‘It wasn’t us’:
AG’s Dept denies massive filter false positive

46

news The Federal Attorney-General’s Department has denied any involvement in a controversial event in April which saw some 1,200 websites wrongfully blocked by several of Australia’s major Internet service providers, claiming that neither it nor the Australian Federal Police were involved, despite ISPs blaming the Government for the move.

On April 12, Melbourne publication the Melbourne Times Weekly reported that more than 1,200 websites, including one belonging to independent learning organisation Melbourne Free University, might have been blocked by “the Australian Government”. At the time, Melbourne Free University was reportedly told by its ISP, Exetel, that the IP address hosting its website had been blocked by Australian authorities. The block lasted from April 4 until April 12.

Subsequently, the US-based Electronic Frontier Foundation issued a media release linking the issue to the Labor Federal Government’s various Internet filtering initiatives, especially the voluntary filtering scheme currently implemented by a number of major ISPs including Telstra, Optus and Vodafone.

In November last year, Communications Minister Stephen Conroy formally dumped the Government’s highly controversial mandatory Internet filtering scheme, instead throwing his support behind a much more limited scheme which sees Australian ISPs voluntarily implementing a much more limited filter which Telstra, Optus and one or two other ISPs had already implemented. Vodafone has also implemented the filter, and the process is also believed to be under way at other ISPs such as iiNet.

The ‘voluntary’ filter only blocks a set of sites which international policing agency Interpol has verified contain “worst of the worst” child pornography — not the wider Refused Classification category of content which Conroy’s original filter had dealt with. The instrument through which the ISPs are blocking the Interpol list of sites is Section 313 of the Telecommunications Act. Under the Act, the Australian Federal Police is allowed to issue notices to telcos asking for reasonable assistance in upholding the law. It is believed the AFP has issued such notices to Telstra and Optus to ask them to filter the Interpol blacklist of sites.

Speculation in April centred around the idea that the Australian Federal Police had wrongfully added the web hosting address for Melbourne Free University to its filter list, which had then been distributed to the ISPs participating in the program. Commenters noted that users of ISPs which had implemented the filter — such as Telstra, Optus and Vodafone — were unable to access the host for Melbourne Free University, while users at other ISPs, which have not implemented the voluntary filter, such as TPG, were able to freely access the site as per normal.

However, in a statement issued late yesterday, the Attorney-General’s Department denied any involvement in the false positive event, on its own part or that of the AFP.

“The Attorney-General’s Department was made aware of the incident to which you refer,” the department said in a statement. “As the Attorney-General’s Department, and its portfolio agencies, including the Australian Federal Police, were not involved, and no powers under legislation administered by the Attorney-General were utilised, we are not in a position to provide further comment.”

The Australian Communications and Media Authority, which has powers to enforce the takedown of content hosted in Australia (but not outside of Australia), also denied it was involved, repeating the statement it issued in April noting that it had not blocked the site where Melbourne Free University was hosted and that it was not investigating any prohibited content.

Both agencies yesterday declined to comment further on the issue when questioned by Delimiter. Delimiter has also requested comment by the office of Communications Minister Stephen Conroy, Conroy’s Department of Broadband, Communications and the Digital Economy, telcos including Telstra, Optus, iiNet and Exetel, and the Australian Federal Police. Formal responses have not yet been received by any of these organisations.

In addition, Delimiter has filed a wide-ranging Freedom of Information request with the Australian Federal Police with the aim of determining whether the block was caused by a Section 313 notice issued by the agency. The FOI request seeks: The complete text of all notices issued by the AFP under Section 313 of the Telecommunications Act to any Australian ISP in calendar year 2013; Any responses sent by ISPs to the AFP in response to the issuing of these notices, and any communication from the AFP to the ISPs in response to these notices, in calendar year 2013.

In addition, Delimiter is also seeking the full text of any email communication between the AFP and the Attorney-General’s Department or between the AFP and the office of the Federal Attorney-General which took place on or since 1 April 2013 that mentions an Internet block placed on a number of websites including Melbourne Free University.

