Web filters threaten national security

Security experts say filters put networks at risk

Dan Kaminsky
Credit: Dave Bullock/http://eecue.com

Dan Kaminsky
Credit: Dave Bullock/http://eecue.com

Internet heavyweights have attacked the federal government's Internet content filtering plans and claimed it opens vulnerabilities that could threaten national security.

Renowned security experts reproached the Australian government for pushing ahead with the national clean-feed Internet scheme. They say a nation-wide Internet filtering is both technically infeasible and morally reprehensible, and have called on the public to disrupt the government's plans if they are actioned after the current trials.

National cyber-security received a significant boost under the government's $300 billion Defence White Paper. Security researcher Dan Kaminsky, famous for revealing the DNS Cache-poisoning attack and extent of infection from Sony's obfuscated rootkit, said the filters open a security hole which has been used to cripple entire ISP networks.

“The problem is [the government is] putting a really sensitive piece of code in a really dangerous place. The bottom line is that these active man-in-the-middle filters seem like a great idea at the time, until there is a security vulnerability,” Kaminsky said in a Web video from the recent RSA conference in the US.

“We've found major security vulnerabilities in filters put in front of ISPs and they basically corrupted the entire network for that ISP.

“I'd hate to see that affect an entire country,” he said.

Internode network engineer Mark Newton, a vocal critic of Web filtering, said the architecture of Web filters is vulnerable to hacking.

“If the network is configured to trust the censorware server, then a hacker can cause traffic flows from all over the network to divert to it,” Newton said. “The attack, which may normally take down a Web site, can have create profound privacy risks to users.”

Blacklist arbitration, more than a moral issue, has the potential to destabilise the government's scheme because effectiveness of the filters relies on clear definitions of illegal content.

Marcus Ranum, renown security designer and chief of security at Tenable Network Security, says opponents should hammer the media regulator with ambiguous content, similar to the methods used to unveil information on the blacklist.

“The best forum of civil disobedience and social protest is to look for weird edge-cases and to challenge them and consume their time,” Ranum said. “Saturate [them] with legitimate well-thought out appeals in the grey area that will make the censor's brain melt.”

Edge-cases delivered “courteously, politely, ruthlessly and cleverly” will disrupt the clarity of content arbitration, he said, and call to question the government's ability to make moral decisions about online content.

Newton said the dissenting public will be inspired to break the system if it is enforced against popular opinion.

Experts said the technology is too rigid to work with ambiguous child exploitation laws, which made recent headlines when it was revealed teenagers 'sexting' or uploading sexually explicit images to social networking sites could be charged.

“Maturity is a trajectory. When are unilaterally treating [the public] like a child, they are raising themselves as being vastly more responsible.. I don't think government are more typically more moral than their constituents,” he said.

Spire Security research director Peter Lindstrom said the size and diversity of Australia's population is unsuited to an umbrella Web filter.

“I don't see a real reason to apply these controls across a population as diverse and disparate as Australia... there is so much ambiguity in deciding what is appropriate and legitimate that it's hard to see how an entire nation-state can make that decision for its population,” Lindstrom said.

Credit to Wade Millican and Donal O Duibhir for the RSA Web video. | at nodecity.com for the Web video.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags internet content filteringACMA

More about InternodeRSASonySpire

Show Comments