Jean-Jacques Halans ‹› Afterhours

This is a fictitious story about a small Australian business owner, let’s say a Dentist. One day she decides to spend her marketing dollars on a website, instead of an advert in the Yellow Pages (who uses that nowadays anyway?), the local business guide or the local newspaper. Smart woman! Now, a website can be quite expensive. Or it can be very cheap! She gets her little nephew to setup a brochure site (a practice I don’t condone as a web professional!). Nothing fancy, people only need to find information about her practice, a contact form, maybe a feedback form for a little interaction.

All goes well. Calls for appointments come in, business is good. Once in a while, she looks up herself on Google, to see if people can find her. She tweaks the content a bit for search engine optimization, gets linked on some local business sites, decides to spend some money on Google adverts. She’s pretty happy. Once the site is on a roll, she really doesn’t need to look after it any longer, it seems. Her little nephew points her out that her website traffic is booming, it’s getting a lot of hits it seems. Cool!

Then all of a sudden appointments fall back, people aren’t calling her anymore. Is this the recession? Are people no longer getting insurance, so they can’t afford the Dentist any more? This must be the GFC! But then she looks at her website traffic, and it has fallen down to nearly nothing. She sees some European and US visitors, which obviously aren’t clients, but no more Australian users. What has just happened?

Her site got hacked! It’s not something she would be looking for, not something she knows anything about. It’s a bloody simple website. Why would anyone hack her site? What’s the point? And it wasn’t obvious either, it’s not like they defaced her homepage with pink elephants or something.

This is the point where I’ll be talking Today and Tomorrow.

Today, when your site gets hacked and points to malware/spyware, your Google entry will tell users that your site contains links to malware. But if people want they can still click through, they can still find you. Google doesn’t tell the website owner her site is hacked though, you have to find out yourself. As the website owner, you can take appropriate action, clean up your site, get some professional help protecting your site. You can then let Google know when to index your site again, as Google clearly points out the procedure. This is a private company trying to protect it’s users from downloading malware to their computers. A noble cause, though it might seem scary for the small business owner who relies on traffic coming from search results.

And this happens very, very frequently. Even to the best of us. All software, open or closed, contains holes. Some holes are easier to exploit than others. Some holes are easy to fix and get fixed quickly, some don’t. A lot of popular software contains/contained holes, like popular content management systems, forums, development platforms,… So, as it turns out, a website does need maintenance. It’s not something that you’d put out there, and let it run. You need to keep a watchful eye on it. (and start out by using a web professional, not your nephew).

But Tomorrow, things will be different. The government will protect us, the web users. Someone must think of the children. Our own anti-virus, host and router firewalls, parental filters, OpenDNS, modern browser,… just isn’t good enough.

In the case of the Dentist, it turns out the Russian mob had injected content onto her site, advertising content deemed illegal under Australian law, and then spammed millions of users pointing to the content. Her site was put on the government blacklist, according to the media, without her knowledge. The list is (used to be) secret, so it’s not something you can query to see if your site is on it. And Tomorrow, it will be taken offline. You get hacked, you get (secretly) charged, and your website gets killed off.

As said, this is a fictitious story, but it does hold some elements of truth. Web pages from those morally objectionable characters of the likes of a dentist, a dog kennel (MaroochyBoardingKennels.com.au) and canteens.com.au (that is “school cafeterias”, not whatever your and ACMA’s dirty minds make of it) ended up on the actual official government blacklist.

Any locally hosted websites hosting content deemed illegal by ACMA (Australian Communications and Media Authority) must be removed by ISP’s and content hosts. If the site is hosted overseas (tip: if you are an Australian business targeting local customers, it does make more sense to host in Australia!), the ACMA adds you to a blacklist which Today is used by client-side internet filters, but Tomorrow it will be used by the Great Australian Firewall, the network level mandatory ISP filtering scheme currently on trial. It is not clear what the procedure will be (if there is any), for complaints received at ACMA, if and how ACMA will let website owners know they got complaints, if ACMA will allow website owners to fix any issues during a grace period…

Can we even imagine where this filter is leading us too? Do we really want to go there?

