Slashdot Mirror
Australian Networks Block Community University Website
Peter Eckersley writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April. It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason. Further technical analysis and commentary is in our blog post."
Probably a bunch of pedo terrorists. Fuck 'em!
If there are 1200 other sites using that IP, and they are blocking by IP, it would make sense that one of them got whatever your DMCA takedowns are called.
Next will be political web sites. What government wouldn't exercise the power to remove a critical opposition web site from the internet just before an election?
A site is blocked by various ISPs. Nobody knows for sure why. Some would like to pose the situation as a government conspiracy, or at least an example of why new regulations requiring ISPs to block certain sites is bad.
No one really knows what's going on, least of all the author. There's lots of hand waving and half hearted finger pointing.
Rabble unite?
Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.
Like all laws applying to technology, the people writing them are usually incapable of understanding all of the side effects. So they get passed, and applied as written, which has the unfortunate effect of breaking lots of legitimate things.
If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.
Sadly, I'm betting someone made an effort to point this potential out to them and got ignored.
Lost at C:>. Found at C.
Ok, yes, he was talking about politics, so gagging down dog cocks is kind of on topic, but its a far reach.
Also, its great when you can make a job out of your hobby.
Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.
I know that the summary and the article both mention that the latter is a possibility, but the headline, summary, and article, are all written as if the most likely possibility was that MFU was targeted directly.
I suspect that the ISP got a request from somebody about one of the hosted sites doing something very naughty, and the person who's job it was to pay attention to such requests didn't get them or ignored them, so an IP block was the next step.
Aren't I glad I left you.
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
Julia? Is that you?
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
I guess a major part of the problem might be, that there is no penalty for blocking too much. If there is a penalty for blocking too little but none for blocking too much, then there is little incentive to do accurate filtering. A discussion about whether blocking would have been appropriate in this case, had it been more accurately targeted, seems pointless, since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.
Some do see it as a benefit though. How often have some country blocked the worlds largest sites on the excuse that one page on each site is offending their religion. The more coarse grained your filtering is, the easier it is to conceal what you were really aiming to censor and the easier it is to find a plausible excuse for applying the filter in the first place. A civilized country shouldn't accept censorship, and especially not when it comes with such collateral damage. I don't believe there exist a problem in this world, for which censorship is the best solution.
Do you care about the security of your wireless mouse?
What's the betting some paranoid national security types reckon that's a "jihadi forum"?
What law? There is no legal mechanism for the government to block websites in Australia...
And this kind of application is just what is needed to bring the issue to the attention of the public at large.
The real "Libtards" are the Libertarians!
Hi. Stephen Conroy here. Labor party member. You morons need to know that when we, the government, block sites, its for your own good. Sure, we don't tell you about it, and we've probably blocked things like a dentists website, but really, what about the children?
One person from your town committed a crime so let's throw the whole town in jail
by incompetence.
How sweet it is for governments around the world that can't legally censor opposing views that with the consequences of virtual hosting all they have to do is find some alleged infringing site somewhere in the stack of sites hosted at the same IP as some news or political site they want to shut down. Hell, they could set up the site themselves and then order that IP blocked. Legal censorship unlocked and all they have to do is say, "whoops, we didn't mean to do that."
I guess a major part of the problem might be, that there is no penalty for blocking too much.
Did you miss that this block is on one IP address? That there are 1215 virtual hosts running at this one address? How can you block less than one IP address at a router? You'd have to do deep enough packet inspection to look at the virtual hostname header in any HTTP request, and the RCPT TO in any SMTP transaction. Should there be packet filtering at that level?
since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.
That's right, we don't know which of the 1215 domain names hosted the content that justified the block. But we can know that the fact that YOU personally don't know what the content was isn't really the largest problem with blocking things.
Site is working OK for me
I'm guessing IPv6 eliminates any need to share IP addresses? or is there remaining technical reasons to do so? (I'm guessing a server class physical machine host 1200 unrelated IPv6 addresses)
Is it just me, or does this sound like the perfect motivation for governments to encourage IPv6 adoption?
Yair, my ISP runs through Telstra and it doesn't load. It's no problem, though - I just switched my proxy on and viewed it through Tor. I don't know why they bother.
Should there be packet filtering at that level?
Hell yes. It's not that hard.
A successful API design takes a mixture of software design and pedagogy.
Completely off-topic question regarding your sig:
Do you care about the security of your wireless mouse?
Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?
John
yes, there is. the ACMA maintains a (secret) black-list of domain names and IP addresses which contains "prohibited content" which is used in filtering software. Some ISPs voluntarily use that list to block access.
The ACMA's secret blacklist has leaked on at least one occasion in the past.