The news comes as Greens Communications Spokesperson, Senator Scott Ludlam, has placed increasing pressure on the Federal Attorney-General Mark Dreyfus, to reveal any involvement his office or department had in the false positive block. In mid-April Ludlam formally asked Dreyfus the following questions on notice: “With reference to the block placed on the Internet Protocol (IP) address of the Melbourne Free University for undisclosed reasons from Thursday, 4 April 2013 to Friday, 12 April 2013:”

  • Under what agreement or arrangement between law enforcement agencies and internet service providers (ISPs) was the block executed.
  • What was the nature of the content hosted on the Melbourne Free University server that triggered the block.
  • Was the block placed by government order under section 313 of the Telecommunications Act 1997, and if not, under what authority was it made.
  • Why was the block lifted, and when was it lifted.
  • Was the block executed by government order in relation to implementation of the European Cybercrime Convention, and if so, did the block request originate from a foreign law enforcement agency.
  • Did the block on one IP address cause negative impacts on 1,200 other websites.
  • What explanation was provided and what redress is available to the operators of the 1,199 sites that were not violating the law.
  • What notification processes are in place to ensure that organisations and businesses suffering indefinite collateral damage from such mistakes do not waste network research and other resources in diagnosing and seeking to rectify the problem.

On 29 April the Government transferred the questions on notice to the Minister representing the Treasurer, without any explanation.

Update: The AFP has additionally issued the following statement with respect to the incident: “The AFP is aware of the incident to which you refer, however the AFP does not have any involvement in the matter.”

opinion/analysis
Given the denials by the Attorney-General’s Department and the ACMA, I am even more mystified as to what happened in early April that caused Melbourne Free University and some 1,200 other sites to be blocked by Australia’s major ISPs, and the sense I am getting behind the scenes from some of the players involved is that they are also mystified. It seems that this whole thing didn’t go through the normal processes.

I would like at this point to inform the Government and associated parties that I’m not going to let go of this one. I will pursue this issue until the public finds out what happened here. The Australian Government does not currently really have the power to arbitrarily block whole categories of websites from the Internet without some form of extreme justification (such as those sites hosting ‘worst of the worst’ child pornography as defined by Interpol), and I am pretty sure that Melbourne Free University was not doing that. Something has gone wrong here, and I will not rest until someone lets the Australian public know precisely what happened. Mark my words: The truth here will come out.

46 COMMENTS

  1. Glad you are vigilantly following this one through Renai. It is very important. It’s a real shame something like this gets complete disinterest by the MSM. People should be angered by this, but most sit back idle completely uninformed.

    • History tells us the answer to that is don’t filter. Gov’s seem to learn that the hard way.

  2. Seems to me like someone accidentally pasted an IP address into the filter list update being distributed to ISPs. Where an understandable mistake, it would demonstrate the fallibility and fragility of such a system, which probably speaks to why everyone representing the Govt is in ‘complete denial’ mode.

    To what extent are ISPs limited in discussing the filter? Are they simply being coy because they don’t want to officially admit they have even implemented it? Are they able to disclose the presence (or lack) of that particular IP on the filter under condition of anonymity, or are they legally bound to not discuss it under any circumstances?

    There is no way the ISPs in question don’t know how that IP got blocked, but it is completely possible that the Govt depts don’t have any official understanding or record of the cause if it was accidental (except, of course, the specific people or office responsible if it originated from the AFP, who could have sat on it once they were advised of the problem. They should have come forward by now, of course, but what should have been done is not necessarily what has).

    • The process for reviewing the accidental blocking of a random IP would be… what?

      Presumably any block is instigated by people who have some sort of technical background. If not, the whole process is a complete charade anyway – if you have no idea what you are or are not blocking wtf does it matter where the filter comes from or whats actually in it?

      There is, to my mind, no possible way the block was put in accidentally, at least in the sense that nobody knew why it was going in. There must be a paper trail; if not, then whatever agencies are involved would almost certainly be in breach of numerous regulations. Surely we don’t have a filtering system whose operational process is just “hey, go for it”.

    • There’s always Wikileaks – I’m sure if someone privy to this information was to avail them of a copy of any letter of demand ( assuming of course it really was the govt filter list, lets remember, exetel support staff are in some off shore country, since exetel does not implement the filter, how would they know) they would see to its publication.

    • Once again, the filter uses DNS names not IP addresses.

      DNS names resovle to IP addresses sure, but the list distributed by the government is a list of names.

      Maybe this is ASIO.

  3. An IP block to take down a particular website is akin to carpet bombing a city to take down a joy-rider. It should never be on the cards in the first place. Well, outside of syria or iran at least.

    Are we sure the intent was to take down a web site? It seems an awfully poor way to do so if it was a targetted takedown for other reasons – you could get to the site from different ISPs and internationally.

    It is quite scarey to think there is no clear way to find out either directly or indirectly why the block was made. Fine, the agencies involved can’t say anything if its for an ongoing investigation or something, but surely we can see something from the judiciary or a panel of review or ANYTHING that says a legal block was put in place in accordance with a particular law. If that framework doesn’t exist, or the info can be kept secret indefinitely, in what sense are we not living in a totalitarian state?

