Filter Vendor Agrees Aussie Censorship Can't Work As Promised
Acidspew writes "The Australian Government's plan to filter the Internet has caused furore and has been met with vehement objection. Many people have put their opinions forward regarding this matter, but this time around, M86 Security — the vendor that provided many ISPs equipment during the initial filter trials — has finally weighed in on the discussion. Six of the nine ISP participants in the URL-based Internet filter trial last year used M86's R3000 filtering kit. According to ARN: 'Internet filtering won't prevent people deliberately looking for inappropriate material from accessing blocked content, according to security vendor M86 Security.' The company continues by saying its filter gear was designed to be implemented into schools and enterprise businesses, not for an entire country. The article also touches on M86's views on censorship."
As someone who used to work in a filtering company...
The point of a filter to nanny kids is not to stop kids finding porn. It's to stop them wasting their time in school using sites like Facebook, MySpace, etc. This kind of nannying is also useful for keeping an eye on your employees and making sure they don't spend all day on Facebook. Quotas can be enforced, access patterns allowing certain sites during certain times can be configured.
The filter does a reasonable job of ensuring things like Google's safe search are always forced to on and stopping users accidentally stumbling on things they shouldn't. We had filter categories like 'porn', 'hate speech' and 'terrorism' which could be used to block a fair amount of stuff but that kind of automated decision making is not perfect and stuff slips through - even without a sufficiently determined attacker trying. It's just not possible to automatically block everything bad. The more accurate your automated blocking, the more intensive the CPU and memory requirements.
It is possible, and reasonably cheap, to block access to a number of known bad URLs. This is only possible if the blocker also controls the gateway firewall and only allows HTTP traffic to pass through it. If any other traffic is allowed to pass through the gateway we have immediate back doors (SSL, VPNs, SSH tunnels, TOR, etc) available to us.
SSL-based traffic can be snooped with an intermediate key, but you also need to get a wildcard certificate to match. That's been proven fairly easy to do. If you control all machines behind your filter you can also have them trust your dodgy CA and issue your own certificate. What's interesting enough is that most users simply click away at SSL warnings until they get to the site anyway. No matter how annoying the browser is about it users just want their content.
I see the most serious point of contention here is that people's banking and other fairly personal details will be inside the filter/proxy UNENCRYPTED. This means that a 3rd party has access to that and if the system is exploited so does any number of evil parties. I lost interest when I stopped being in the industry to an extent, but Conroy had initially wanted to dissect SSL traffic as well. Did he go ahead with that requirement?
Censorship on a whole country level is a silly idea; there are too many back doors unless the country wants to restrict information flow to HTTP-only, which would have a devastating effect on the Internet. Even China isn't that strict and there exist dissidents who use technology to get around the Internet filters there.
I drink to make other people interesting!
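The visibility limits described in the comment above, as an added example that is not part of the original post or any vendor's code: a URL blocklist can only evaluate requests whose URL the gateway can read. The request dictionary format, the blocklist entry and the `example` host names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed blocklist entries (host + path); example.* names are placeholders.
BLOCKED_URLS = {"blocked.example/bad/page.html"}

def normalize(url):
    """Reduce a URL to lowercase host + path so case and port variants still match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host + (parts.path or "/")

def decide(req):
    """Classify one gateway request (hypothetical dict format) as seen by a URL filter."""
    if req["kind"] == "http":
        # Plaintext HTTP: the full URL is visible, so an exact-match lookup is cheap.
        return "block" if normalize(req["url"]) in BLOCKED_URLS else "allow"
    if req["kind"] == "tls" and req.get("intercepted"):
        # Interception with a CA the clients trust exposes the path again,
        # at the cost of the proxy holding the decrypted traffic.
        url = "https://" + req["host"] + req["path"]
        return "block" if normalize(url) in BLOCKED_URLS else "allow"
    # TLS without interception, or any non-HTTP protocol: no URL to look up.
    return "unseen"

def coverage(requests):
    """Count decisions so an operator can see how much traffic the list evaluates."""
    return Counter(decide(r) for r in requests)

# Constructed sample of gateway traffic.
SAMPLE = [
    {"kind": "http", "url": "http://Blocked.Example:80/bad/page.html"},
    {"kind": "http", "url": "http://news.example/"},
    {"kind": "tls", "host": "blocked.example", "path": "/bad/page.html"},
    {"kind": "tls", "host": "blocked.example", "path": "/bad/page.html",
     "intercepted": True},
    {"kind": "ssh", "host": "shell.example"},
]

if __name__ == "__main__":
    print(dict(coverage(SAMPLE)))
```

The `unseen` count is the share of traffic on which the blocklist has no effect, which is the figure to measure before relying on URL-level filtering.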
Well, let's take the usual example of child pornography. This material is clearly illegal under current Australian law, and as such it's a criminal offence to produce, possess or distribute it.
So if that material is blocked, that's "blocking illegal material". It's censorship, yes, but if the process is subject to public oversight, no big deal - so long as a process exists by which it can be guaranteed that all the material that is blocked is illegal, there's no big deal, it's just a government enforcing the law.
Now if material is "refused classification", that's slightly different. That then becomes a matter of state law - in some states, it's illegal to possess, whilst in others it's only illegal to sell. For instance, if a resident of Western Australia were to possess an uncensored copy of Left 4 Dead 2, that would be illegal, whilst the same act is legal here in New South Wales.
This IS censorship, and the whole idea of refusing a work classification is offensive. This is material which hasn't broken any laws, but which has been deemed offensive by a review board. For films, this isn't a problem - there's an X18+ classification which covers anything which is offensive but not illegal (well, usually. Some of our laws are pretty vague). But notably, games don't have such a rating, so we can't have Left 4 Dead 2, or any game which mentions the name of real drugs, or any number of other things (Aliens Vs Predator was recently refused classification here, but, for the first time in nearly 2 years, won an appeal on the grounds that the violence was justified within the fantastical Science Fiction setting).
The whole system is riddled with problems. Material which is offensive but not sexual in nature (i.e. violence) can be awarded R18+. Material which is offensive but not violent in nature (i.e. porn) can be awarded X18+. Material which happens to be both (i.e. porn with a plot), even if the violence is not of an offensive nature, is eligible for neither classification.