Security Flaws In Aussie Net Filter Exposed

Posted by ScuttleMonkey
from the let-your-government-do-your-thinking-for-you dept.
Faldo writes "There's a three-part interview with a computer security expert on BanThisURL that goes into the flaws in the Aussie net filtering scheme. In addition to SSH tunnels and proxies, more worrying problems like trojaning the boxes to set up man in the middle attacks (which the interviewee has done in his lab), cross site scripting and the Australian blacklist leaking are all discussed. Worrying and relevant, especially since Thailand's blacklist has just been leaked."
  • Poor Design (Score:5, Insightful)

    by Anonymous Coward on Monday December 22, 2008 @01:28PM (#26203367)

    The concept itself is flawed. Centralized filters will never work, and any filtering system is imperfect. The best we can do is have individuals ascribe a reputation to a particular resource and based on trusting others' ratings we can tailor the firehose to our liking.

    Anything else is just a way for some fearmongers to stay in office and/or make a quick buck.

    • Re:Poor Design (Score:5, Insightful)

      by Hatta (162192) on Monday December 22, 2008 @01:41PM (#26203539) Journal

      The concept itself is flawed. Centralized filters will never work

      Anything else is just a way for some fearmongers to stay in office

      Sounds to me like it will work just fine then.

    • Re: (Score:3, Insightful)

      I disagree; what it mainly will do is give the illusion that Australia's children are being protected from the Big Bad 'Ol Intarwebs -- which is to say that it'll make some busybody politicians look good to their constituency.

      Don't they have anything better to do over there than screw with the internet? Don't they have some crime problems to solve or something?

      • Re:Poor Design (Score:4, Insightful)

        by Starayo (989319) on Monday December 22, 2008 @06:09PM (#26206315) Homepage
        Exactly - it won't protect children at all, except the very young who shouldn't be using it without supervision anyway. Take any high school student that's been using their school's computers and they'll have a rather better than average knowledge of web-based proxies, which every one of them has been using to get around the DET's blocking of facebook, myspace, various flash games, etc. It's only a small leap from there to using a software-based solution, and I know I'll be distributing a couple of choice ones to the few people I still know in high school. >:3

        Besides, it has an added benefit - if I somehow get caught and charged under whatever law for circumventing the filter, I'm taking someone down with me!
        • by Nazlfrag (1035012)

          There's the irony - most kids would have a less than average knowledge of the trivial ways to bypass their filters if the filters weren't so overzealous in what they block. You might be able to keep porn off your network, but not porn + social networks + flash games + whatever else (some block wikipedia!)

          • by mpe (36238)
            There's the irony - most kids would have a less than average knowledge of the trivial ways to bypass their filters

            The real irony is that "The Internet" is probably one of the safest activities known to man. In terms of the risk of death or injury downloading a movie is considerably safer than going to the cinema or buying a DVD from a shop. Many risks which exist in the physical world simply don't exist here. Indeed many of the things about which a big fuss is made only happen when people choose to intera
          • by Hucko (998827)

            The Queensland Education filter blocks the Bureau Of Meteorology site. They block the websites that teachers use to teach the students. They make us return to 80's edutainment software because a lot of schools can't afford the better quality education software. (I am a grunt tech for EdQ.)

  • by thewils (463314) on Monday December 22, 2008 @01:28PM (#26203373) Journal

    I've played with a lot of these boxes and the chances of having no security vulnerabilities at all is extremely low. In our testing we haven't actually found a box that we've been happy with the security of, except for little dedicated and extremely cut down boxes, but nothing of this type.

    Disagree, they could just use a Windows box for this, as long as they keep it up-to-date with patches they'll be fine, right?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      As long as Microsoft can keep up-to-date with their current security holes, then yes. However, with it taking them weeks to release patches for some of the biggest holes (recent IE flaw) that plan gets shot to shit fast. Even with all the latest patches, any system, be it Windows, your favorite linux distro or OS X, there's always holes waiting to be found and exploited. It's not how well the user is at running system updates, but how well the OS developers respond to critical security flaws.

  • by hack slash (1064002) on Monday December 22, 2008 @01:33PM (#26203439)
    ...it will only serve to piss off those that can't circumvent the firewall (or unskippable anti-piracy adverts in the case of legit DVDs)
  • by NoobHunter (1090113) on Monday December 22, 2008 @01:35PM (#26203455)

    that things are unhackable.

    "If you code it, it will be hacked!"

    The Titanic was an example of what should be called Cockyisms. (The belief that one is better or their product is better than it truly is.) In this case, Unsinkable...and we all know how THAT turned out!

    DVD encryption, DRM and now Net Censorship...the tighter the grip, the faster they will lose control.

  • Not really news? (Score:5, Interesting)

    by Corpuscavernosa (996139) on Monday December 22, 2008 @01:37PM (#26203497)
    An amazing story would be "NO SECURITY FLAWS IN AUSSIE NET FILTER WHATSOEVER". I'm just sayin'. There are flaws in everything.
  • by MightyMartian (840721) on Monday December 22, 2008 @01:40PM (#26203529) Journal

    The Australian government seems to have gone pretty crazy over this thing, and is taking one of the classic paths when meeting resistance; that is to make the plan even bolder and more sweeping. There seems no recognition of the fact that this won't do a damned thing to prevent the production and distribution of child pornography, but will cause no end of problems for legitimate users. But this government clearly feels its back is against the wall, and rather than simply taking the more sensible path and admitting that filtering is flawed, and in its own way dangerous, and that any attempt to screw with various P2P and secure protocols is going to do real harm to legitimate users, is basically saying "We know better than the ISPs and technical experts."

    Politics tends to attract the insanely vain, but these guys are way out to lunch. I have no idea who their technical advisers are, but either these guys are morons or simply being paid to tell the government what it wants to hear.

    But as anyone who has dealt with any kind of Internet security can tell you, it's always a game of catch-up. Whether it's viruses, root kits, DRM, firewalls, and so on, there's always someone willing, for good or ill, to crack systems, and believe me, if they actually go through with this nonsense, the desire to crack the filters, and more dangerous and delirious attempts to bust encryption and P2P is simply going to be met with better innovations to overcome them.

    But it does go to show you that the intellectual tyrannies are not simply the product of political tyrannies, but any government so sure in its own righteousness can play the part of the tyrant, simply by repeating the mantra "it's for their own good".

    The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion. Western Civilization has lost its balls. We've fought world wars, sacrificed our young on countless battlefields, beat back the Communists by even the most questionable means, for what? So some religious nut can make decrees as to what law-abiding citizens of a so-called free country can view on the Internet?

    What a sad, fearful, pathetic lot the West has become.

    • by dgatwood (11270) on Monday December 22, 2008 @01:47PM (#26203599) Journal

      Politics tends to attract those who want power, and those who want power are seldom in the best interests of those who are being led. Therefore, an ideal political structure would include a benevolent dictator randomly chosen from the population, who would be deposed if another group of a dozen randomly chosen people decide to throw him/her out. It would then have a mock electoral process to elect fake leaders. The resulting political body's sole purpose for existence would be bringing politicians out of the woodwork and keeping them isolated from polite society.

      I hereby nominate CmdrTaco as the first benevolent dictator. All in favor, say aye!

      • by Drakkenmensch (1255800) on Monday December 22, 2008 @02:00PM (#26203753)
        This concept is central to the galactic government in the Hitch Hiker's Guide to the Galaxy where the galactic president is chosen to be a figurehead, a distraction whose sole purpose is to wow the media with his moronic antics. This explains why Zaphod Beeblebrox was so successful in the role. The people really in charge knew well that anyone wanting power was always a menace to the people they sought to represent, so anyone manifesting the slightest desire to be president was kept away from real power by any means possible. The true leader of the galaxy was in reality a man who had no idea about anything that happened outside his isolated wood cabin, and whose biggest preoccupation was keeping his cat happy. The whole system worked as good (if not better) than anything else the galaxy had ever seen.
        • by jgtg32a (1173373)
          Didn't he order the destruction of Earth?

          (note I haven't read the book, and only saw that part of the movie)
          • by Drakkenmensch (1255800) on Monday December 22, 2008 @02:45PM (#26204267)

            Didn't he order the destruction of Earth?

            No, that was the psychiatrist association because they didn't want the meaning of life to become widespread knowledge and thus relieve people of their bread-winning anguish and angst. So they hired the Vogon constructor fleet to blow it up for them, under the pretense of clearing up the path of a hyperspace bypass.

          • by kent_eh (543303)

            Didn't he order the destruction of Earth

            Nah, the earth was destroyed as a bureaucratic expediency. It was in the way of a hyperspace bypass, so it had to be demolished. Much like Arthur's house was in the way of a highway bypass, and had to be demolished.
            Nothing personal. It's just in the way, you see.

          • by Eskarel (565631)

            In one version yes, but that version doesn't have the bit under discussion.

            The movie does not follow the plot of the books, which do not follow the plot of the tv series which does not follow the plot of the radio series.

            Douglas Adams only really required that the earth be destroyed and that Arthur be Arthur between different incarnations, pretty much every other character changes pretty drastically between different versions.

        • by mpe (36238)
          The true leader of the galaxy was in reality a man who had no idea about anything that happened outside his isolated wood cabin, and whose biggest preoccupation was keeping his cat happy.

          All hail the feline overlords.
      • by shermo (1284310)

        "Solar Lottery" by Philip K. Dick was based on this premise.

        Randomocracy.

    • Re: (Score:3, Informative)

      by Kalriath (849904) *

      The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion.

      Being Australians, they probably are. They'll find it pretty ineffective though, considering the government is situated in the Capital - Canberra.

    • With this, expect P2P to move to dynamic DNS. The P2P payload in the TXT DNS replies, MIME encoded perhaps.

      If they are this draconian, why don't they just mandate VCR type screen recording of everyone's screens. Isn't that the only way they can truly accomplish their goals? Tampering would result in life imprisonment, by law.

      Geez.

    • by tonyray (215820)

      They don't have to be 100% effective to be effective. If they can say we are stopping 99%, then they can claim victory. Protecting the children just means doing something 99% of the children find too difficult to circumvent. No law or technology is ever 100% effective in achieving its purpose.

      • They don't have to be 100% effective to be effective. If they can say we are stopping 99%, then they can claim victory. Protecting the children just means doing something 99% of the children find too difficult to circumvent. No law or technology is ever 100% effective in achieving its purpose.

        Yeah mate, but if my own childhood is any indication, you only need to find the one child that got around X prohibition and ask him how. In my times it was pr0n betamax movies.

        They may prevent 99% of children from stumbling upon some of the truly horrific stuff that exists on the intratubes BUT it is bloody hard to stumble upon it to begin with. Most of the stuff you have to *actively* search for.

        Back before the web I searched alt.pictures. out of curiosity and it was very hard to find the stuff. Around 9

    • The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion.

      If they did march on Adelaide, then the enlightenment would have died in Australia. The capital is Canberra. :-)

      Maybe it's died somewhere a little closer to home?

    • by dangitman (862676)

      The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion.

      I disagree. It would be much more pathetic if the Aussies were to march on Adelaide. Who the hell sold them those defective GPS units, anyway?

    • The Australian government seems to have gone pretty crazy over this thing, and is taking one of the classic paths when meeting resistance; that is to make the plan even bolder and more sweeping. There seems no recognition of the fact that this won't do a damned thing to prevent the production and distribution of child pornography, but will cause no end of problems for legitimate users. But this government clearly feels its back is against the wall, and rather than simply taking the more sensible path and admitting that filtering is flawed, and in its own way dangerous, and that any attempt to screw with various P2P and secure protocols is going to do real harm to legitimate users, is basically saying "We know better than the ISPs and technical experts."

      Politics tends to attract the insanely vain, but these guys are way out to lunch. I have no idea who their technical advisers are, but either these guys are morons or simply being paid to tell the government what it wants to hear.

      But as anyone who has dealt with any kind of Internet security can tell you, it's always a game of catch-up. Whether it's viruses, root kits, DRM, firewalls, and so on, there's always someone willing, for good or ill, to crack systems, and believe me, if they actually go through with this nonsense, the desire to crack the filters, and more dangerous and delirious attempts to bust encryption and P2P is simply going to be met with better innovations to overcome them.

      But it does go to show you that the intellectual tyrannies are not simply the product of political tyrannies, but any government so sure in its own righteousness can play the part of the tyrant, simply by repeating the mantra "it's for their own good".

      The Enlightenment has died in Australia, and it's sad that the people aren't marching on Adelaide demanding the government's resignation and Rudd's forced expulsion. Western Civilization has lost its balls. We've fought world wars, sacrificed our young on countless battlefields, beat back the Communists by even the most questionable means, for what? So some religious nut can make decrees as to what law-abiding citizens of a so-called free country can view on the Internet?

      What a sad, fearful, pathetic lot the West has become.

      Huh? I know Nick Xenophon has been exercising a little of his balance-of-power lately but last time I looked Kev'07 was from Queensland and the parliament was located in Canberra, WTF has Adelaide got to do with it?

  • If stopping 100% of the users is the goal, then it fails. However, if stopping or impeding 50% perhaps it could be labeled a success. In general the argument against most of these proposals seems to follow the line of, 'it won't stop me so why bother.' However, for every one you can't stop there are scores of those you do. Does that make the effort less worthy? For every one that gets by, there are dozens of 14 year old girls who will now be denied the latest Fergie album on their ipod. This is really what t

    • by mcgrew (92797) * on Monday December 22, 2008 @02:26PM (#26204033) Homepage Journal

      If stopping 100% of the users from getting indie music is the goal, then it fails. However, if stopping or impeding 50% of indie music perhaps it could be labeled a success? Because that's what this is about - stopping the use of a legal and legitimate product to destroy an industry's independent competition.

      The industry isn't afraid of Fergie being downloaded, it's afraid of The Station being downloaded.

      • by johnsonav (1098915) on Monday December 22, 2008 @03:00PM (#26204395) Journal

        The industry isn't afraid of Fergie being downloaded, it's afraid of The Station being downloaded.

        They should be. But I don't think the industry, that didn't even see P2P coming, has that much collective intelligence or foresight.

        I think what they're really afraid of is a generation of potential consumers who give no thought to the copyright status or label affiliation of an album, who don't care if their downloads are legal or not. They're afraid of a culture which doesn't even consider paying for music. They're afraid that their role as musical gatekeepers will become obsolete. They're afraid that their product will have to compete with all others on a level playing field. And they should be.

      • by houghi (78078)

        The industry isn't afraid of Fergie being downloaded, it's afraid of The Station being downloaded.

        You have a URL for that?

        • by mcgrew (92797) *

          thestationmusic.com

          There's a link on their site to an archive.org collection of live shows.

    • Re: (Score:3, Insightful)

      by danpat (119101)

      While projects like this might hit their modest targets initially, they're totally doomed in the long term.

      If 1% of users can get around it with highly technical trickery, it's not going to be long before one of those 1% packages the workaround up into a nice one-click piece of software that everyone can use. Just look at CSS. It only took one DVD-Jon to figure it out and now CSS is effectively useless.

      That's why I think lots of people argue that it's either 100% or don't-bother.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you set the goal very low, like stopping 50% of bad data, but accept blocking 50% of good data as well, then it's almost impossible to fail. simply deleting 50% of traffic would satisfy that goal, and doesn't even need any filtering at all.

      Making a filter that stops more bad traffic than good traffic is very difficult, especially when the amount of good traffic is very large.

      • actually, a blacklist approach does quite well in blocking more bad than good, but it does so at the cost of either a *large* upkeep cost on the list (and still a moderate amount of bad getting through to determined people), or a large amount of bad being let through.

    • by MightyMartian (840721) on Monday December 22, 2008 @02:37PM (#26204183) Journal

      If a proposal is only going to stop a small proportion, stomps all over civil liberties, could potentially break important protocols, can be circumvented by the technically savvy (which tends to include the very people who the proposal alleges it can stop) and introduces dangerous new security flaws, then I'd say the proposal ought to be rejected.

      Let's be clear here. All this plan may do, at the very best, is catch the technically challenged pedophiles. That's a best case scenario, and basically undermining an entire country's Internet access to catch this group is rather like a sniper sitting on an overpass randomly shooting at cars because some of those cars may be driven by drug dealers. Yes, it's true, some small number of drug dealers may actually be killed, but if that's your idea of policing, then we might as well declare everyone guilty, take away their computers and call it a day.

      The plan is idiotic, its proponents are at best naive, and international child abuse won't be dented by it.

      • Re: (Score:2, Insightful)

        by TheSeer2 (949925)

        It won't stop pedophiles at all. It'll stop those seeking child pornography on the internet, but it won't do crap to stop the actual abuse of children.

    • by danzona (779560)
      In general the argument against most of these proposals seems to follow the line of, 'it won't stop me so why bother.'

      That is not the general argument. The general argument is that it will not stop someone who is sufficiently motivated because the effort to circumvent the restriction is trivial. This goes for gun control, child pornography, DRM, abortion, prostitution, border fences, drinking ages, etc.

      if stopping or impeding 50% perhaps it could be labeled a success

      Stopping or impeding 50% (of
    • by bane2571 (1024309)
      The intent is supposedly to "protect the children" Though the scope of the project is creeping somewhat.

      Everyone in my highschool had to go through the government mandated internet filter. Guess what that caused? Stupidly slow internet and every student with access to hardcore porn while the teachers thought the net was safe for them to be left alone with.

      What the government is trying to do is be able to say "nothing illegal going on there, we have the filter" while not actually ever having to check to m
  • by Punto (100573) <puntob AT gmail DOT com> on Monday December 22, 2008 @02:32PM (#26204117) Homepage
    doesn't the government publish the blacklist? this isn't like other countries where they just pretend like there is no filtering going on at all.
    • by Qzukk (229616) on Monday December 22, 2008 @02:44PM (#26204263) Journal

      doesn't the government publish the blacklist?

      I searched for it online but every time I tried to view the list, I got a page that said the site had been blocked.

    • by arctanx (1187415) on Monday December 22, 2008 @03:00PM (#26204405)

      Minister Conroy posted a response to this question [dbcde.gov.au] on his blog yesterday.

      Basically he says that the blacklist will not be published because it will primarily contain child pornography and therefore publishing it would be equivalent to distribution of illegal material. I don't think this is going to alleviate the System Administrators' Guild's concerns [itwire.com] about how they're going to deal with their own servers being blocked, erroneously or otherwise.

      • by mpe (36238)
        Minister Conroy posted a response to this question on his blog yesterday.
        Basically he says that the blacklist will not be published because it will primarily contain child pornography and therefore publishing it would be equivalent to distribution of illegal material.


        Which translated means "It will mostly contain perfectly legal material. But we need to prevent the world from laughing at us."
    • by Swampash (1131503)

      doesn't the government publish the blacklist?
      Incredibly enough, no. Even MORE incredibly, the AU government's position on the filtering plan is something like "even though for this plan to work hundreds of ISPs have to have a copy of the blacklist, and every one of those ISPs will have somewhere between tens and thousands of employees, all of whom hate this plan that depends on the obscurity of the blacklist, we are certain that the list will never get leaked and become public".

      I for one am waiting for the f

  • ipv6 (Score:5, Interesting)

    by Tony Hoyle (11698) * <tmh@nodomain.org> on Monday December 22, 2008 @02:33PM (#26204143) Homepage

    I bet the filter isn't ipv6 capable... I just can't see the lawmakers being that tech savvy.

    That could be just the boost the protocol needs, in Australia at least.

  • Could be a router (Score:3, Interesting)

    by lord_sarpedon (917201) on Monday December 22, 2008 @03:54PM (#26204927)

    Let's not forget that, if a big important router was compromised (such as the one in charge of the carrier pigeon link between Downunderland and the rest of the world), the same things could be done.

    These aren't new problems introduced purely by a porno filter. These are problems introduced by lack of encryption and made easier by insecure porno filters.

    If they try to MITM a TLS connection, certificate warnings will pop up. As is supposed to be guaranteed. All the bullshit lately should go a long way to convince people that YES, we need widespread encryption NOW.

    I stand by previous statements that Firefox's multi-click certificate override is the Right Thing. But more and more, I'm beginning to think we need an 'httpe' as some people suggested which operates on SSH's "ohhh shits teh key changed!!" model. Push it out in the new Firefox and WebKit. Have a nice, plain-language warning on first visit and a big scary multi-click override when the key changes. And here's something new...
    Define a means by which a link, such as from a secure Google search results page, can include the expected key. No need for a warning - you now have a key for that domain if expected agrees with what you get. The reason is simple - big brother can't see your conversation with Google or some other secure/pseudo-trusted authority, but they CAN try to MITM you with a key other than the expected one. Google can lie about the expected key, but you'd get a different one (either the real one or one from aussieland's gov). If either party could do BOTH you'd be screwed anyway, because Google's certs would at that point mean jack shit.
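
The key-continuity model sketched in the comment above, written out as an added example (not part of the original thread and not any browser's code): a per-host pin store that warns on first visit, escalates when a pinned key changes, and pins silently when the referring link carried the expected key. `PinStore`, `Verdict`, the host names and the key bytes are all constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    OK = "key matches the stored pin"
    FIRST_VISIT = "no pin yet: plain-language warning"
    PINNED_BY_LINK = "no pin yet, key matches the link's expected key: pin silently"
    KEY_CHANGED = "key differs from the stored pin: multi-click override"
    LINK_MISMATCH = "key differs from the link's expected key: refuse"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the presented key; this is what gets pinned."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Hypothetical per-host key pins, analogous to SSH's known_hosts."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint

    def check(self, host, presented_key, expected_fp=None):
        """Decide what the client should do with the key a server presents.

        expected_fp is the fingerprint a referring link carried, if any.
        """
        seen = fingerprint(presented_key)
        pinned = self._pins.get(host)
        if pinned is not None:
            # A stored pin outranks anything a link claims.
            return Verdict.OK if seen == pinned else Verdict.KEY_CHANGED
        if expected_fp is not None:
            if seen == expected_fp:
                self._pins[host] = seen
                return Verdict.PINNED_BY_LINK
            # Either the path or the referrer is wrong; pin nothing.
            return Verdict.LINK_MISMATCH
        return Verdict.FIRST_VISIT

    def accept(self, host, presented_key):
        """Record the user's explicit decision to trust this key."""
        self._pins[host] = fingerprint(presented_key)

    def pinned(self, host):
        return self._pins.get(host)


# Constructed sample keys (placeholders, not real key material).
BANK_KEY = b"constructed-bank-public-key"
NEWS_KEY = b"constructed-news-public-key"
MAIL_KEY = b"constructed-mail-public-key"
PROXY_KEY = b"constructed-intercepting-proxy-key"


def demo():
    store = PinStore()
    results = []
    # First visit with no link hint: warn, then the user accepts.
    results.append(store.check("bank.example", BANK_KEY))
    store.accept("bank.example", BANK_KEY)
    # Later visit, same key.
    results.append(store.check("bank.example", BANK_KEY))
    # Later visit through an intercepting box that presents its own key.
    results.append(store.check("bank.example", PROXY_KEY))
    # New host reached via a link that carried the expected fingerprint.
    results.append(
        store.check("news.example", NEWS_KEY, expected_fp=fingerprint(NEWS_KEY)))
    # New host, link carried the real fingerprint, interceptor answers instead.
    results.append(
        store.check("mail.example", PROXY_KEY, expected_fp=fingerprint(MAIL_KEY)))
    return results, store


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(f"{verdict.name}: {verdict.value}")
```
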

    • Let's not forget that, if a big important router was compromised (such as the one in charge of the carrier pigeon link between Downunderland and the rest of the world), the same things could be done.

      Let's not forget that I use SSL to protect my banking and other details when logging into sites. The (dis)honourable Conroy wants to MITM SSL connections. Your average schmuck won't think twice about the certificate warnings when that happens. They'll take the path of least resistance ("let me in") and have their bank details decrypted in the proxy (not that they know that). Of course Joe Hacker has leveraged a known security exploit that went unpatched because the proxy vendor charges for updates and

  • by David Gerard (12369) <slashdotNO@SPAMdavidgerard.co.uk> on Monday December 22, 2008 @05:13PM (#26205751) Homepage

    "We have buttiduously canvbutted the industry, buttessed what is available and buttembled the finest selection of contractors for this buttignment. The filters will buttociatively clbuttify all communications [today.com] and filter then, I can butture you, rebuttemble them with surpbutting exacbreastude in any quanbreasty. Consbreastuents can be rebuttured that a mulbreastude of industry compebreastors will butture quality and keep our clbuttrooms safe. EDS Capita Goatse will not embarbutt us."

    The plans have attracted wide criticism. "It will only give supersbreastious rebutturance to medireview thinkers," said EFA. "Automated systems won't solve human problems like loveual harbuttment. Mbuttacring the written word into a Picbutto painting is not the anbreastank missile of Internet safety."

    Unions also butterted that such close buttessment of staff in the workplace would hamper efficiency and could verge on workplace harbuttment. "Watermeloning cranberries."

    The government was unfazed. "Butterting free speech is one thing, but a triparbreaste committee considers that that does not justify mere pbuttive breastillation at the expense of others."

    The first filtering offices will be set up in Arsenal, Penistone and Scunthorpe.

  • The Aust. Gov. has already planned how to stop these security vulnerabilities, effective immediately this article and videos will be filtered.
  • Internet filters won't work: ISP [abc.net.au]
    Don't bother clicking unless you want to hear audio.

    Two of the country's major internet providers say the Government appears unlikely to meet its own deadline for trials of mandatory internet filtering.

    The Government planned to begin the trials before Christmas, but iiNet and Optus say they have not heard back from the Government about their applications to take part.

    iiNet's chief operating officer Mark White has told Radio National he is sceptical about plans to filter the