    • It will likely end up taking a High Court challenge to sort this mess out., Obviously since everyone from Adam to God are denying they ordered the filter, someone can talk about it, I mean if it was human error, FFS, just come out and say so, everyone will move on (until the next time) when the High Court might be called upon to force some kind of review panel.

  4. Isn’t this the sort of false positive that we were assured would not happen when the concept of the filter was proposed?

    • Yes.

      Although I tend to think Occams Razor likely applies here. The simplest explanation is that it was an error.

      As such, and given the assurances in the past that mistakes were going to be quite impossible, it’s hardly sensible to presume anyone will admit it. The musical chairs will continue, FOIs will probably end up in a black hole.

      And this whole thing becomes a self-referential joke. Only without the punch-line and laugh track.

      • That’s what I was thinking… Someone screwed the pooch but has enough plausible deniability that they can’t prove who internally…. See it all the time. You usually know who did it, but can’t quite prove it because no one bothered/was willing to pay for a proper audit trail.

        I bet they all log on with the same service account and password :-P

  5. “It seems that this whole thing didn’t go through the normal processes.”

    It’s not outside of the realms of reason that someone inadvertently entered an incorrect address block and all involved are now attempting a rather-large game of musical chairs, in an attempt to obfuscate causes.

    I doubt MSM will pay it much mind, to be honest, a fair chunk of their audience will be sympathetic to filtering “nasties” and don’t see the value of an open internet.

  6. How could an address be accidentally pasted into a list that is supposed to be prepared by Interpol and be distributed via the AFP to the ISPs?

    Surely there is no suggesting that the AFP have secretly added sites to the Interpol list before forwarding it on to the ISPs.

    No one would of course be suspicious about the massive increase in the number of sites on the Interpol list from around 400 to around 1200 as revealed by answers to committee questions by the AFP. and make an incorrect guess as to why.

    Yes I would say that we really need Renai to chase hard on this mystery.

  7. Update: The AFP has additionally issued the following statement with respect to the incident: “The AFP is aware of the incident to which you refer, however the AFP does not have any involvement in the matter.”

    • Sweet, it must be the case that anyone can get a block then, you know, if they ask nicely. Ima ask to block 117.53.164.173 since I spend too much time reading some of the sites hosted there.

    • I notice they don’t say they don’t know who was responsible, just that they weren’t involved..

      I wonder if it was one of those secretive organisations like ASIO or the DSD protecting us from something or other which they can’t tell us about :-)

  8. How bizarre…no one did it, but it happened anyway…

    Looking forward to your updates on this one Renai!

  9. None of this makes any sense. I presume the “filter” everyone keeps referring to is I presume the voluntary IIA filter, which Telstra, Optus and some others have implemented.

    It is a DNS filter. This wasn’t a DNS filter. The IP address was blackholed.

    So lets start again from the beginning. All ISP’s acted in concert to blackhole an IP. Why? Is there some blacklist I’ve never heard of distributed by the government? Is there a law that requiring the ISP’s implement this list, or this all done on a “gentleman understanding”?

    In contrast the question Renai seems to be seeking the answer to, “how did Melbourne Free University’s address get on that list” is less interesting at this point. The answer is probably something boring like “fat fingered it”, or “clerical error”.

    It’s made all the more puzzling by the responses on AUSNog. It’s not like there is any shortage of reasonable explanations. Someone stuffing up a BGP routing table while trying to de-fang a DOS for example. But they didn’t give one of them. Instead, questions on why all ISP’s suddenly dropped packets their customers are paying them to route was answered with “because we were asked to”. Follow on questions I would have thought reasonable like “who asks you to drop packets I’m paying you for, why on earth would you do as they ask and why not at least disclose to me what conditions you do it under” were met with hostility, and then finally “everyone who needs to know does know, and we can’t say more”.

    We need a bright light shone into this particular corner of our democracy. I hope you are the one to do Renal.

    • Could have been a blacklist though, one that is shared by the major ISPs. I agree – there’s no reason to obfuscate the facts if it was an error made by a tech (and even then it is highly unlikely to affect multiple ISPs in the same was like this).

      So was it a completely separate blacklist? If so, what is it, who is using it and why?

  10. Time for dentists and dog trainers everywhere to get very nervous, somethings coming down the pipes and the Russian mob is stirring under the page…

  11. I thought I’d think outside the box for a minute.

    I haven’t seen a story yet (although I may have missed it) stating where the site was hosted. If it was hosted outside Australia, could it possibly have been a block, not by Aussie ISPs, but by a provider along a common transit route?

    I have seen in the tech media worries about certain countries blocking websites and possibly affecting data traversing through the country, effectively blocking the site for more than their local population.