As a side note, compromised home computers are being used in the hundreds of thousands around the world in illegal activities, in botnets used for spamming, temporary hosting illegal content used by fast-flux domains. Will the government be blocking all these individual IP addresses too?

My take on the “Clean Feed” filter, aka the “Rudd Filter”.

But first this.

A 2006 UQ study found that road accidents, more than 25,000 serious injury accidents each year, cost Australia $17 billion each year. That’s about 68 serious injuries everyday.

Drunk driving is illegal. It can kill yourself, and it can kill others. The Rudd Filter would be like breath testing every driver every time they get into a car, tested not by the police, but by the RTA. Technology-wise, there are devices which can be installed in a car, where you need to blow into first, before the car starts. The cost to a new car would be minimal. Problem solved. No more drunk drivers. Or the drunk driver asks a ‘friend’ (friends don’t let friends drive drunk) to blow for him, and of he goes, circumventing the filter. Then the filter could be adjusted to breathe into the device every 30, 10 or 5 minutes, so you need someone sober with you to keep driving. But that would be very annoying 98% of the time you are driving around alone, doing the shopping or whatever. It would really slow you down. Because of course, you need to stop by the side of the road the blow into the device, you can’t do it while driving. Maybe we could blow up some balloons early in the evening, and keep them on the back seat of the car…

Speeding is illegal. It can kill yourself, and it can kill others. The Rudd Filter would be like installing a black box (think airplane black box) into your car to monitor your speed. It needs to have GPS functionality too, so it knows where you are in order to adjust the speed limit. It also knows about time, so when you’re near a school at school times, it slows you down accordingly. It needs communication capabilities so it can update itself when situations change. And to make sure your road tax is being payed, as well as checking for having valid insurance. And it can communicate with traffic lights, so when it turns orange, the car slows down to stop, in stead of accelerating to make sure you get through. It also keeps an eye on total weight of the car, and number of passengers, to prevent over-crowding of the car. The black box also keeps tabs on your breaks, your tires, your lights and the oil level, keeping your car in perfect order. Perfect. The technologies exist, they only need to be poured into one small device. No more speeding, no more running red lights, no more illegal parking, no dodgy breaks or failing break lights. That is until someone finds a way to update its firmware or installs a mod chip on his black box which effectively tunnels all real-time information through the device, letting the device think it is parked. They would have free reign on the roads, and we still need police to catch them, and they would still kill children crossing the road.

Silly comparison?
How do the numbers stack up, car drivers vs internet connections?
Deadly or serious car accidents vs illegal internet activity?

Back to the issue at hand, the actual Rudd Filter proposal.
Protect the children, block illegal content. Lofty goals for sure. Check out these statistics in regard to children using the Internet.
A blacklist of illegal content is already being used by ACMA (containing 3,200+ web pages) to take down illegal content hosted on Australian servers. Senator Conroy wants to take it one step further, no actually two steps further. Not only does he want to filter internet traffic at the ISP level based on a blacklist (of known illegal internet addresses), which is already in use in the UK, New Zealand, Norway and Sweden, and at a couple of thousand addresses doesn’t really pose a problem; but he wants to dynamically filter all internet traffic based on content analysis, on words and image within the responding page.
A blacklist of illegal internet addresses is pretty straight forward. A user requests an address, that’s checked against the list, all OK, continue. Personally I use OpenDNS to block “questionable” content on my free open network. People who are looking for that, might as well pay for their own internet connection. Problem is that it blocks whole domains. You can’t block just a single page of, let’s say Facebook, you need to block Facebook all together, resulting in massive collateral damage. Still, blocking domains doesn’t help when the user knows the IP (numerical) address. Blocking the IP address doesn’t help because one IP address can block a whole lot of domains.
So that’s why they want to do it dynamically, based on what a particular page contains in words and pictures, and compare that to signatures, telltale signs of bad content. That’s some nifty shizz. A picture deemed illegal based on % of “flesh” tone and body shape, the technology in use on for example Google Image search, might be filtered out of an online article on a domain, in stead of blocking the whole domain. This needs to happen in real-time. Again, that won’t work on a secure HTTPS connection (like when connecting to your bank), as content over the wire is encrypted and can’t be inspected. Doing content inspection for all traffic coming into Australia will require some beefy hardware to keep up, incurring extra costs for ISPs, passing it on to their customers, while still slowing things down.
And then the Internet is more than web pages. It’s email, Usenet, peer-2-peer downloads, instant messenger protocols, voice-over-IP,… These filters won’t handle that traffic. And it won’t protect children from adult predators either.
Haven’t we learned anything from Spam filters? Let’s block all “viagra” mails. We still got “v1agra” in our inbox.
Haven’t we learned from phishing scammers (trying to get our banking details), using fast-flux domains and domain tasting?
Don’t they know what VPN’s are (like when connecting securely from home to your office), or anonymous proxy servers? Or steganography?
Or even Google Translate as a proxy?