In Nov last year, the Australian Federal Police started sending mandatory block notices to ISPs.
more info here:
http://www.acma.gov.au/scripts/nc.dll?WEB/STANDARD/1001/pc=PC_90102
http://en.wikipedia.org/wiki/Internet_censorship_in_Australia
I don't think the internet filter laws got passed. I thought the ISPs jumped in and said they would voluntarily use the Interpol Worst of list. I think the compromise seems reasonable. If the list is abused then it can be voluntarily not used. To be on the list you need to host porn of kids that are under 13 and this needs to be verified by multiple member countries.
I'm guessing that this has been implemented as a BGP blackhole list from TFA. An easy way for the ISP to go. They will already be running black lists for things like bogons and performance impact will be low.
The obvious fault with this is that when some kiddie porn domain gets blacklisted the domain becomes useless so the domain admin points their A record at some popular hosting company and takes them off line as well. If your going down take somebody with you.
Being on a black list sucks if there is no way to get off. Many years ago the company I worked for was on a net block that was on an outdated bogon list used by the US military. The military is really bad at keeping things maintained, something gets installed, the person who did it gets posted elsewhere every few years so all knowledge about what, how and why it was done is lost. The military don't update their contact information so even if your email server wasn't black holed you couldn't contact them anyway. Frustrating when there were treaties requiring this communication.
For example a couple of local restaraunts have there web sites at a site that McAfee chooses to block, because apparently it things the address is a dangerous one. The web sites in question just display menus and hours and the like.
It's nothing to do with censorship, it's the usual anti-DoS behaviour implemented by some US backbones and pretty much all Australian ISPs.
I don't know if it's just you, but to me it sounds like a reason for governments to discourage IPv6. The way it is now they don't need to reveal which of those sites they really wanted to block, which means any fabricated story will work.
I think we've pushed this "anyone can grow up to be president" thing too far.
Good point. I was thinking that they could block sites without nearly as much backlash if there weren't many other sites blocked as collateral damage.
If you don't even get your own IP address it's not much of a surprise that somebody else's actions can turn your little bit of the cloud dark.
Bring on IPv6.
this has more to do with politicians finding out that they have the following kind of lectures online and simply want to shut this kind of thing down before students actually get educated:
"Aurélien Mondon, Do people really want what politicians are offering?, The National Times, 8 July 2010,[6]"
In this case it can't be a mandatory government block, because the site is still accessable from iiNet (an Australian ISP), for example. It's only blocked by "some" Australian ISPs.
You can see all the sites on the IP address on one page here - http://viewdns.info/reverseip/?host=198.136.54.104&t=1 Easier than sameid.net.
I'm using Exetel which is a small ISP that relies on some of the much larger ISPs for infrastructure. My particular plan routes data via Optus, whereas the Exetel example given by the EEF blog post is by someone using a plan routed via AAPT. I can access the website without issue. iiNet at work is also fine.
I suspect this is not a request by the government to ISPs to block a particular site, mainly because I've read that Optus was happy to voluntarily block content - and they're not doing it. Not yet, at least.
It's GNU/Linux dammit!
so the question is..
what's the really good site that was the target here?
No.
No.
If you can implement blocking which only blocks content found to be illegal by a court of law, then that is fine. But accepting any collateral damage and accepting any blocking without the content being found illegal by a court of law is just wrong. What I am saying is, stop doing filtering, and go for the root of the problem.
What makes you think I am special? There are billions of people who don't know either. If all of them just assume it must have been bad enough to justify this amount of collateral damage, then that is a free pass for those who want to apply censorship.
I don't believe that there could exist content so bad, that simply seeing it could be worse than living in a society of censorship.
Do you care about the security of your wireless mouse?
I for one never liked name based vhosts. I have started moving my own domains to IP based vhosts on IPv6. I still have one IPv4 address with name based vhosts for those users who don't have IPv6 yet. Configuring a vhost such that it was name based when accessed over IPv4 and IP based when accessed over IPv6 was slightly tricky. But I got it working.
I do like the idea of using this as an argument for deploying IPv6. Even though there are plenty of arguments for IPv6 already that doesn't stop some people from denying there is any need at all. So to me every argument I can find for deploying IPv6 is seen as a good thing. The more arguments we have, the harder it gets to deny the need for IPv6.
So the way it would have worked would be as follows. Hosting provider has one IPv4 address shared between many vhosts, but each vhost has their own IPv6 address. If one vhost is to be blocked for hosting illegal content, one IPv4 address and one IPv6 address can be blocked. If a user tries IPv4 first and gets a connection reset, their browser would switch to IPv6.
