Optus’ filter can be defeated by ‘trivial’ DNS change


The nation’s second-largest telco Optus this afternoon confirmed users would be able to defeat its implementation of a blacklist filter of sites containing child pornography merely by changing the DNS settings on their PC.

Along with Telstra, Optus has pledged to implement a voluntary filtering framework developed by the ISP industry’s peak representative body, the Internet Industry Association. The filter, which is being seen as a more moderate industry approach developed in reaction to the Federal Government’s much more comprehensive filter scheme, will see the ISPs block a “worst of the worst” list of child pornography sites generated by international police agency Interpol.

However, in a brief statement this morning, Optus confirmed industry speculation that its filter could be defeated through a minor setting change on Internet users’ PCs. “That’s correct,” a spokesperson said, when asked if users could circumvent Optus’ filter by setting their PC to use a different DNS server than the default. “It’s a feature of the Interpol list.”

The circumvention technique works because the ISPs block Interpol’s list of sites at the domain name (DNS) layer, a different and less complex technique than the models which have so far been proposed under the Federal Government’s much wider scheme.

Asked about the same issue, Telstra was less willing to comment than Optus. “We do not intend to explain how motivated people with technical skills can access child abuse content by circumventing blocking of the Interpol worst of list,” a spokesperson said this morning. “This would undermine our efforts to reduce the incidence of victims being publicly identified in Australia.”

Telstra’s filter went live late last week, while Optus’ will be implemented over the forthcoming weeks. Other ISPs have not yet clarified whether they are definitely planning to implement the IIA’s framework, although several have specified they will cooperate with legal requirements if necessary.

Responding to Optus’ revelation of the ease of circumventing its Interpol filter, Electronic Frontiers Association spokesperson and board member Stephen Collins said he had to wonder why Optus would even bother with the filtering system. “With such a trivial circumvention, Optus’ implementation of this block list is worse than ineffective, it’s also misleading on a grand scale,” said Collins.

“Nobody will be protected from criminals by this, and worse, for those customers who believe they are protected, their kids or anyone else using their internet connection will bypass this with less than 30 seconds effort. Optus should be ashamed of themselves; first for implementing this list and trying to have their customers believe it would work and second for doing such a half-baked job.”

Last week, Collins labelled the IIA’s blacklist approach as “security theatre”, a term coined by US security consultant Bruce Schneier to describe a security approach intended to provide the feeling of improved security — despite a lack of actual measures that will impact security outcomes in practice.

“Our recent comments as to this move being security theatre hold even more strongly now,” said Collins today.

After hearing of Optus’ implementation, however, the IIA defended its scheme. In a phone interview this afternoon, former IIA chief executive Peter Coroneos — who finished up in the role last week but is still acting as a spokesperson on the Interpol scheme — defended the organisation’s framework.

“If someone’s determined to get to child porn websites, then they will get there … this has never been positioned as an absolute solution in all cases,” the executive said. “But people need to be aware that if they are going to actively go and search out child pornography on the Internet, they do so at some legal risk. The steps that industry are taking here not to prevent the determined criminal, but for everyone else, we think the measures will be understood for what they are hoping to achieve.”

“I don’t think it’s theatre to suggest that we are going to make it harder for the non-criminal to access child pornography,” Coroneos added. “I don’t really endorse the view that this is a completely worthless effort.”

The former IIA chief reiterated the organisation’s view that implementing the Interpol filter would bring Australia into line with other countries in Europe and Scandinavia. In addition, he pointed out that many technologies were devised with safety features in mind. “If people turn off the safety features, that doesn’t lead you to conclude that the safety features were of no use,” he said.

Coroneos said that those who were technically minded and able to circumvent the filter were not likely to be representative of the majority of people using the Internet. “If they wish to, they could route around the scheme, but it doesn’t invalidate it for the vast majority of Internet users,” he said.

Image credit: Delimiter

46 COMMENTS

      • Shouldn’t really.

        What you do is block all outgoing DNS requests, and allow only your own “trusted” DNS servers to do forward lookups out from the network. Theoretically, you’re only allowing those forward lookups onto external servers you in turn, trust.

        Now, anyone inside your network using other DNS servers won’t be able to resolve names to IP addresses, unless they’re using your DNS servers.

        If people ring up and complain that they can’t use Google DNS or OpenDNS any more, you just come back with “I’m sorry, our network does not support your configuration”. If there’s an appropriate update to the TOS, they are entirely within their rights to do so.

        It is actually a useful security measure to take – it prevents your users from being harmed by DNS dumping in particular, and it is actually something that I recommend to customers seeking to keep their network(s) as watertight as possible.

        But it is easy to control in a corporate environment – in an ISP environment, you’re potentially going to piss some people off, because people like us demand/require the flexibility.

        A filter by way of DNS poisoning – (which is what they are doing) – is only truly effective if you do something like above, because people will just change their DNS.

        It is just a really weak technical solution to what they are trying to achieve.
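The egress rule described in the comment above (only the network's own resolvers may send DNS out) can be verified from firewall logs. This Python script is an added example, not part of the original comment or any ISP's tooling; the log format, the documentation-range addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the network's own "trusted" resolvers (constructed addresses).
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}
DNS_PORT = 53

# Constructed sample log, one flow per line: time src dst proto dport action
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.0.11 192.0.2.53 udp 53 allow
2024-01-01T09:00:02 10.0.0.12 198.51.100.8 udp 53 deny
2024-01-01T09:00:03 10.0.0.12 198.51.100.8 tcp 53 deny
2024-01-01T09:00:04 10.0.0.13 203.0.113.9 udp 53 allow
2024-01-01T09:00:05 10.0.0.13 203.0.113.9 tcp 443 allow
2024-01-01T09:00:06 192.0.2.53 203.0.113.9 udp 53 allow
malformed line
"""


def audit_dns_egress(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (findings, skipped): per-client DNS flows to untrusted resolvers."""
    findings = defaultdict(lambda: {"denied": 0, "leaked": 0, "resolvers": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 6:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        _, src, dst, proto, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        if port != DNS_PORT or proto not in ("udp", "tcp"):
            continue
        # Clients asking a trusted resolver, and the trusted resolvers' own
        # forward lookups to the outside, are the permitted paths.
        if dst_ip in trusted or src_ip in trusted:
            continue
        entry = findings[src]
        entry["resolvers"].add(dst)
        # "allow" means the query left the network: the egress rule has a gap.
        entry["leaked" if action == "allow" else "denied"] += 1
    return dict(findings), skipped


def policy_gaps(findings):
    """Clients whose DNS to an untrusted resolver was actually let through."""
    return sorted(c for c, f in findings.items() if f["leaked"] > 0)


if __name__ == "__main__":
    results, bad_lines = audit_dns_egress(SAMPLE_FLOWS)
    for client, info in sorted(results.items()):
        print(client, info["denied"], info["leaked"], sorted(info["resolvers"]))
    print("egress gaps:", policy_gaps(results), "unparsed lines:", bad_lines)
```
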

        • Or you could anonymously intercept all port 53 traffic leaving the network and seeing if it is on the blacklist, if it is then just substitute in the blocked page and ignore the response from the other DNS.

          • On what grounds?

            It would only breach the telco act if the user who made the request is directly related back to the request, at no stage did I state that was the case, hence the reason for the word, anonymously.

          • My understanding is that the act of intercepting the data is enough (without the person’s knowledge). But IANAL.

            Ibs posted something on Saturday to Whirlpool’s content filtering thread which goes into some detail about it.

          • Telstra already do this with outgoing connections on port 25. I had to figure this out the hard way when developing some SMTP software. If you attempt to connect to any server on 25, it will be redirected to a Telstra server that doesn’t accept any commands.

          • That’s only on their consumer plans and I imagine it forms part of their ToS. Does it really redirect to another server, or does it just block it?

          • If it’s government policy to anonymously intercept port 53 as part of the overall plan then the telco act would be modified to reflect, note this is not “intercepting” data as such either.

            Could you post a link to that whirlpool post too, save our brains from having to read through the rest of Whirlpool to find it.

          • Better ring up any ISPs you have used in the past, in case they use(d) transparent proxies on all of your web traffic..

        • Quote: But it is easy to control in a corporate environment – in an ISP environment, you’re potentially going to piss some people off, because people like us demand/require the flexibility.

          It’s not flexibility I’m after, it’s functionality.

          I have used Google DNS since it was available because Telstra’s DNS servers regularly fail to perform lookups in a correct or timely fashion. If they do take the step of filtering outbound DNS at the border routers then I’ll have to setup something like dnsmasq to simultaneously hit all available Telstra DNS servers in the hope that one of them gives me a useful response. That’s not exactly friendly for other users of the Telstra network.

          • It seems unlikely they will block non-Telstra DNS, however since all Internet in Australia is monitored, it provides a much easier game plan for the watchers if they only need to keep an eye on the relatively small number of people who use a non-Telstra DNS (probably less than 1% of total DNS lookups).

            Observation of these people will give them ideas of what next to block (and there will be a next step to this).

        • You are assuming way too much. Your method of denying DNS requests to other servers is easily circumventable by simply using PAT through a proxy. For ISPs to inspect all traffic to see if it is a DNS request or just traffic would consume vast amounts of time and would slow traffic to a stand still, losing said company customers. It would be far more practical to use Snorator Conjob’s filter.

          • You’re right, when a filter is implemented specifically at the DNS level no police organisation is going to be suspicious of someone who intentionally uses a proxy to avoid their DNS traffic being seen.

            How would they know? Because you wouldn’t be sending any port 53 traffic, and if you bothered to read the Interpol website you’d be aware that sort of activity is specifically what they are looking for.

            The only thing you’d achieve by doing this is to put a massive target on your back.

  1. Is Coroneos really suggesting that non-criminals accidentally come across this material?

    • With all due respect, Coroneus has a history of pretty bland, some might say feeble, responses to filtering, government or ISP based, mandatory or well, mandatory (for Telstra/Optus users), appearing to have consistently taken the path of least resistance. Whether or not this was/is due to trying to smooth the path for his previous clients is now fairly irrelevant. Given his current nebulous position it may be time for him to either harden up or gracefully leave the playing field.

  2. One acronym: VPN

    People who care will use the tools available to access (a) the grotty sites, or (b) the sites that are blocked by the government using the kiddy-porn provisions. (b) is much more likely, given the federal nanny state that won’t let people even research euthanasia etc.

    • VPNs are all well and good, but people shouldn’t have to go to lengths like that to ensure that they aren’t being misled into believing the internet is free.

  3. So let me get this straight – the current Australian govt policy is to block this list of WorstofTheWorst sites so that the handful of web users who are so stupid they can’t google “anonymous proxy” can’t access them..
    but leave them running! why?

    Why not just make sure Interpol and the authorities in what ever country the sites exist RAID THE SITES and shut them down?
    Or just complain to the ISPs, like this example:
    http://cyberlaw.org.uk/2009/05/29/germany-delete-don%E2%80%99t-block-it-works-unpolitikde/
    where people got most of the nasty sites shut down purely by ISP complaints.

    • Governments do this stuff for political showmanship. They want to look like they care about the world’s problems. It’s cheaper and easier to look like they care, rather than take any real action, because they know most people would never realise the difference.

      • what are you talking about?

        the AFP is actively using honeypots to trap pedophiles in chat rooms, etc.

        don’t you read the news?

        you make it sound like law enforcement agencies aren’t doing anything at all about arresting real people (which is patently not true).

        • “the AFP is actively using honeypots to trap pedophiles in chat rooms, etc.”

          Which is going to be completely ineffective against the vast majority of sexual abuse against children. Most victims are attacked by people who are in their family or who are friends of the family.

        • This thread concerns the mandatory imposition of a pissant excuse for a filter on their customers by Telstra and Optus which is not only deceptive and morally questionable, but downright dangerous in that it will lull the m’s and d’s into a false sense of security. In this instance the two isps are doing this with the – implied/tacit/likely about to grab as a lifeline to drop their own (despised) filter option – support of the government. Don’t confuse the AFP with the government, which has blatantly cut AFP funds.

    • You’re right too, that complaints can make a HUGE difference – the DC that was disconnected from the internet for being a massive source of spam that I referred to earlier basically happened due to complaints.

      A Washington Post researcher got the ball rolling – here’s the article he wrote up once it was disconnected:

      http://www.washingtonpost.com/wp-dyn/content/story/2008/11/12/ST2008111200662.html

      Just shows what actually doing something can actually do…

      • that’s precisely the point… the irony is that the ISPs/webhosts for some of the biggest and most notorious C&C/botnets have actually been located within the United States… and look how long it took to shutdown these operations despite rumours swirling around for ages.

        imagine replicating the same thing overseas in countries that don’t give a hoot about formal requests for international assistance.

        • But child pornography is universally despised by nearly all living human beings.
          It might in fact be one of the few ills in this world that could gain genuine worldwide cooperation and result in it being effectively deleted from the internet.

          Wouldn’t that be amazing to see.

          That’s what irritates me most of all about this filter.
          No ostrich was ever saved by sticking its head in the sand.
          Similarly, no child will ever be saved by the filter. It’s shameful.

          • *But child pornography is universally despised by nearly all living human beings.*

            how is child prostitution any worse? and that shit happens in poor countries every day. what are you going to do about it (as opposed to jumping up and down over an “internet filter”)?

            *It might in fact be one of the few ills in this world that could gain genuine worldwide cooperation and result in it being effectively deleted from the internet.*

            there has been worldwide coop in shutting down paedo websites and catching paedos for years. remember the global “Wonderland” (or whatever it’s called) network that was shutdown in a blaze of international news publicity years ago?

            *Wouldn’t that be amazing to see.*

            it’s not amazing – it’s already happening.

            *No ostrich was ever saved by sticking its head in the sand.*

            law enforcement agencies are not sticking their heads in the sand. they’re adopting a two-pronged approach of catching the “bad guys” and “blocking websites”. stop spreading FUD.

            *Similarly, no child will ever be saved by the filter. It’s shameful.*

            how would you like pictures of you being made available all over the internet? what’s the argument again – something along the lines of “everytime someone looks at those pictures, the same children/victims are being abused all over again”.

            of course, if this “Interpol filter” is the start of a slippery slope down to a “mandatory Govt filter”, it’s extremely troubling for future civil liberties.

          • I picture you, tosh as having massive purple veins on your forehead 24/7.
            Like Edward Norton in the first half of American History X, but with more veins and stoner red eyes.

            Or are you actually pretty chilled out and merely write like you caught your mum in my bed?

            I’m curious

          • when your argument hits a brick wall, nothing like resorting to a good old personal attack….

            “purple veins”… and even mentioning “mothers”… that just says everything about you.

          • I was just trying to say that you appear to write angrily. Always.

            Your logic seems to make sense. In a way. Still not a fan of the ostrich approach. It can’t be that hard to get sites like that shut down – no matter where they’re hosted.

  4. “If someone’s determined to get to child porn websites, then they will get there … this has never been positioned as an absolute solution in all cases,”

    In other words, it’s not a silver bullet. Sounds like he is borrowing a little of Conroy’s failed rhetoric. Surprised he didn’t mention the spams and scams coming through the portal.

  5. Coroneos is an idiot. Yeah, I want to evade the filter? Do I want to look at any child pron stuff? No, absolutely not. Do I want to guarantee that I will be able to surf the net getting the results that I usually get, without accidental blocking of lawful sites? Absolutely. TOR, I2P, hotspotshield and Jondofox are free methods of evading the filter. Or you could move to an ISP that isn’t into this nonsense such as Internode or iinet.

  6. The filter doesn’t merely block child porn (in fact, it doesn’t block any of the common sources of it on the internet, as they’re not websites – it’s mostly blocking honeypots and scam sites). “Child porn” is often marched out, like in this article, to try and silence any opposition to the filter, implying “if you don’t want your net traffic filtered.. it means you want child porn.” Sadly, this line works on the uninformed masses. Also, @myne – “But child pornography is universally despised by nearly all living human beings.” While accurate in modern society, realise this view has only come around through social change in the last 80 years. Opposition to it, which I share, is a social state, not a natural one. Never listen to people who try to rewrite history. It’ll weaken you.

  7. Quote: [Stephen Collins?] “Nobody will be protected from criminals by this, and worse, for those customers who believe they are protected, their kids or anyone else using their internet connection will bypass this with less than 30 seconds effort. Optus should be ashamed of themselves; first for implementing this list and trying to have their customers believe it would work and second for doing such a half-baked job.”

    Changing DNS settings requires administrative privileges on most computers on routers. If you’re giving your children that kind of access then you’ve already failed as a parent.

    • @Ant, specifically “Changing DNS settings requires administrative privileges on most computers on routers. If you’re giving your children that kind of access then you’ve already failed as a parent.”

      Kudos for missing the point gloriously. The filter is to prevent (a minuscule portion of the) documented physical abuse of children from being readily accessible to paedophiles (over a single medium which likely represents only a small amount of the volume of trafficked material), not to stop kids finding pornography on the internet. I’m also unsure what being “on routers” has to do with anything? Changing DNS settings should require appropriate permissions regardless of whether or not you’re using DHCP.

      A bad parent allows young (i.e <10) children to access the internet without supervision. A bad parent is not one who simply does not know how (or why) to change their computer's permissions. Damn, if you sat me in front of a Windows 7 box I would have no idea whatsoever how to achieve such fine grained permission control given Microsoft's lack of anything even resembling a proper security model.

      • Perhaps you need to read what I quoted and how I responded before painting me with the missed-the-point brush.

        You don’t know how to secure your Windows 7 computer? You know how to lock your car, don’t you? You probably shouldn’t connect to the internet if you don’t know how to secure it. People running administrator-level accounts on open computers are the main reason botnets have such a massive footprint on the internet.

        • Have you considered that Fail doesn’t use Win7? Maybe is a Linux user?

          But to elaborate on what he said, do you have full “fine-grain” control over all security settings on your win7 box? or do you just lock it down completely in non admin, and open it fully in admin?

      • eh, let me guess, with all your “a bad parent…” comments you don’t actually have children of your own do you?

  8. Michael Wyres : you are assuming way too much. Your method of denying DNS requests to other servers is easily circumventable, inspecting all traffic to see if it is a DNS request or just traffic would consume vast amounts of time and would slow traffic to a stand still, losing said company customers.

  9. I just don’t understand why anybody is bothering to block child pornography. Who is the target? Are there really ‘casual pedophiles’ out there, who will support child porn provided it is convenient? Who will try going to their websites and get a “this domain has been blocked by the australian government” notice and just say ‘oh well, back to my other fetishes”?

    People who have already overcome the huge social stigma of wanting to look at child porn are surely going to be determined enough to bypass the filter. I honestly find it highly improbable that any filter implementation is going to make even a significant dent in the amount of child porn viewed in Australia.

    Am I missing something or is this just a “look at us, fighting our culture’s perceived greatest villains” stunt for the people who don’t understand the issue?