As it turns out, the original Clean Feed proposal is based on 20,000 petitions gathered through churches, hardly representative for the whole of Australia. You could easily get 20,000 petitions gathered through pubs to get rid of the smoking ban too.
To get the policy into legislation, Senator Conroy will need the support of some independent senators, who have their own agenda, and this is where the sh*t really hits the fan. Minority pressure groups influencing policy to a degree that it affects everyone. Today it is porn and international gambling sites. Tomorrow it is a religiously offending cartoons, bad product reviews, citizen journalism (blogs illegal in Italy),… It is just a matter of time, what is legal today, may not be tomorrow. Games deemed illegal in Australia, as in without classification: “throughout Australia it is illegal to sell, to adults, any computer game unless it is classified suitable for a 15 year old“, are still being traded through grey imports. Will we soon need age verification for every page we visit, deemed unsuitable for 14 year olds or younger?

The Clean Feed filter will result in a false sense of security, as it accomplishes little, and is very costly and very ineffective. It creates more problems than it solves. It stifles innovation and progress. People, children and their parents alike, need to be educated. Yes, ISP’s can help with that. They could be “parent friendly” ISP’s, providing guides, and DNS based filters like the ones used in the UK or the Scandinavian countries. Parents should be parenting their children, take responsibility, in stead of brushing it of. Create non-admin accounts on their family pc’s (you don’t want your kids to install malware either, do you?), use decent internet browsers, keep your pc up-to-date, provide MAC filtering and timed access control on (wireless) routers,… Too hard? Read and learn. Or ask friends, colleagues, family. (Or maybe they should get their family friendly Internet at the local McDonald’s?)

The only ones who stand to profit from this filter are the filter vendors, selling millions of dollars of annual licensing, for something which might prevent some accidental encounters, considerably slowing down everyone’s Internet experience, but certainly not blocking any knowledgeable sicko to get his hit.

Maybe we could spend the money better to prevent car accidents, obesity, lung cancer, education. Really.

Need more convincing that a Clean Feed is a bad idea (or at least its execution)? Be informed, read on:
The State of Censorship: Australia
EFA: Labor’s Mandatory ISP Internet Blocking Plan
Great, clear presentation on Internet Filtering (ppt)
Petitions to parliament drove ALP’s Internet filtering policy

Then do something:
No Clean Feed
The Rudd Filter
Somebody Think Of The Children
Then sign an online petition (though I hope there will be one offline soon too):

Of course testing any ISP-based Internet filter is difficult, as you would try to retrieve illegal content…
The only way is to try the Great Firewall of China. It blocks content that’s legal in Western countries, so you’re not breaking any laws (when you lookup lawful content), and check response time and DNS time:
try a news site like http://www.smh.com.au, look at the Chinese and US times (never mind what they mean, just that the higher they are, the slower the Internet), they would be about the same. Now try http://www.amnesty.org. For me at least, times where x2-x3 slower for China.
If you use Firefox you can try the China Channel extension.

And let’s not forget the Beijing Olympics:
“Slow internet major problem at Olympics”