Then we can turn the story around and say MFU should have hosted on dual stack, then they wouldn't have been blocked. The opponents of IPv6 deployment will have many arguments to pull up, but I have an answer ready for each of them. They say: "But the users don't have IPv6, so they won't be able to reach the site anyway", and I say: "If those users had choosen an ISP with IPv6 support, they would have been able to reach the site". They say: "But there isn't any ISP with IPv6 support in that area", and I say: "If the ISP hasn't deployed IPv6, then they cannot justify IP based blocking, and they must instead route traffic to that IP through a router capable of doing DPI to only block the forbidden host-name".
Of course none of this is truly great arguments, because it is sort of accepting censorship. Even if you can target only a single domain, it is still censorship. And in case a domain contains both legal and illegal pages, and the domain uses https, then blocking without collateral damage is not technically possible.
Do you care about the security of your wireless mouse?
On my desktop computer I got a keyboard with a USB hub. A cable between keyboard and mouse is slightly less annoying than a cable from the mouse to the computer. On my laptop I am just using a trackpad. With training I have gotten more used to trackpads, and when I am travelling with my laptop, I often use it without access to a flat surface where I can put the mouse.
I'd still like a wireless mouse with strong cryptography and key exchange while it is charging. I think it would be feasible to use a one-time pad along with a provably secure message authentication code.
Do you care about the security of your wireless mouse?
As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.
Trying to become famous by taking photos. Visit my homepage please.
That's right, we don't know which of the 1215 domain names hosted the content that justified the block.
Which, really, is irrelevant. I see 1214 domains ripe for a class action lawsuit, possibly with slander/libel/restraint of trade/... mixed in. If each (or just a lot) of them ponied up $100 down payment (plus kickstarter?), that'd keep a lawyer going for a while.
"Tongue tied and twisted, just an Earth bound misfit
Cool Cool Cool ...mate.
gosgog: That's me!
I was given to understand, the origin of the internet, was for various universities, colleges, etc., to freely communicate & exchange ideas and that this eventually (fairly rapidly) became open to the public world!
Now, it seems that as life progresses, Gov'ts have decided that they should have rules about it. This is theoretically being disputed, but in practical terms, various countries, the U.S., included, have put into effect some rules and have others being discussed and pending. NOW, GOV'TS ARE RUN BY POLITICIANS....THE VAST MAJORITY OF WHOM THE WORLD WOULD BE BETTER OFF NOT HAVING, AND WHO FOR THE MOST PART MAKE RULES WE COULD WELL LIVE WITHOUT.
hi i am salma mir. :0 :)
i have a blog today i updated it. visit my blog maybe you like it
if you like my work for appreciation like my posts. if any one want to know about my blog and any query you can contact me through my blog
http://kmasoftware.blogspot.com/
Bluetooth v2.1 security is likely more than adequate for your requirements.
The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not possible.
And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements, with no other context like what screens or windows you might be clicking on. Part of building a secure system is to look at the whole threat picture rationally. Who would perform such surveillance? What could they gain? What could you lose?
In this case, the most likely information an attacker would be able to gather is traffic analysis - your mouse is communicating, therefore you must be physically present and using your computer. And they would get that info from any wireless mouse, regardless of how strong the cryptography is. So the rational question is Boolean: should you own a wireless device that transmits when you are physically using your computer? Leave crypto out of that decision. If the answer is yes then Bluetooth meets your other requirements.
John
You are assuming cryptography is all about protecting the confidentiality of data. That is a common mistake to make. But in this particular case I did point out in my initial post, that authenticity is also important. In fact in most cases authenticity and integrity of the data is more important than confidentiality.
Instead of asking what you can learn from observing mouse movements, consider what you can do if you control mouse movements. Most UIs have buttons located in predictable positions. Click on some of those to take control over the computer. All you need to be able to do is to navigate a browser to a malicious website and click yes on a few confirmations that you want to download some executable and run it. Sounds like a quite feasible task to achieve using a mouse.
Next ask if the receiving end of the wireless connection actually cares if it is a mouse or a keyboard. If it accepts keyboard input as well, then the attack is much easier to carry out, even if I didn't use any wireless keyboard myself.
As for the confidentiality, mouse movements used to be the primary source of randomness for use in cryptographic protocols. That certainly adds to the risk from somebody being able to observe all mouse movements.
Do you care about the security of your wireless mouse?
That statement makes no sense to me. The only sort of attack mentioned in the story is the DoS attack performed by another network blocking legitimate packets. There is no additional blocking that the server administrator could perform to solve that. And even if the server was under some other kind of attack (such as flooding), the only hostnames potentially involved are those assigned to the server itself. Blocking those hostnames, just means you are DoSing your own server. The attacker doesn't have a hostname, you can block them on.
Do you care about the security of your wireless mouse?