Topic: Exclusive: White hat hacker tears apart flaws in Aussie net ...
Kimbo
Posts: 376
Location: Melbourne, Victoria


BanThisURL: What worries you most about the filters from a security standpoint?
Matthew Strahan: From a security standpoint it’s that somebody would take over the box. Especially if they standardize the filter. Depending on how they set it up, an attacker could become the man in the middle of every single Australian home connection. Which is a huge thing.

BTURL: Can you explain man in the middle attacks quickly?
MS: Man in the middle attacks are when someone can intercept your connection to some server. So you’ve sent a HTTP connection to Gmail. If someone’s in the middle of that connection, then they can read your email. They can also prevent you from going on Gmail. They can modify what gets sent back from Gmail and pretend that you’ve got email that you haven’t really received.

Man in the middle attacks are pretty dangerous.

BTURL: Have you been able to set up a man in the middle attack on any of the filtering boxes you’ve had in your lab?
MS: Oh well, yeah. Definitely. One of the talks at Ruxcon was trojaning an appliance. They could do whatever they wanted to with that box, including launching man in the middle attacks.


and


BTURL: What are your other concerns about the filters?
MS: I’d say an issue would be someone doing a denial of service (DoS) attack on the filter, because someone could possibly bring down an ISP. The ISP has to reroute all of the HTTP packets through that filter. If the filter goes down, then all HTTP packets stop. The ISP is pretty much helpless against that.

For most DoS attacks in general, you send a packet which will require a lot of processing by the target. If you’re attacking a content filter, you’ll send it to a page that has a lot of parsing to do, so it’ll be a rather big page. If you send 200,000 of those requests within a minute, the filter will most likely be overloaded, which means the filter is going to go down and won’t be able to process any legitimate requests.

If you had a decent sized botnet, I would say it would be definitely possible to take down a filter, but if you find something that causes a lot of processing in the filter then even an ADSL connection might be able to bring it down.

There are other issues too. The pages that are returned when a site is blocked could be vulnerable to cross site scripting vulnerabilities.

Cross site scripting vulnerabilities are when someone can insert HTML or Javascript contents into the page. If the filter pages have those vulnerabilities in there, then there’s lots of attacks you can do with that.

For example, if you manage to get one of the pages on Facebook blocked, and there is a cross site scripting vulnerability in the page saying it’s blocked, then you could make that page grab the Facebook info of anyone that goes to it. Dan Kaminsky found an issue like that in a box that ISPs used to show ad pages instead of server not found messages.

BTURL: What exactly are the filters going to be? Are they extra pieces of hardware?
MS: Usually in this kind of situation you’d have a filter with its own box. It doesn’t have to be a piece of hardware, I mean Net Nanny is a filter and it does HTTP filtering. But in this situation it’d be a dedicated box. A lot of companies release filters, like F5 and Bluecoat do.


Want Sauce?

So what happens with all the people that do online banking that lose their money due to interception of data because there is a flaw in said filter? Would make a great laugh if it was "Oops sorry... but we kind of screwed up". Would there be enough impact if Stephen Conroy's banking details were stolen?
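Added example, not part of the original post or the interview: the block-page cross site scripting issue MS describes, shown as a reflecting renderer beside an escaped one. Because the filter answers in place of the blocked site, whatever its block page reflects runs in that site's origin in the browser. The function names, template, headers and sample URL are hypothetical and constructed for illustration.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed request: a blocked URL whose query string carries markup.
SAMPLE_URL = 'http://blocked.example/page?q="><script>alert(1)</script>'

# Hypothetical block-page template; {href} and {label} are filled per request.
BLOCK_TEMPLATE = (
    "<html><body><h1>Access denied</h1>"
    '<p>The page <a href="{href}">{label}</a> is blocked.</p>'
    "</body></html>"
)


def render_block_page_vulnerable(requested_url: str) -> str:
    """Reflects the requested URL into the page unmodified (the flaw)."""
    return BLOCK_TEMPLATE.format(href=requested_url, label=requested_url)


def render_block_page_hardened(requested_url: str) -> str:
    """Encodes the URL for each context it is written into."""
    parts = urlsplit(requested_url)
    if parts.scheme in ("http", "https"):
        # Percent-encode first (URL context), then HTML-escape (attribute context).
        href = html.escape(quote(requested_url, safe=":/?&=#%"), quote=True)
    else:
        # Schemes such as javascript: are never emitted as a link target.
        href = "#"
    label = html.escape(requested_url, quote=True)  # HTML text context
    return BLOCK_TEMPLATE.format(href=href, label=label)


# Response headers for the block page (assumed values): even if an escaping
# bug slips through later, this policy stops injected script from running.
BLOCK_PAGE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


def contains_active_markup(page: str) -> bool:
    """Crude demo check: did a script tag survive rendering?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_block_page_vulnerable, render_block_page_hardened):
        page = render(SAMPLE_URL)
        print(render.__name__, "-> script tag present:", contains_active_markup(page))
```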
HERMITech
Posts: 5778
Location: Brisbane, Queensland

^ Got fail linking
HERMITech
Posts: 5779
Location: Brisbane, Queensland
$5 says his content would be "seperate"
Taipan
Posts: 2558
Location: Brisbane, Queensland
Hermi I am pretty sure you could safely increase that $5 bet and never look in any doubt of losing.
Strange Rash
Posts: 938
Location:
HTTPS will save us
nF
Forum Hero
Posts: 15116
Location: Wynnum, Queensland
HTTPS will save us


^ heh
pARODY
Posts: 194
Location: Brisbane, Queensland
Everyone who wants to get around the filters, can. VPNs are not interrupted or filtered by it. Oh and SSL isn't the perfect solution to this, it's still possible to do a Man-in-the-middle hijack on SSL (it's just hard to become that man in the middle).

Like everyone else is saying, this will only hurt the people doing legitimate things on the net by blocking normal sites, slowing speeds down by up to 85% and, like the article says, puts an avenue of attack against traffic that gets routed over these devices.
trillion
Posts: 401
Location: Brisbane, Queensland
This is a bulls*** post on a bulls*** website. Do such adjectives as EXCLUSIVE and TEARS APART and WHITE HAT HACKER really make anyone believe this anti-filtering FUD campaign?

What's the real problem here is that people paying for their 150GB+ ADSL accounts with any number of months left on their contracts that can't break it without a significant exit fee fear this will bite at their downloading of movies on the usual suspect P2P port ranges.

I'm sure most ISPs that pervasively promote themselves to the downloading hordes with plans offering massive monthly quotas aren't worrying too much about the filter trials because it's mostly the standardised port 80 and 443 being looked at here.

Man-in-the-middle attacks are more FUD and nothing more than an extremely rare what-if type scenario unless someone off the street with a laptop packed with ready to go unpublished exploits was given the keys and an ethernet port to the rack cabinet and left unsupervised for say the whole day and asked to lock up on the way out. That sort of thing just doesn't happen without placing your soul in escrow.

parody where do you pull that magical 85% slowdown number from? It sure sounds like bulls*** too :)
ara
Posts: 2404
Location: Sydney, New South Wales

it is actually a number out of their lab trials, but do carry on with your ill informed rant.
parabol
Posts: 5049
Location: Brisbane, Queensland
I'm not really sure where to even begin with trillion's post ...
trillion
Posts: 402
Location: Brisbane, Queensland
Go on, have a go
Obes
Posts: 6973
Location: Brisbane, Queensland
MITM won't work on SSL and TLS ... and who banks using http ?

it's still possible to do a Man-in-the-middle hijack on SSL

Only by stealing the private key cert or by hijacking the certifying authority ?
parabol
Posts: 5050
Location: Brisbane, Queensland
Go on, have a go

No thanks, your fact/speculation fraction is fairly low - so it would be a futile troll-feeding exercise.
trillion
Posts: 403
Location: Brisbane, Queensland
Meh, you probably went to one of those anti-filtering rallies last weekend, talk about futile
parabol
Posts: 5051
Location: Brisbane, Queensland
you probably went to one of those anti-filtering rallies

Sure why not, if that will make you sleep better tonight (trolls need to sleep like everyone else!). If you are after the truth, no I didn't. But we shouldn't let truth get in the way of idle speculation and knee-jerking now shall we? That would go against your philosophy :)
Spook
Posts: 23719
Location: Brisbane, Queensland
so, are you for the filter trillion?
maxe
Posts: 13533
Location: Brisbane, Queensland
the only thing hackers tear apart are big bags of chips
nF
Forum Hero
Posts: 15125
Location: Wynnum, Queensland
MITM won't work on SSL and TLS ... and who banks using http ?


it will, just browsers will complain.

the only thing hackers tear apart are big bags of chips


and only after 5 minutes of trying
BillyHardball
Posts: 8625
Location: Brisbane, Queensland
I gotta say, for someone like me who knows very little about computers in general and what the filter will mean for "the average user", it is interesting to read trillion's post. I am fairly naive to all this stuff, and I'm thinking that any sort of filter won't affect me at all? Is this wrong, or is trillion at least correct in implying that it won't affect non-net heads?
trog
AGN Admin
Posts: 25714
Location: Brisbane, Queensland

I gotta say, for someone like me who knows very little about computers in general and what the filter will mean for "the average user", it is interesting to read trillion's post. I am fairly naive to all this stuff, and I'm thinking that any sort of filter won't affect me at all? Is this wrong, or is trillion at least correct in implying that it won't affect non-net heads?
it's wrong

read this page for more, but the basics are:

* it will probably slow down your browsing experience
* it will probably drive up costs as ridiculous amounts of infrastructure will be needed to provide the filtering system
* it will probably stop you from getting to pages you might want to that AREN'T infringing that are mistakenly blocked by the filter
* it will probably result in more and more of your tax dollars getting pissed away, instead of going to something useful like more police to actually investigate illegal computer activities
* it won't work anyway
Spook
Posts: 23722
Location: Brisbane, Queensland
*f*** censorship, I'm an adult who can make my own choices
Obes
Posts: 6979
Location: Brisbane, Queensland

* it will probably slow down your browsing experience
* it will probably drive up costs as ridiculous amounts of infrastructure will be needed to provide the filtering system
* it will probably stop you from getting to pages you might want to that AREN'T infringing that are mistakenly blocked by the filter
* it will probably result in more and more of your tax dollars getting pissed away, instead of going to something useful like more police to actually investigate illegal computer activities
* it won't work anyway

You're right it won't work. Cos the rockspiders already operate in "underground" systems. And this is why I am against it.


The probablies are all just probablies, and some of them are downright fanciful tinfoil hat stuff. (eg. SingTel will spy on you for the Singapore government)

The second last 1 I'd definitely question because it should make it a lot easier for police for the majority of users who can't work out things like TOR. The serious offenders will still have to be caught using whatever methods they use now, which seem to be catching people ?

As for slowing down ? ... maybe it'll speed it up once the filter blocks all the public linux isos and "news" servers
Pinky
Posts: 230
Location: Melbourne, Victoria

All I want to know is some ASX stocks that sell SSL certificates. I know where to put my money this time.
trillion
Posts: 404
Location: Brisbane, Queensland
I'm all for filters at the ISP level given that the right hardware and software are used. It's interesting that they don't detail any of this lab hardware and software in the pdf from June.

It takes the burden off parents being made to feel responsible who may not know the ins and outs of Internet workings and offers them a peace of mind that when their kids are using the Internet unsupervised they are at least somewhat more intentionally buffered from the seedy realms of the Internet than they would be when using an unfiltered connection.

If the Government was working with ISPs at each stage of the filtering infrastructure design and build and gave them funding for the project rather than design and build the hardware and software required with an external party that possibly don't have a great deal of interaction with the ISPs then I think it would turn out much better than just producing a product and forcing that into legislation for ISPs to implement.

It also works for those dummies who send off wads of loot to someone claiming they've won some lottery scam or whatever the scam of the month/week/day is, and phishing sites and whatever other unknown nasty s*** that comes up that serves some group of criminals working out of somewhere in the world that are hostile to mainstream ideals we'd be comfortable with.

It's all about the data and it does need more protection from these threats if you can get past the idea that the Government and ISPs are moving to collaborate to spy on the data you pass to and from the Internet for some reason.

Sure there are ways around it but that is beside the point, that's like making an argument for the fact that there are ways to find an open stretch of road in a car and hit the accelerator if that's your thing.



last edited by trillion at 14:35:39 19/Dec/08

last edited by trillion at 14:38:02 19/Dec/08
trog
AGN Admin
Posts: 25718
Location: Brisbane, Queensland

I'm all for filters at the ISP level given that the sauce hardware is used. It's interesting that they don't detail the lab hardware and software used and the processes they went through in trialing them.
That's about a billion times less interesting than the list being secret
It takes the burden off parents being made to feel responsible who may not know the ins and outs of Internet workings and offers them a peace of mind that when their kids are using the Internet unsupervised they are at least somewhat more intentionally buffered from the seedy realms of the Internet than they would be when using an unfiltered connection.
you shouldn't put your kid in front of the Internet and let them have at it any more than you should drop them off in a bar. This is parenting 101 s***. It's not a f***ing toy and trying to bubblewrap it like it is makes everyone look stupid.
If the Government was working with ISPs at each stage of the filtering infrastructure design and build and gave them funding for the project rather than design and build the hardware and software required with an external party that possibly don't have a great deal of interaction with the ISPs then I think it would turn out much better than just producing a product and forcing that into legislation for ISPs to implement.
Our ISP prices are already high - I don't want them to be higher because of forced compliance to a thoroughly useless scheme that will do nothing.
It also works for those dummies who send off wads of loot to someone claiming they've won some lottery scam or whatever the scam of the month/week/day is, and phishing sites and whatever other unknown nasty s*** that comes up that serves some group of criminals working out of somewhere in the world that are hostile to mainstream ideals we'd be comfortable with.
It does absolutely f*** all to stop any of this stuff that you're talking about. Absolutely, f***, all. That hasn't, afaik, even been mentioned as a possible side effect of this filter. To be clear, there is even less chance of this filter stopping this stuff than there is of stopping access to inappropriate material (no mean feat considering the tiny numbers we're talking about here)
Sure there are ways around it but that is beside the point, that's like making an argument for the fact that there are ways to find an open stretch of road in a car and hit the accelerator if that's your thing.
Car analogies for Internet usage are awesome
Pinky
Posts: 233
Location: Melbourne, Victoria

trillion, I think Churchill may have been talking about you when he said, “The best argument against democracy is a five minute conversation with the average voter.”

It takes the burden off parents being made to feel responsible who may not know the ins and outs of Internet workings


Parents are responsible for their children. Last time I checked you didn't need a Computer Science degree to put your computer in a lounge room if you don't want your kid looking at 'seedy' stuff, as you call it.

Software filters already exist. What's more the AU Gov't gives them out free: http://www.netalert.gov.au/

I'm all for filters at the ISP level given that the right hardware and software are used.


So, what is the right hardware and software to use for this? You can be a PhD in Comp. Sci. and not be able to adequately answer this question without me being able to intelligently counter-argue any answer you have.

In a nutshell, that is why this Government initiative is a major fail. They have a good idea they know nothing about, and the only opinion they get about it is the guy that is receiving the cheques - i.e., whichever firm is involved in making the filter. And if I was in their position I would do the same.
z0r
Posts: 1735
Location: Brisbane, Queensland
It takes the burden off parents being made to feel responsible who may not know the ins and outs of Internet workings and offers them a peace of mind that when their kids are using the Internet unsupervised they are at least somewhat more intentionally buffered from the seedy realms of the Internet than they would be when using an unfiltered connection.
That's exactly what we need in this fast paced, ever changing world. less burden on parents to feel responsible for their children. an isp level filter will only make the root of the problem worse. if parents think their children are automagically protected from everything "harmful" (read - pertaining to real life) on the interwebs they'll be even less inclined to supervise or even care what their children are doing online. slippery slope.
Sure there are ways around it but that is besides the point, that's like making an argument for the fact that there are ways to find an open stretch of road in a car and hit the accelerator if that's your thing.
this is an extremely specious analogy.
ara
Posts: 2408
Location: Sydney, New South Wales

trillion, if you feel you are noob enough to require a filter to move around the internet safely or that you need the help of the government or some other entity to protect your kids then that is fine, isp filters for that kind of things are already available. run off to one of these noob friendly isps and ask for it and the rest of us can look out for themselves and don't have to pay for your noobness.

obes, yes, it is such a tin foil hat idea that telcos would spy on their customers for their government.. as if that would ever happen.

oh, and of course there is nothing like that going on in any other countries, especially not in Australia.


Taipan
Posts: 2561
Location: Brisbane, Queensland
I am sorry trillion but your comment about making parents feel responsible is quite possibly one of the stupidest things I have ever read on the net. You are right nothing should make a parent FEEL responsible because they ARE f***ing responsible ... it goes with the f***ing territory of being a parent. The problem with parenting these days is too many f***ing morons see taking responsibility as a parent as being some kind of option... it's not.

It's no wonder the government wants to stamp all over decent citizens' freedoms when there are moronic pinheads getting around that want to take no responsibility for anything.
Tollaz0r!
Posts: 9371
Location: Brisbane, Queensland
I wouldn't mind the problem if you could opt out/in to the filtering. Also that if you opted out you bypass the slowing process and not be affected by it. Also if you opted out you don't have to pay the extra $'s for all the filtering equipment.
Pinky
Posts: 234
Location: Melbourne, Victoria

I am so angry I made this interpretive art. The GIMP again. Can't afford Photoshop and don't believe in pirating something when there is a good OSS alternative. Good on me for being a role-model citizen.

http://img341.imageshack.us/img341/8569/stephenconroyfailnp9.jpg
Spook
Posts: 23723
Location: Brisbane, Queensland
trillion, you are an idiot
trog
AGN Admin
Posts: 25724
Location: Brisbane, Queensland

I wouldn't mind the problem if you could opt out/in to the filtering. Also that if you opted out you bypass the slowing process and not be affected by it. Also if you opted out you don't have to pay the extra $'s for all the filtering equipment.
yep... it'd still be a colossal waste of money but if you could opt out no one would give a s*** about it
pARODY
Posts: 195
Location: Brisbane, Queensland
The numbers I posted about the slowdown being up to 85% are actually from the feasibility study done by a 3rd party IT firm for the filter project. Link to the article: http://www.acma.gov.au/webwr/_assets/main/lib310554/isp-level_internet_content_filtering_trial-report.pdf

There may be people here who know me from QGL's and other lans. I'm a security analyst at IBM Internet Security Systems. We've seen what these devices are capable of, we support these types of filters for corporations. I do support the idea of trying to protect the kids and uneducated online, but this is a failure of a method to do it. Everyone doing dodgy stuff online is using methods to evade detection which will not be stopped by this.

It's essentially putting up a big iron gate with a planted hedge and no fence around it. People operating things normally and as expected will use the gate. Those who don't care will just jump the hedge.

Every content filter I've had the pleasure of dealing with has been a detriment to the network(s) it's been deployed on. Some are nice and only increase latency for that protocol, others will pwn your network and limit packet size and connection counts to ridiculously small numbers across all protocols. The main device I play with at work is the ISS Proventia platform and ISS said no to it being used for this scheme.

With MitM attacks against SSL/TLS, everyone assumes you need access to the private certs. If you're the MitM, you intercept the cert going out and substitute your own and proxy the SSL session. Self-signed certs that mimic the description of a legitimate SSL cert are easy to create; how many of you know what a real cert would look like compared to a fake one with the same company name in it? How many of you spend a minute to inspect a cert when you get a popup from IE/FF/Op asking about the cert and just click OK? Only the very paranoid spend time to inspect the cert.
Plus I've seen websites that mistakenly publish the private cert instead of the public one, easy mode hijack.


last edited by pARODY at 19:37:15 19/Dec/08