    • A) would be unlikely to see this affect some ISPs and not others in this way

      B) they would just explain it was a problem with a major international DNS root server (or whatever the cause was in your scenario) – there’s absolutely no need for taking the line of ‘we were told to’ if they weren’t.

      • I would like to add; that international transit very well COULD account for the block. ISP’s in Australia all use a very wide variety of providers to get data from international sources. If this block existed on just one international carrier (perhaps very close to the exit node from the nearest international hop); it very well could lead to a situation where – for instance – Telstra couldn’t access something, but PIPE could.

        But since we have had at-least one ISP blame law enforcement, I’m going to pin it on something law enforcement related.

    • Atleast one ISP in question responded saying it was a law enforcement request, and that they could say no more.

      Since AFP denies doing it; and the AG department denies doing it, it leaves 1 of 2 possibilities.

      1) A case the AFP is running they don’t want public (so they lie until they are allowed to admit they did it)

      2) A different government law enforcement agency did it. (ASIO, DSD etc).

      Just to be clear, this was not the “filter”. The filter is a domain NAME filter. NOT an IP address filter. There is no crossover. There is no possibility for an “Accident”.

      It is kind of like blaming your water company for a pile of bricks in your bathroom, and claiming it came out of your tap. Bricks don’t run through water pipes. In the same way that IP addresses are not domain names, and blocking an IP address in a domain name filter won’t work.

      • “The filter is a domain NAME filter. NOT an IP address filter.”

        Do you have any evidence for this claim?

        My understanding is that Australian ISPs are free to implement internet censorship in any way they choose.

        However the bottom line is that a group of ISPs have simultaneously blocked a particular IP address and noone is saying on what authority and for what reason.

        • More or less, but the agreed method seems to be DNS, it has no resource impact, well, if by RPZ, that’s not entirely true increasing lookups to between 4 to 13 more per bad-guy-domain, but still, you wouldn’t notice any delay, which is why ISP’s are not crying too foul, since they dont need invest untold cash into layer 7 filtering like conroy at the behest of FFA and the ACL wanted.

  12. Whoa there tiger.

    There are reasons other than evil AFP style filters that IP addresses get blackholed on the Internet. Same scenario that happens every day of the week on the wild west of the web:

    1. A WordPress install on a shared server gets compromised and starts sending spam or acting as a DDOS zombie
    2. The IP address being used by the compromised server is picked up by a honeypot, and a commerical RTBH (remotely triggered blackhole) service then blacklists the naughty IP address (which if you are on the same shared server, means you are also screwed, speak to your hosting provider!)
    3. The naughty IP address is then sent automagically via BGP to every ISP who subscribes to the particular RTBH service, and they then start null routing (ie dropping) all traffic originating from that IP address at their edge

    I know that everybody loves a conspiracy theory, but it is possible, just possible, that this is the protection mechanisms working as intended.

    Anyone who is being blocked inadvertently should really be taking it up with their hosting provider, or ideally switching providers.

    Regards,
    Douglas.

    • “Unusually, a representative of one of the blackholing ISPs, AAPT, would only state that “in regard to this issue, this IP address has been blocked”.”

      Surely if it was from the RTBH system they’d have said that? Because if I was at AAPT as a network operator and I had become aware of this block, I would check the reason and THEN respond saying “Blocked by the RTBH provider we subscribe to”.

      I don’t think its a *conspiracy*, I just think its standard law enforcement relating to a case they aren’t talking about yet.

      It is certainly NOT the filter that everyone loves to conflate shit with.

      • If one of the AAPT guys went onto the ausnog mailing list and advertised how they were defending their network (and as a side comment, I doubt they would even know), then most likely their next post would have been a few days later asking if anybody was hiring :)

        I personally doubt that this would be LE related. They are not this well coordinated!

        You may well be right, but it helps if people understand that there are perfectly legitimate reasons for this behavior.

        Regards,
        Douglas

      • You say “I don’t think its a *conspiracy*, I just think its standard law enforcement relating to a case they aren’t talking about yet.”

        So where did they get the authority to block 1,200 IP addresses including at least one that we know is absolutely legal. There is certainly nothing in the Telecommunications Acts that permits this.and Sec 313 which everyone likes to quote only applies to illegal acts. I don’t know of any law enforcement legislation that gives any organisation in Australia the right to block legal communications.

        I don’t know what has happened and I doubt that it is related to the Interpol filter but I am in total agreement with Renai that we need to know who and why and under what authority this was done. I would also like to know what action the Government is going to take to protect innocent people from this type of attack in the future.

        • Bob – one IP address was blocked. 1200 websites were hosted on the same IP address.

