ARN

Internet filtering may be exploited by hackers

Legitimate websites may be unwittingly embroiled in a mandatory clean-feed, according to a security vendor.

The Federal Government’s proposed ISP-level filtering policy may be exploited by hackers targeting legitimate websites, according to Arcsight CEO, Tom Reilly.

Arcsight is a network security vendor which has worked closely with the US government and a number of its intelligence agencies.

Reilly recently spent two days in Canberra where he met with federal government officials and discussed cyber security concerns.

“I think filtering will be very difficult to make it work,” Reilly said. “You can spend hundreds of millions of dollars putting the technology in place, trading a lot of acrimony and concerns across a large part of the population and not achieve the objective.”

One key point Reilly refers to is the potential for hackers to manipulate a mandatory Internet filter to cause damage to legitimate businesses.

“If you’re going to filter out sites that have allegedly concerning information, let’s say child porn, a lot of times those businesses don’t know content is placed on their website and you bring down a business,” he said. “Hackers - if they wanted to – can put child porn on the Parliament House website, so do you bring that down as well?

“That’s an extreme but it is a very complex issue.”

Reilly said community sites, such as Facebook, are dominated by user generated content. He highlighted the difficulty in controlling the types of material being posted.

Reilly used the Facebook memorial sites of two murdered Queensland minors, which were defaced this month with images of pornography and bestiality, as an example of inappropriate content inflicted on legitimate websites.

“But do you bring down Facebook? No, you don’t,” Reilly said.

The Arcsight chief recommended education, providing families with their own filters as well as spending money on tracking down the producers of questionable content, as a better solution to a mandatory ISP clean-feed.

The filtering policy has been met with strong opposition from major organisations including Google and Yahoo!.


Comments

1

Matt

Mon 01/03/2010 - 14:20

Providing families with their own internet filter for use at home eh? Wait, didn't we already have something like that, and Conroy removed it under the pretense of "protecting children"? Who'da thunk it?

2

Ailie

Mon 01/03/2010 - 14:54

A brilliant argument, but let's face it, the gov won't listen. They'll just shrug it off and push on with their communist scheme.

3

John

Mon 01/03/2010 - 15:26

I think Hackers will target the filter itself also.
Hackers may be able to place sites like google.com.au on the black list preventing any access while it's black listed.
Hack the government notice page, place porn on it. Suddenly people get porn when they try to access google.

It also wouldn't be hard to DDOS attack a filter and take down an entire ISP. If a little youtube traffic is enough to make the net go slower as Stephen Conroy has stated, then a DDOS attack would be crippling.

4

TheG

Mon 01/03/2010 - 15:27

It is sad to see the CEO of a security vendor who has no idea what he is talking about...

The Australian filter is URL based, not website based. You cannot bring down a site unless all URLs are categorised RC.

Tom Reilly sells a different solution, which is fine, as long as he is basing his claims on fact and not on fiction.

Right now he is talking like he has never heard of URL filtering, or is afraid of it and wants it to go away...

The whole current ISP filter proposal is URL and not site based.

Typical USA CEO....

5

Damian

Mon 01/03/2010 - 17:13

That's all well and good, but it is an inconvenient truth to this government, so it will be swept under the carpet like everything else.

6

Teddington

Tue 02/03/2010 - 08:56

Looks like ARN is exercising some reverse censorship of their own... No comments published here?

7

WTF

Tue 02/03/2010 - 10:47

To TheG

My understanding of the filter is that it examines web traffic looking at the IP address and blocks traffic from sites "that may have" RC classified material.

If the site IS URL based, and doesn't work on IP's but rather very specific addresses, then that's just a joke... you could have

http://www.somesite.com/ banned, but not

http://www.somesite.com/badimage.jpg

Right? Honestly, how would that help?

Irrespective, I find it horrible that the government can influence my researching euthanasia. Euthanasia is a talking point of society that needs to be discussed, not blocked simply because a politician disagrees with it.

8

rhys

Tue 02/03/2010 - 12:55

There are a few misinformed comments here.

The URL actually tells you two things:
1) the domain - this resolves into an IP address that tells you where the web server is. This request is sent to your ISP.
2) the URL - this is sent by your browser directly to the web server to ask for the page/image/whatever

Yes the filter is URL based, but to filter the URL it uses DNS poisoning to send ALL traffic to any site on the list through a proxy. Once that traffic is sent to the proxy it is able to look at the HTTP page requests and send you back an error page for the listed address.

That is why youtube cripples the filter - there is an absolute boatload of data that is transferred between youtube and its clients but to filter one video you need to proxy all of that traffic.

The massive amounts of traffic apply to CDNs like Akamai or Amazon S3. But what happens when people start doing their hosting on azure or other cloud services where their addresses resolve to virtual servers scattered around the world? This filter is doomed to fail mainly because it is based on filtering the internet as it was in 1999.
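The two-stage design described in the comment above, next to the host-level (DNS or IP) blocking raised elsewhere in the thread, modelled as an added example; it is not part of any comment and not the code of any real filter product. The blacklist entry, the request list, `www.othersite.example` and all function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed blacklist: a single listed object on an otherwise legitimate site.
URL_BLACKLIST = {"http://www.somesite.com/badimage.jpg"}

# Constructed request sample: four requests to the listed host, one elsewhere.
REQUESTS = [
    "http://www.somesite.com/",
    "http://www.somesite.com/badimage.jpg",
    "http://www.somesite.com/about.html",
    "http://WWW.SOMESITE.COM/badimage.jpg#top",
    "http://www.othersite.example/index.html",
]

def normalise(url):
    """Canonical form for comparison: lower-case host, no fragment, no port."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.hostname}{p.path or '/'}{query}"

def listed_hosts(blacklist):
    """Stage-one key: every hostname that carries at least one listed URL."""
    return {urlsplit(u).hostname for u in blacklist}

def host_level(url, blacklist):
    """Host-level blocking: one listed URL takes the whole host with it."""
    return "BLOCK" if urlsplit(url).hostname in listed_hosts(blacklist) else "PASS"

def hybrid(url, blacklist):
    """Divert listed hosts to a proxy, then compare the full URL exactly."""
    if urlsplit(url).hostname not in listed_hosts(blacklist):
        return "PASS"      # never reaches the proxy
    if normalise(url) in {normalise(u) for u in blacklist}:
        return "BLOCK"     # exact match on a listed URL
    return "PROXIED"       # delivered, but the proxy had to carry it

def summarise(requests, blacklist):
    """Count outcomes per design so the collateral effect is visible."""
    return {
        "host_level": dict(Counter(host_level(r, blacklist) for r in requests)),
        "hybrid": dict(Counter(hybrid(r, blacklist) for r in requests)),
    }

if __name__ == "__main__":
    for design, counts in summarise(REQUESTS, URL_BLACKLIST).items():
        print(design, counts)
```

With host-level blocking the legitimate pages on the listed host are lost along with the listed object; with the hybrid design they are delivered, but every request to that host still transits the proxy, which is the load problem the comment attributes to high-traffic sites.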

9

John

Tue 02/03/2010 - 13:00

To TheG.
The filtering system will have wildcard options to block entire sites.
The government would not go to something like a terrorist site and block each and every URL. They would just blanket ban the domain and IP.
It's already been stated many times by Conroy.

10

wazza

Tue 02/03/2010 - 14:05

The filter has nothing to do with protecting the public, but rather is an attempt to rein in the internet and quash information that would otherwise lead to dissent.

Let's face it, the net has broken the back of corporate, paid to talk media and the real power in the world doesn't like that.

Sooo, let's trot out a thinly guised, draconian and Stalinist control freak filter to curtail the freedom with which responsible adults can access information.

11

Kevin10, never again!

Tue 02/03/2010 - 14:09

Re TheG: "The Australian filter is URL based"

This is not yet final. The Telstra internal filter test was done using simple & quick DNS black-holing techniques, not URLs. Yet Conroy's office quotes the higher speed of Telstra's filtering, which implies that Conroy may have to accept DNS black-holing as an acceptable filter method, which if this happens, hackers will be able to have a site blacklisted just as described in this article.

Re John: "I think Hackers will target the filter itself also."

My understanding is that the blacklist residing on the filters may be updated remotely by the government. If this is true, then an open port to the internet would be required, which would then make these filters open to cracking techniques by hackers. Once a hacker has gained control of the filter system, he could then plant a "man in the middle" program & route a duplicate stream of sensitive traffic to another location for his perusal.

12

TheG

Tue 02/03/2010 - 14:10

To WTF, actually the filter simply does an exact comparison of individual URLs on the blacklist with addressed URLs.

That could be a webpage, it could be a single object such as the http://www.somesite.com/badimage.jpg you have mentioned.

It is an urban myth or pretty ordinary FUD from some people to suggest whole websites will be blocked....

That would not help and it does not work that way. You will probably read such claims often but they are falsifications.

If a whole website consists of only a single page and that is categorised RC, then that page will be blocked irrespective of what else is or is not connected to it.

That is a question for the website owner to answer.

If you google euthanasia, over 3,300,000 results are returned. If some of those pages detail a "how to" guide and eventually get banned, e.g. 5 URLs, that leaves you with over 3,300,000 webpages to research.

That leaves you with massive resources to research, and I dare say you will never get through all of them in any case.

There are loads of things we cannot do, every day, because governments and politicians disagree with them.

That is how we get laws.

That is quite normal. But it is not a single pollie that makes that decision, it is governments, and has always been governments.

If hackers could hack security gear like the filters so easy as suggested by some, why are they not hacking ISPs all the time? There would need to be chaos in ISP-land all day and night?

Is it that easy to hack ISPs? I thought most ISPs knew what they were doing?

There is a huge difference between DDOSing a website and actually gaining admin access to a non public facing security appliance, otherwise ISPs would be falling over continually.

13

TheG

Tue 02/03/2010 - 16:27

Kevin10, Telstra have already made it clear that they will not be using the model they tested. Apart from that, the reference to IP addresses is only to accelerate the process by only redirecting traffic associated with the specified IP addresses to the actual filter system for URL identification.

The proposed filter program has always been URL based, statements to the contrary are false.

Open, unsecured and publicly accessible ports as such are not required, as highly secured VPNs directly between ACMA and the ISP systems are planned.

As secure as anything any bank uses...

Gain control of the filter system? Fantasy stuff mostly. As said, otherwise they would already be controlling half the ISPs on the planet. Some people seem to think that ISPs have no idea of security?

The best they can do so far is DDOS a couple of websites and hack into private PCs in people's homes.

Hackers do not have a magic wand that gets them into any appliance or server they like. Your bank account would be empty by now if it was so easy.

AlohaMora!! Go Hermione Go...

If every URL of a site is RC then block every URL. It is advantageous when people can tell the difference between exceptions and the rule, it is a Red Herring Festival when they quote the exception as the rule.

Painting devils on the wall and crying Wolf Wolf..?

DNS poisoning is not needed at all, where did that ancient idea come from? Time to get into the 21st Century. Proxies are also not needed at all.

14

steve

Tue 02/03/2010 - 19:09

"Gain control of the filter system? Fantasy stuff mostly. As said, otherwise they would already be controlling half the ISPs on the planet. Some people seem to think that ISPs have no idea of security? "

Yes actually they do, what they DON'T do is put in a system that leads to a single point of failure that can bring the entire system down. ISPs, hosting companies and the websites they host are being attacked all the time, and rarely does it bring the ISP down, but when it is legislated that they install a single point of failure system, against their desire and better judgement, it becomes a problem.

I do seem to recall one of the government's own websites being brought down by an attack recently, oh what a short memory we have. The fact is, hackers are a smart lot, and a single point of attack can be tackled in many different ways, and likely in ways we don't even imagine at the moment. Would you really implement a system nationwide that has never been tested at the pointy end of the internet before?

Arguments that half the ISPs on the planet would be pwnd if this were the case are flawed logically. In most democracies the filters are voluntary and they have procedures in place for problems with the filter: if the filter box gets hacked they just pull it out of the system and pass all communication through the uncompromised base system unfiltered until they fix it, as happened with the Wikipedia debacle in the UK, when many ISPs just pulled the filter out of the system. In Australia it will be illegal to pull the filter out of the system; if they do, fines start at $11,000 per day and go upward, so they will more than likely just pull the entire system offline, cutting off 100,000s of users, until it is fixed.

We don't know what attacks may be made against it, but we will find out, hopefully not too late to remove the system if it proves fundamentally unworkable.

15

Youda

Tue 02/03/2010 - 22:31

Someone help me, I cannot find any quotes or docs from Conroy saying he was gonna allow the blacklisting of whole websites with the RC filter. John, can you help me out here mate?

16

Kevin10, never again!

Tue 02/03/2010 - 22:57

TheG,

"Telstra have already made it clear that they will not be using the model they tested"

Really? I don't see any reference to that. Yet their reference to their DNS test still stands at: http://exchange.telstra.com.au/2009/12/15/isp-blocking-our-evaluation-report/

"highly secured VPNs directly between ACMA and the ISP systems are planned."

Nothing is secure. Many security admins were shocked when a presenter at the 2008 Blackhat Conference in Las Vegas demonstrated using a "man in the middle" attack between a VPN client & server.

"Gain control of the filter system?"

Very few countries have mandatory filtering. Of those that do, many of them don't have a high e-commerce usage, whereas in Australia, there is a high usage of e-commerce with a market of tens of billions of dollars. The Australian filter will definitely become a hackers target as the high financial reward for doing so is too tempting.

"Fantasy stuff mostly."

Last year an Australian hacker used a botnet to remotely install scripts onto netcomm ADSL routers (with a security hole) connected to the net - thus having the ability to add to his botnet. A few years ago this would be considered "fantasy", today it is a "reality".

"Some people seem to think that ISPs have no idea of security?"

ISPs are only required to give you access to the net, nothing about security. The larger ISPs that may decide to develop their own filter solution would be expected to have better security, whereas the smaller ISPs will use a 3rd party solution that is likely to be filled with security holes & programming bugs (i.e. buffer overflows).

Furthermore, a staff member at an ISP may even be bribed by a well funded hacker group (i.e. Russian Mafia) for access details to these filters so they can install "man in the middle" daemons.

"Your bank account would be empty by now if it was so easy."

I know people that have had strange things happen to their bank balances. The bank claims an internal system error whereby it may have been a hacker. Banks keep details about hacking very quiet, else customers lose faith in the electronic financial system.

"DNS poisoning is not needed at all, where did that ancient idea come from? Time to get into the 21st Century. Proxies are also not needed at all."

If this is true then why were DNS blackholing filter tests done by Telstra & Exetel? Why were proxy filtering tests done by Enex Labs for the government?

17

Kevin10, never again!

Tue 02/03/2010 - 23:19

TheG,

"If hackers could hack security gear like the filters so easy as suggested by some, why are they not hacking ISPs all the time?"

ISPs get attempted hacks all the time, generally from automated programs on remote systems via anonymous networks. The reason that the vast majority of these are unsuccessful is due to the investment in their quality infrastructure, such as Cisco. However, ISP datacentres with Microsoft boxes get successfully hacked on a regular basis.

The problem with the filter security is that there's no long history with any of the filter vendors as to judge their ability to handle attacks. However, there's plenty of history that shows that these systems were developed for closed environments such as schools & corporates - in which the chance of hackers is low.

Furthermore, due to these filter systems being originally developed for these closed environments, the quality of the programming code for these systems is most probably very rushed & poor - & has yet to have its holes exploited by an opportunist hacker.

18

Ben

Wed 03/03/2010 - 00:22

@ TheG

"If hackers could hack security gear like the filters so easy as suggested by some, why are they not hacking ISPs all the time? There would need to be chaos in ISP-land all day and night?"

Basically because ISP networks are decentralised. Without filters, data does not need to go to a single point in the network for checking. With filters, it does. Hackers (well not actually hackers per se, moreso troublemakers) will simply cause the filter boxes to crash under high load, including a technique called split packets, whereby the filters attempt to reconstruct packets but can't because they never end, causing them to crash.

An analogy is a five lane highway. One day, the highway is merged into one lane. A person wanting to cause trouble creates a roadblock on that lane. The result? All traffic is halted. Decentralised, as is the current situation, everything flows as it should. Centralised, which is where the filters come into place, everything must go to one specific place in the network. When that fails, no more data is processed, mainly due to legal threats for not censoring the traffic.

19

Duke

Wed 03/03/2010 - 12:09

@TheG: Hackers (well not actually hackers per se, moreso troublemakers)

Ah yes, the inevitable troublemakers who may cause issues for the filter. A senator's troublemaker, a PM's extreme libertarian, everyman's right to a free internet...
