to what law-abiding citizens of a so-called free country can view on the Internet?
What a sad, fearful, pathetic lot the West has become.
The world's burning. Moped Jesus spotted on I50. Details at 11.
If stopping 100% of the users from getting indie music is the goal, then it fails. However, if stopping or impeding 50% of indie music perhaps it could be labeled a success? Becaue that's what this is about - stopping the use of a legal and legitimate product to destroy an industry's independant competetion.
The industry isn't afraid of Fergie being downloaded, it's afraid of The Station being downloaded.
Free Martian Whores!
doesn't the govenment publish the blacklist? this isn't like other countries where they just pretend like there is no filtering going on at all.
--
Stay tuned for some shock and awe coming right up after this messages!
While projects like this might hit their modest targets initially, they're totally doomed in the long term.
If 1% of users can get around it with highly technical trickery, it's not going to be long before one of those 1% packages the workaround up into a nice one-click piece of software that everyone can use. Just look at CSS. It only took one DVD-Jon to figure it out and now CSS is effectively useless.
That's why I think lots of people argue that it's either 100% or don't-bother.
I bet the filter isn't ipv6 capable... I just can't see the lawmakers being that tech savvy.
That could be just the boost the protocol needs, in Australia at least.
If you set the goal very low, like stopping 50% of bad data, but accept blocking 50% of good data as well, then it's almost impossible to fail. simply deleting 50% of traffic would satisfy that goal, and doesn't even need any filtering at all.
Making a filter that stops more bad traffic than good traffic is very difficult, especially when the amount of good traffic is very large.
If a proposal is only going to stop a small proportion, stomps all over civil liberties, could potentially break important protocols, can be circumvented by the technically savvy (which tends to include the very people who the proposal alleges it can stop) and introduces dangerous new security flaws, then I'd say the proposal ought to be rejected.
Let's be clear here. All this plan may do, at the very best, is catch the technically challenged pedophiles. That's a best case scenario, and basically undermining an entire country's Internet access to catch this group is rather like a sniper sitting on an overpass randomly shooting at cars because some of those cars may be driven by drug dealers. Yes, it's true, some small number of drug dealers may actually be killed, but if that's your idea of policing, then we might as well declare everyone guilty, take away their computers and call it a day.
The plan is idiotic, it's proponents are at best naive, and international child abuse won't be dented by it.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The industry isn't afraid of Fergie being downloaded, it's afraid of The Station being downloaded.
They should be. But I don't think the industry, that didn't even see P2P coming, has that much collective intelligence or foresight.
I think what they're really afraid of is a generation of potential consumers who give no thought to the copyright status or label affiliation of an album, who don't care if their downloads are legal or not. They're afraid of a culture which doesn't even consider paying for music. They're afraid that their role as musical gatekeepers will become obsolete. They're afraid that their product will have to compete with all others on a level playing field. And they should be.
... and that's when the C.H.U.D.'s came at me.
Comment removed based on user account deletion
Let's not forget that, if a big important router was compromised (such as the one in charge of the carrier pigeon link between Downunderland and the rest of the world), the same things could be done.
These aren't new problems introduced purely by a porno filter. These are problems introduced by lack of encryption and made easier by insecure porno filters.
If they try to MITM a TLS connection, certificate warnings will pop up. As is supposed to be guaranteed. All the bullshit lately should go a long way to convince people that YES, we need widespread encryption NOW.
I stand by previous statements that Firefox's multi-click certificate override is the Right Thing. But more and more, I'm beginning to think we need an 'httpe' as some people suggested which operates on SSH's "ohhh shits teh key changed!!" model. Push it out in the new Firefox and WebKit. Have a nice, plain-language warning on first visit and a big scary multi-click override when the key changes. And here's something new...
Define a means by which a link, such as from a secure Google search results page, can include the expected key. No need for a warning - you now have a key for that domain if expected agrees with what you get. The reason is simple - big brother can't see your conversation with Google or some other secure/pseudo-trusted authority, but they CAN try to MITM you with a key other than the expected one. Google can lie about the expected key, but you'd get a different one (either the real one or one from aussieland's gov). If either party could do BOTH you'd be screwed anyway, because Google's certs would at that point mean jack shit.
"Strangers have the best candy" -Me
Right, because American gun ownership has obviously done wonders for stopping its government from harassing its citizens. Or maybe you'd just rather keep on thinking it has.
"We have buttiduously canvbutted the industry, buttessed what is available and buttembled the finest selection of contractors for this buttignment. The filters will buttociatively clbuttify all communications and filter then, I can butture you, rebuttemble them with surpbutting exacbreastude in any quanbreasty. Consbreastuents can be rebuttured that a mulbreastude of industry compebreastors will butture quality and keep our clbuttrooms safe. EDS Capita Goatse will not embarbutt us."
The plans have attracted wide criticism. "It will only give supersbreastious rebutturance to medireview thinkers," said EFA. "Automated systems won't solve human problems like loveual harbuttment. Mbuttacring the written word into a Picbutto painting is not the anbreastank missile of Internet safety."
Unions also butterted that such close buttessment of staff in the workplace would hamper efficiency and could verge on workplace harbuttment. "Watermeloning cranberries."
The government was unfazed. "Butterting free speech is one thing, but a triparbreaste committee considers that that does not justify mere pbuttive breastillation at the expense of others."
The first filtering offices will be set up in Arsenal, Penistone and Scunthorpe.
http://rocknerd.co.uk
Another reason it works is because of the general fear of surveillance. The PRC will regularly do strange things like mandate a specific operating system for Internet cafes. Maybe they're spying, maybe they're not, the key is the Orwellian notion that you never know whether you're being observed or not. That is ingrained in the Chinese people after sixty years of Communist rule.
The real question here is not whether a people, most of which have lived their lives under a watchful tyranny, can be cowed by real and imagined Internet surveillance, but whether a free society made of people who were raised with the ideas of personal liberty can ultimately be pushed into the same state of paranoia. Will Australians in general be convinced that this their government can meaningfully prevent them from viewing certain kinds of material, or will they see this for what it is, pandering to Australian religious extremists with little really technical way to prevent anyone with even a modicum of prowess from viewing nasty things.
In a way I'm fascinated by this. I wonder whether it will be tolerated as one of these easily avoidable public morality laws like drug and prostitution prohibitions, or will the people of Australia say "No, it's my right to watch one or more consenting adults doing peculiar sexual things to each other."
The world's burning. Moped Jesus spotted on I50. Details at 11.
It won't stop pedophiles at all. It'll stop those seeking child pornography on the internet, but it won't do crap to stop the actual abuse of children.