          One install on that IP address was being naughty. Maybe sending spam, maybe a DDOS zombie, maybe a Botnet CandC server, maybe hosting kiddie porn.

          Someone (or more likely something) has told multiple ISPs (most likely a BGP signalled RTBH trigger) that this one IP is doing bad things, and they should block it. All other websites were then taken down as collateral damage, because they used cheap shared hosting on the same IP address. This is the inherent risk of using cheap shared hosting, instead of dedicated hosting.

          If your computer was being attacked continuously and you found out the IP address of the attacker, I assume you would ring your ISP and ask them to block it?

          Same thing has possibly (but not necessarily, nobody really knows) happened here, but on a bigger scale.

        • Who said anything about 1200 IP addresses?

          many shared webhosts run from one to three thousand hosts per machine on a single IP (well, one single IPv4 number, and one single IPv6 number)

    • Here is just one example of the above type of service:

      http://www.spamhaus.org/bgpf/

      Once Spamhaus thinks an IP address is being used as a Botnet CandC server, it will advertise the /32 IP address to every ISP who subscribes to the service via BGP, and the ISPs will then start null routing traffic originating from that IP address (s/RTBH).

      There are plenty of other companies who run a similar style systems.

      This is actually a good thing.

      Regards,
      Douglas

      • Douglas, you are completely missing the point.

        You are right in saying that could be what happened. It is a perfectly understandable course of events, which nobody would have paid much attention to.

        But when the ISP’s were asked what happened, they didn’t say “BGP routing fuckup”. They said “we were asked to, and we must follow lawful requests” or something along those lines.

        So forget this line of reasoning. Quite apart from anything else, it’s already been addressed in the earlier comments. Read them!.

          • This http://lists.ausnog.net/pipermail/ausnog/2013-April/017922.html :

            > Please note that we regret to inform that the IP address has been blocked
            > by Australian authority for undisclosed reasons.
            >
            > As per our supplier, due to the legal department our supplier is unable to
            > share any information regarding the blocking of the IP address. Therefore
            > we are not able to provide the details regarding who has blocked the IP or
            > why because the supplier wont provide these info.
            >
            > Also note that our supplier is unable to have this IP unblocked.
            >
            > Level 1 – Network Support Engineer
            > Exetel Pty Ltd

          • Not conclusive, but an interesting comment from them. Thanks.

            Moral of the story is that if you use shared hosting, you will get burnt, and there is sod all you can do about it.
            If it’s not a RTBH service blocking you, it’s the law.

            Regards,
            Douglas.

          • “Moral of the story is that if you use shared hosting, you will get burnt, and there is sod all you can do about it.”

            Based on the statement from Exetel, even if you do not use shared hosting, you can get burnt and there is still sod all you can do about it.

            As long as government thinks it is OK to block IP addresses or domains without due process and in secret, this kind of thing is going to keep happening.

          • bare in mind this:

            “Network Support Engineer” at Exetel is nothing more than a fancy name they have given their CSR’s, they are NO MORE an engineer, than the 18yo kid who works at the local coffee Club

      • I would suggest that you read the original article at http://www.melbournetimesweekly.com.au/story/1428137/australian-government-may-have-taken-more-than-a-thousand-sites-offline/ as it seems pretty clear from that the block was an DNS block not an IP block as 1200 sites (IP’s) were affected.

        Spamhaus use IP blocks “The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses.” http://www.spamhaus.org/bgpf/ So it is almost certain that the block had nothing to do with that type of black hole system.

        • Did you even read that article Bob?

          “The IP address that hosts melbournefreeuniversity.org also hosts gambling and pornography websites, which is not uncommon as one IP address can host thousands of websites from all over the world. More than 1200 other sites at the IP address were also blocked.”

          One IP address hosting 1200 sites was blocked! This is IP blocking.

  13. Aaaaand … *drum roll*

    We have a winner!

    http://delimiter.com.au/2013/05/15/interpol-filter-scope-creep-asic-ordering-unilateral-website-blocks/

    The Federal Government has confirmed its financial regulator has started requiring Australian Internet service providers to block websites suspected of providing fraudulent financial opportunities, in a move which appears to also open the door for other government agencies to unilaterally block sites they deem questionable in their own portfolios.

    • OK, fair enough.

      Except, is nobody is allowed acknowledge that have been asked to implement these blocks, let alone explain the reason? In a democracy?

      Is this for real or are the ISP’s just being cute and insisting they can’t speak about the matter?

      • The ISPs are usually bound by confidentiality provisions in these kinds of cases, but I think they are as surprised by ASIC’s move as we are.

Comments are closed.